Attention: Clients with active website and web application projects in Europe, the General Data Protection Regulation (GDPR) will start being enforced in May 2018.
What is the GDPR? The GDPR (or General Data Protection Regulation) is a new regulatory directive, replacing a previous version from 1995—the Data Protection Directive 95/46/EC—and is intended to protect all EU citizens from privacy and data breaches. Although passed in April 2016, it will begin being enforced on May 25th, 2018.
Why this is important: The enforcement of the GDPR will impact any entity that holds personal information about its users. This “information” can be as simple as someone’s name to more complex details like an individual’s social media posts or IP address. The GDPR will apply to any business in the world that collects information from EU-based users, regardless of that company’s physical location.
What can we do to be prepared? You may already be aware and have taken (or will be taking) steps in anticipation of the impending enforcement date. The GDPR is confusing and convoluted, so we recommend reviewing information from reputable sources to become more familiar. Knowing what needs to be changed, and being proactive about it is the best course of action.
In addition to conducting independent research, we recommend bringing this matter to the attention of your general counsel and/or data privacy attorney, if possible, to ensure you are in full compliance. Firms have also been involving third-party GDPR specialists and consultants to do a full audit of the website to ensure they are in compliance.
Some firms have found that it’s more straightforward to approach this as a universal change, rather than keeping anything specific to the European location; giving everyone visiting the website the same experience.
What action will RubensteinTech take and when? Beyond the above, we recommend performing a thorough review of the cookies and/or tracking pixels being used on your website. (Cookies are one of the most common forms of storing user data from website visitors.) Current RubensteinTech clients can request a list of cookies being used, as well as a detailed breakdown of what each one does. We can also recommend other changes that will allow your website to be in full compliance with the GDPR. (Please contact Support to make this request.)
Our timeline for implementation will depend on the number of cookies, the type of cookies at hand, any further recommendations, etc. Disclosures should also include that our servers routinely store IP address information of site visitors, for security and compliance purposes, and may occasionally use anonymous session cookies for the purpose of maintaining site reliability.
Forms on the website that obtain any personal information from users should also be reviewed. Form data integration with external systems, like a CRM, should be taken into consideration. For example, there should be a process for regularly reviewing the preferences of CRM profiles to ensure users have recently opted in within the GDPR-required timeframes.
What happens if we do nothing? If your website is not compliant with the GDPR, your business may be subject to penalties. (Depending on the severity of the infraction, fines can range up to ~$25 million.)
It’s also worth noting that, while your website may not get flagged in violation immediately, it can happen at any time after the enforcement date. The GDPR is well-documented, but it’s not yet certain to what extent the EU will be enforcing this new law and who will be targeted. All business (and therefore websites) are subject to this new regulation.
Continuing to be proactive. In addition to the alert above, Google Analytics has a Data Processing Amendment that may require your attention. (The full amendment can be reviewed in your Google Analytics Account Settings.)
This affects anyone that has an active contract with Google (ie AdWords, DoubleClick, Analytics Suite, etc.). The full list can be found on Google’s Data Protection Terms page.
For more information on this matter, please visit the following:
—Key Changes with the GDPR
—Preparing for the GDPR
—Data Processing Amendment
—Google Ads Data Protection Terms: Service Information
—GDPR @ PwC
—GDPR @ Microsoft
—GDPR Compliance Checklist
—Akin Gump: The Impact of the General Data Protection Regulation on Investment Managers
—Bryan Cave: GDPR: The Most Frequently Asked Questions
—Bryan Cave: David A. Zetoony GDPR Thought Leadership
—Hunton & Williams: European Data Protection and Privacy
—Kramer Levin: The Final Race to GDPR: Are You on the Right Track?
—Milbank: Data Privacy and Information Security Group Client Alert
—Perkins Coie: GDPR and What Comes Next: The Parade of Horribles
—Pillsbury’s 10 Steps to GDPR Compliance
—Steptoe: Preparing for the GDPR: What Employers Should Be Doing Now
—Winston: Five Things You Can Do Now to Prepare for GDPR
—Orrick’s EU GDPR Readiness Assessment Tool