This article does not constitute legal advice, nor is this information intended to create or rise to the level of an attorney-client relationship. You should seek professional legal advice where appropriate.
From the Criteo Privacy Team
The May 2018 deadline for General Data Protection Regulation (GDPR) compliance is coming up, which means if you haven’t already, it’s time to evaluate your company’s situation in terms of compliance.
GDPR requires companies located in EU countries, or that retrieve data from them, to comply with new regulations on data protection and data security. This also applies to global enterprises based outside the EU if they target an EU audience.
We’ve written before about how we’re preparing for GDPR, but the next step is helping our clients and partners make sure they know what steps to take to become GDPR compliant themselves.
GDPR can benefit your business by consolidating the various data privacy laws that exist across all 28 member states, including the UK.
If you’re not compliant yet or only partially there, there is still time to plan, revise policies or invest in new technologies. Here are a few best practices to start the compliance journey:
Designate a Data Protection Officer (DPO)
GDPR requires the designation of a Data Protection Officer (DPO) in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of sensitive data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, health conditions or sexual orientation, etc.) or personal data relating to criminal convictions and offences.
This role would monitor and manage both the data and the operations required by the regulation. Additionally, the DPO would have to prove they have no conflicts of interest with respect to data protection in your organization.
Make Sure your DPO is Ready to Collaborate
Your employees are your best bet to help you understand where your company’s current data protection policies might be lacking. Make sure the DPO, legal, compliance and IT teams have a clear and comprehensive understanding of your company’s data practices. They should work together to help you create a compliant process by which your organization collects data.
Provide transparency and control
The information and consent language you provide to your customers should be as clear and transparent as possible. Your website should make explicitly clear exactly what your customers are opting in and out of, and exactly what types of data they are providing to you. This is a major factor of being compliant with GDPR and you can read more about it here.
Put data governance first
You must implement a Privacy Impact Assessment (PIA) process for all processing that might put the rights of individuals at risk. Additionally, your company must be able to explain how the personal data it holds is collected, used, or even edited, and have processes in place that allow EU citizens to easily provide, review and/or reject that data. The GDPR makes it mandatory to ensure your company’s data infrastructure maintains a record of processing activities and provides visibility into the compliance of your practices.
Monitor employee and contractor access to data
You must establish strict employee authorization policies that limit access to data and ensure privacy. These policies should be continuously updated to reflect your company’s needs and monitored for breaches, especially regarding data transfers. Under Chapter V of GDPR, transfer destinations outside the EU must also meet the same protection and governance conditions as organizations within the EU.
GDPR requirements are stringent, and being wholly prepared for them will require much more than ticking boxes off a checklist. But GDPR, as we see it, can only be a good thing for businesses and consumers alike, as it provides consistency and certainty around privacy and data protection.
By using this checklist and other resources to ensure your organization is carefully prepared for each regulation of GDPR, you can be confident that your company can continue to conduct business as usual.