What You Need to Know to Prepare for GDPR

By May 9, 2018 Strategy

Are you prepared for GDPR? On May 25, 2018, the strict regulations set by the European Parliament to protect European Union consumers’ personal data will be enforced globally, and this affects Rezfusion users.


The European privacy law, called the General Data Protection Regulation (GDPR), regulates how businesses collect, store, and use the data they obtain about their consumers. Regardless of where a business is located, European Union residents must give it their consent regarding their personal data. As mentioned in the post from WIRED, this includes: name, home address, location data, photo, email, bank details, posts on social networking sites, medical info, a computer’s IP address, or the identifier that tracks web and app use on smartphones, web cookies, beacons, any technology used for personalization, email marketing, and email tracking.


The GDPR Law In-Depth:


It is important to keep in mind that the law, although created for European Union and UK residents, will be enforced worldwide. American companies that collect and use EU citizens’ data are required to comply. Also, as stated in ADWEEK’s post on GDPR, “if you’re delivering ads to Europeans, European regulators will assume that you are in compliance with GDPR.” The focus of the GDPR is on personal data security, not credit card data, and it is therefore separate from PCI-DSS compliance.


Companies that offer goods or services to EU citizens and monitor their behavior must comply, even if they do not charge for the service. The GDPR EU states that “if a firm has any European presence, it would need to either become compliant for its entire user base, or become capable of identifying EU residents within its user base and adhering to GDPR rules for that group only. If the manual data processing contributes toward a database, then you must comply, but if it does not enter a structured and accessible database, then the GDPR may not apply.”


Business Responsibilities:


Here are non-exhaustive examples, provided by the GDPR EU, for deciding whether there is sufficient evidence that a firm is within the GDPR’s scope.


  • May be insufficient evidence
    • The firm’s website is accessible to EU residents
    • The firm’s email or other contact details are accessible to EU residents
    • The firm is located in a non-EU state that speaks the same language as an EU state (commonly used language like English or Spanish)

  • May be sufficient evidence
    • The firm markets its goods and services in the same language as that which is generally used in an EU member state (includes more local languages, excludes English)
    • The firm lists prices in EU member state currencies (the Euro, British pound sterling, Swiss franc, etc.)
    • The firm cites EU customers or users

As claimed in many articles regarding GDPR, but specifically from ADWEEK, it is required that brands include copy or a pop-up ad that allows consumers to give consent to share their personal data. Brands must be direct and clearly explain the purpose for collecting data and whether it will be used to create behavior profiles. The EU GDPR Portal notes that types of consent that will no longer be accepted are opt-out and long, illegible terms and conditions. Additionally, pages of fine print, pre-checked boxes, or requiring users to click yes to sign up are not considered consent. Consent must be opt-in; however, it can be given either electronically or verbally. As the EU GDPR Portal puts it, “the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent, distinguishable from other matters, and written in plain language.”


With regard to email marketing, it must be opt-in. As for the collection of new email addresses, most companies at a minimum will have to change their “subscribe” checkboxes to unchecked by default. As for existing mailing lists, the GDPR EU suggests three options: (1) delete the whole mailing list and start over; (2) attempt to segregate EU addresses from non-EU addresses; and (3) contact the addresses asking them to opt in to continue receiving emails.


Companies can face financial penalties of 4 percent of a company’s global revenue, regardless of what percentage of that is online revenue, if they do not comply with the new regulation. View the complete list of the factors that determine the penalty amount.


Currently, as acknowledged by the EU GDPR Portal, “controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories are required to notify their data processing activities with local Data Protection Authority (DPA), meet the requirements for internal record keeping, as well as other actions.” Additionally, Privacy by Design calls for data protection to be included from the onset of designing a system, rather than added afterwards. It requires that controllers hold and process only the data absolutely necessary to complete their duties (data minimization), and that access to personal data be limited to those who need it to carry out the processing. Visit the EU GDPR Portal for these requirements.


Furthermore, controllers must give guests access to all of their historical data. The GDPR EU notes that controllers must either attempt to obtain consent from data subjects or cease processing, and that unless otherwise requested, data can be supplied electronically. The first request for a copy of personal data is free, but you may charge a “reasonable fee” for additional requests.


EU Consumer Rights:


European Union consumers have the right to restrict or object to the processing of their data and to correct inaccurate information, as well as further rights that include:


Right to be Forgotten, or Data Erasure

The consumer can require that their online personal data is removed.


Data Portability

The consumer can request to receive their personal data, and has the right to obtain confirmation as to whether or not their personal data is being processed and for what purpose.


Complain to Supervisory Authority

The consumer has the ability to complain to an authority in the EU who can enforce fines.


WIRED has acknowledged that there has been mention of potential loopholes in the new GDPR law, such as “businesses being allowed to process personal data without consent for limited reasons which includes “direct marketing,” through the mail, email, or online ads. However, companies must take into account a consumer’s expectation of how their data will be used and can’t infringe on the other consumer rights guaranteed under GDPR.”


Suggested Plan of Action:


Here are the steps that Bluetent is taking to adequately meet the requirements of GDPR, as well as steps that you can take:


  • Geo-specific disclaimer and opt-in interfaces.
    This is a pop-up that informs consumers that they are agreeing to let you use cookies or a script to best serve them.


  • Streamlined access to personal data for administrators.
    Be editorial about the information you are asking for. If you have a “Contact Us” form that asks for data that is not relevant to how you will serve consumers, you are better off removing it. This includes gender, race, political affiliations, etc. Bluetent is looking into streamlining your ability to pull reports from Rezfusion, so you can easily look up information about specific consumers. However, your exposure goes beyond your website if you are collecting data in other places because any personal information base is subject to GDPR.


  • Narrow the scope of Personally Identifiable Information (PII) collected where possible.
    The more you can narrow down the places where you store consumers’ PII, the better chance you have of avoiding a breach.


  • Content area for any unique notifications or disclaimers for customer-specific data collections.
    If you have partnered with a third party that does more detailed tracking of user behavior, Bluetent is working on a mechanism that communicates a disclaimer about the personal information that is not directly related to the functionality of your provider; for instance, this could be your property management software.
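To make the opt-in requirement in the first step above concrete, here is an added example of a consent gate for non-essential cookies and scripts. It is illustration written for this article, not Bluetent’s or Rezfusion’s own code; the purpose names, their plain-language descriptions and the cookie-jar shape are assumptions. It shows the three behaviors the text calls for: nothing beyond strictly necessary processing is on by default, only an explicit choice counts as consent (a pre-checked or untouched box does not), and the choice is recorded together with the purpose text that was shown, so withdrawal can later remove whatever was stored under that purpose.

```javascript
// Added example (not Bluetent/Rezfusion code): an opt-in consent gate.
// Purpose names, descriptions and the cookie-jar shape are assumptions.

// Each purpose is described in plain language and shown with the consent request.
const PURPOSES = {
  essential: "Keep you signed in and remember your booking (required for the site to work)",
  analytics: "Count page visits so we can improve the site",
  marketing: "Personalize offers and send you email marketing",
};

// Opt-in default: only strictly necessary processing is on; nothing is pre-checked.
function createConsentState() {
  return {
    granted: { essential: true, analytics: false, marketing: false },
    record: null, // filled in once the visitor makes a choice
  };
}

// Record an explicit choice. Only a literal `true` counts as consent; an
// untouched (undefined) or unchecked (false) box leaves the purpose denied.
// The record keeps what was shown and when, for internal record keeping.
function recordConsent(state, choices, now = new Date()) {
  const granted = { ...state.granted };
  for (const purpose of Object.keys(PURPOSES)) {
    if (purpose === "essential") continue;
    granted[purpose] = choices[purpose] === true;
  }
  const record = {
    timestamp: now.toISOString(),
    purposesShown: { ...PURPOSES },
    choices: { ...granted },
  };
  return { granted, record };
}

// Withdrawing consent is a single call; the essential purpose cannot be withdrawn
// because the site does not work without it (and it never needed consent).
function withdrawConsent(state, purpose, now = new Date()) {
  if (!(purpose in PURPOSES) || purpose === "essential") {
    throw new Error(`cannot withdraw consent for purpose: ${purpose}`);
  }
  const granted = { ...state.granted, [purpose]: false };
  const record = {
    ...(state.record || {}),
    withdrawn: { purpose, timestamp: now.toISOString() },
  };
  return { granted, record };
}

// The gate: a cookie is written only if the purpose it serves has been granted.
// The jar maps cookie name -> { value, purpose } so cookies can be purged by purpose.
function setCookieIfAllowed(state, jar, { name, value, purpose }) {
  if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
  if (!state.granted[purpose]) return false; // denied: nothing is stored
  jar.set(name, { value, purpose });
  return true;
}

// Remove every cookie whose purpose is no longer granted; returns the count removed.
function purgeDeniedCookies(state, jar) {
  let removed = 0;
  for (const [name, entry] of [...jar.entries()]) {
    if (!state.granted[entry.purpose]) {
      jar.delete(name);
      removed += 1;
    }
  }
  return removed;
}

// Demo with constructed values: the analytics cookie is refused until the visitor opts in.
const demoJar = new Map();
let demoState = createConsentState();
console.log(setCookieIfAllowed(demoState, demoJar, { name: "_ga", value: "GA1.2.1", purpose: "analytics" })); // false
demoState = recordConsent(demoState, { analytics: true });
console.log(setCookieIfAllowed(demoState, demoJar, { name: "_ga", value: "GA1.2.1", purpose: "analytics" })); // true
demoState = withdrawConsent(demoState, "analytics");
console.log(purgeDeniedCookies(demoState, demoJar)); // 1
```

In a real page the jar would be `document.cookie` and third-party scripts would be loaded only after `setCookieIfAllowed` (or an equivalent check on `state.granted`) returns true; the logic above is kept free of the DOM so it can be unit-tested and run in Node as shown.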


Bluetent is still working through these requirements but will have these pieces in place by the May 25, 2018 deadline. If you have any questions, please reach out to our team. We are happy to help with this transition.


Sources:


EU GDPR Portal. “GDPR Key Changes.” EUGDPR.org. Accessed April 25, 2018, https://www.eugdpr.org/eugdpr.org.html


GDPR EU. “Who Must Comply.” GDPREU.org. Accessed April 25, 2018, https://www.gdpreu.org/the-regulation/who-must-comply/


Johnson, Lauren. “What Brands, Publishers and Ad-Tech Companies Need to Know About GDPR.” ADWEEK (blog). Accessed April 25, 2018, http://www.adweek.com/digital/what-brands-publishers-and-ad-tech-companies-need-to-know-about-gdpr


Tiku, Nitasha. “Europe’s New Privacy Law Will Change the Web, and More.” WIRED (blog). March 19, 2018, https://www.wired.com/story/europes-new-privacy-law-will-change-the-web-and-more/ (accessed April 25, 2018).