Should US Companies Worry About GDPR (EU General Data Protection Regulation)

March 8, 2018

This blog post is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand the GDPR. If you are concerned about complying with the GDPR, we recommend that you consult an attorney familiar with the new laws.

If you collect data from EU citizens (referred to as an "EU data subject"), including employees, GDPR applies to you – even if you're based outside the EU.

There are two primary roles to consider with personal data: the data controller and the data processor.

  • Controller – determines how and why personal data is processed
  • Processor – handles the technical processing of the data on the controller's behalf

The controller could be any business, charity or government agency and the processor could be any IT service provider - both need to abide by the GDPR.

In the case of Animus Rex, our clients are data controllers and we are data processors.

Because some of our clients are explicitly subject to GDPR, we are working toward GDPR compliance with them by May 25, 2018, the day the new regulations go into effect. Most of our clients are American-based companies and NGOs so the GDPR may have slipped under their radar.

We are advising all clients to strongly consider becoming compliant, even if they don't think they are subject to the GDPR regulations.

The reasons are simple:

  1. It protects you against risk.
    The new regulations may not affect you, but on the other hand, you may be holding data subject to the GDPR and not even know it.

  2. It's more secure.
    Knowing how data is stored or processed (both inside and outside your firewall), makes it less subject to breach.

  3. It's good business.
    The proper handling of personal data instills trust in your brand (you are serious about protecting their information) and helps to prevent costly data breaches.

  4. It prepares you for the future.
    With the EU operating at a higher standard, other countries are bound to follow (even the US). Doing this now, even if you don't have to, sets you up for success and minimal pain in the future.


GDPR Basics

Consent - The request for consent must be given in easy-to-understand, plain language and in an easily accessible format, with the purpose of the data processing attached to that consent. Consent has to be distinguishable from other matters such as using the service, must be freely given, and must be as easy to withdraw as it was to grant initially.

Personal Data Definition - Personal data means any information relating to an identified or identifiable natural person. This includes unique identifiers such as IP addresses and cookies (where they are used to uniquely identify the user or device).

Right to Access - The person whose data you are collecting has the right to obtain confirmation of whether personal data concerning them is being processed, where it is being processed and for what purposes. This must be provided free of charge unless the request is repetitive, excessive or unfounded.

Right to be Forgotten - The data subject can insist that the controller erase all personal data about them and stop the processing of it by third parties. The controller can object if there is a public interest in the availability of the data.

Breach Notification - Breach notification must be sent to the EU Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. The data subject must also be notified without undue delay if the breach is likely to result in risk to their rights and freedoms.

Privacy by Design – Data controllers (you) must implement appropriate technical and organizational measures to meet the GDPR requirements; i.e. hold and process only data that is absolutely necessary for the completion of specific tasks, and limit access to personal data to those doing the processing (your internal marketing or IT team, your web developer and host). This also means that if the data is no longer relevant for a specific task, you should consider removing it.

Data Portability - The new regulation will give individuals the right to transfer their data from one controller to another. So organizations, on request, must be able to deliver a person's data in a suitable format. Data collected via website forms can be immediately compliant by providing an emailed copy to the user instantly without needing any further handling. There should, however, still be a mechanism in place to find and report out any personal information stored on the website.

Data Protection Officers (DPO) - A DPO may need to be appointed, who can be a contractor, a new hire or a member of the organization's existing staff. It is important to note that not all organizations are obliged to have a DPO; more information can be found in the A29 Guidance. Again, we are not lawyers, but it's our understanding that most American companies do not need to have a DPO.


What Animus Rex is doing as a data processor

We are in the process of migrating our systems to Google Cloud Platform (GCP) for a secure and highly available service at scale. This will be in place well in advance of the May 25 deadline and we will prioritize clients who are known EU Data Controllers first.

  • At a high level, GCP provides us with:
    • Information Security Team
    • Data Center Physical Security
    • Server and Software Stack Security
    • Trusted Server Boot (purpose-built custom chips)
    • Data Access Security
    • Secure Data Disposal
  • Comprehensive Compliance and Certifications
    • SSAE16 / ISAE 3402 Type II (SOC 1, SOC 2, SOC 3)
    • ISO 27001 and 27002 for Cloud Services
    • ISO 27017 for Cloud Security
    • ISO 27018 for Cloud Privacy
    • FedRAMP ATO for App Engine
    • PCI DSS v3.2
    • Certificates can be found on the GCP security compliance page
  • At the platform level, security features include:
    • Secured Service APIs and Authenticated Access
    • Engine Access Logging
    • Data Encryption (in transit and at rest)
    • Security Global Network (and direct links to most major ISPs)
    • Intrusion Detection
    • Security Scanning
  • At the application level
    • OS and Application Patches (active live patching)
    • User and Credential Management
    • Network Firewall Rule Maintenance
    • Penetration Testing
    • Sensitive Data Management
    • Application Logging and Monitoring
  • Upon this solid base, our Eskort Application and internal processes provide
    • Privacy and security by design principles
    • Strict access control
    • Administrative IP restrictions
    • Data encryption in transit and at rest
    • Incident response and recovery
    • Ability to remove personal information (right to be forgotten principle), including all daily backups and historic full website archives
    • Periodic self-run security reviews and penetration testing
    • Cooperation with any client who wishes to conduct an independent 3rd party security review or penetration test
    • Security and privacy awareness training for our staff

Common Website Issues

Initial binary question:

  • Do you store personal information on your website (form submissions, alumni database, newsletter lists, resume submissions, etc.)?
  • If you *do not* store any personally identifiable information, then this does not apply to you.

Assuming you *do* store personal information, you may wish to consider the following:

  • Proper Consent
    • Ask for affirmative consent when collecting personal data (i.e., opt-in rather than opt-out)
    • Do not pre-check forms by default (e.g., having "I want to get your newsletter" checked by default - it should be unchecked by default)
    • Do not bundle offers (e.g., don't sign someone up for your newsletter when they fill out a general request form, make that a separate opt-in option)
    • Allow for granularity (e.g., sign up for newsletters and special offers separately)
    • Use clear and unambiguous language in your offers
  • Removing consent and purging data
    • Provide an easy and granular means for a user to opt-out of a list or profile
    • Provide an easy ability for a user to request their data be completely removed from your system
  • Google Analytics (GA)
    • By default, GA collects and aggregates data anonymously and is compliant with GDPR
    • The cookies GA uses have been deemed *not* to require consent since they are not storing personal information
    • If you've added any custom variables/dimensions/segments to GA that store personally identifiable information, you'll need to remove those customizations
  • What about cookies?
    • See: http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

      Upshot:
      • Cookies that only track session state (e.g., Eskort login cookie) or anonymous page tracking (e.g., Google Analytics) do not require a cookie banner providing notice or asking for consent. That covers 90%+ of our clients.
      • Cookies that *do* track individuals or devices will need a cookie banner (a notice that pops up that a user must clear) that informs the visitor in a clear and unambiguous way that cookies are being set and what they're being used for -- and has an opt-in checkbox to garner their consent.
  • Policy Pages
    • It's advisable to have a Cookie Policy published on your website that clearly states what cookies you use and why they are being used -- even if it's just tracking cookies.
    • Again, the vast majority of our clients only have Google Analytics cookies and our Eskort session cookie. A few have additional cookies from third-party tracking systems.
    • Have you reviewed your privacy policy and terms of service recently? Are they in line with your actual practices? Do you offer an easy way for a site visitor to get in touch with you from that page?
  • If you have any advertising, re-marketing code or 3rd party tracking software (beyond Google Analytics) that is known or suspected to track individuals or store personal data, you should check with those 3rd party tracking or software companies to see how they're handling GDPR.
  • Other
    • Consider self-certifying for the Privacy Shield Program: 
      https://www.privacyshield.gov/US-Businesses
    • Consider double-opt-in (where an email is sent to the user and they have to actively confirm the request from a link in the email) for forms such as newsletter signups to confirm the user wants the email and is not being arbitrarily signed up by a third party.
    • Consider what is done with data that are exported/removed from the website (lists that go into other systems)
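The consent items above (no bundling, granular opt-in and opt-out, double opt-in with an emailed confirmation link) and the data portability and erasure basics from earlier in the post can be captured in a small subscription store. The following is an added illustration written for this post, not code from Eskort or any other Animus Rex system; the in-memory store, the one-day token lifetime and the purpose names are assumptions.

```python
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed: confirmation links expire after one day


class ConsentStore:
    """In-memory stand-in for a site's subscriber database (illustrative only)."""

    def __init__(self):
        self.pending = {}   # token -> (email, purposes, issued_at)
        self.consents = {}  # email -> {purpose: confirmed_at}

    def request_subscription(self, email, purposes, now=None):
        """Step 1 of double opt-in: store an unconfirmed request and return the
        single-use token that goes into the confirmation email. No consent is
        recorded yet, and an empty purpose list is rejected so nothing is bundled."""
        if not purposes:
            raise ValueError("no purpose selected: consent cannot be assumed")
        token = secrets.token_urlsafe(32)  # unguessable, one per request
        issued_at = time.time() if now is None else now
        self.pending[token] = (email, frozenset(purposes), issued_at)
        return token

    def confirm(self, token, now=None):
        """Step 2: the user follows the emailed link. Consent is recorded only if
        the token is known and unexpired; the token is consumed either way."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        email, purposes, issued_at = entry
        now = time.time() if now is None else now
        if now - issued_at > TOKEN_TTL:
            return False  # stale link: the user has to request again
        record = self.consents.setdefault(email, {})
        for purpose in purposes:
            record[purpose] = now  # per-purpose timestamp is the evidence of consent
        return True

    def withdraw(self, email, purpose):
        """Withdrawing one purpose leaves the others intact (granular opt-out)."""
        return self.consents.get(email, {}).pop(purpose, None) is not None

    def export(self, email):
        """Data portability: everything held about this address, as plain data."""
        return {"email": email, "consents": dict(self.consents.get(email, {}))}

    def erase(self, email):
        """Right to be forgotten: drop confirmed consents and any pending requests."""
        self.consents.pop(email, None)
        for token in [t for t, (e, _, _) in self.pending.items() if e == email]:
            del self.pending[token]
        return email not in self.consents
```

A real deployment would also purge the address from exported lists and backups, which the post notes separately.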

See this post for a pictorial breakdown:
Ways to Make Your Website GDPR Compliant

Also, please be aware that though the regulations go into place on May 25, there is still some ambiguity in the practical application, so watch this space.

We hope this helps! Please contact us with questions or concerns.

Additional Resources

Official GDPR Portal:
https://www.eugdpr.org/

EU legislation on the use of cookies
http://ec.europa.eu/ipg/basics/legal/cookies/index_en.htm

12-step guide to GDPR compliance
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf

EU Guide on consent
https://ico.org.uk/media/about-the-ico/consultations/2013551/draft-gdpr-consent-guidance-for-consultation-201703.pdf

Google Cloud and the GDPR
https://www.google.com/cloud/security/gdpr/