Many of you have been hard at work on figuring out what the heck to do about GDPR. As you know, on May 25th the European Union and U.K. are launching a data-privacy initiative that will affect how we all deal with personal data.
ePublishing is announcing a series of steps we are taking to support your GDPR needs.
First and foremost, we are in the process of becoming certified by Privacy Shield. Privacy Shield is “a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.”
Initiated by the United States and Switzerland, Privacy Shield has been adopted by the EU as a standard which meets GDPR requirements. So rest assured, when you work with ePublishing, you will be working with a certified provider in compliance with the required standards.
We have included a list of features ePublishing will provide* to make your own compliance with GDPR easier but first we need to cover some basics.
Here is an overview of what you need to consider regarding GDPR. As you know, we are not international lawyers. We're not even domestic lawyers. Heck, we aren't even closet lawyers, so please do whatever research you feel is needed to comply with GDPR.
- The General Data Protection Regulation (GDPR) is a set of regulations to protect the personal data of Europeans. It is an EU law, including the UK despite Brexit, that asserts the right to penalize American (or other foreign) companies that violate it. If you collect data from people in the EU – and every website that collects data does – then they expect you to meet these regulations. You do not need to sell anything in the EU or have offices there. Violators can be fined up to 4% of your total sales.
- The Regulations cover 260 pages. We don’t recommend you read it all; but you do want to learn enough to meet the requirements. Experts suggest that for most publishers, if you read enough commentary and take the necessary steps to show an effort to comply, there is no reason to overreact. Chances are any client reading this will never be in the cross hairs of the EU.
- Check this questionnaire from Bavaria, which covers what you really need to have paid attention to, and then some: https://www.lda.bayern.de/media/gdpr_questionnaire.pdf
- A basic premise is that Europeans have the right to own their own data: right of access, right of erasure and to be forgotten, right of rectification, right to restriction of processing. Chances are you are not collecting much more than name, address, company, job title, etc. These rights are intended more to protect against companies that “process data” than against companies using data for email lists. If you were determining credit scores, for example, you would be processing. If you are not processing data, you have less exposure.
- Companies with fewer than 250 employees do not need to keep a record of processing activities: https://gdpr-info.eu/art-30-gdpr/
- Transparency is the main tool you have to comply. This means you should be reviewing privacy notifications and consent messaging. In addition to your main privacy notice page, you will want to have a notice for anyone signing up on web forms for anything. Likely you will want to offer a link to your privacy page (or send the user to their profile page; see #3 below), in addition to a short statement about how you use data. Bottom line: make sure your consent language is easily understandable.
- In support of transparency, you will need to have completed a review to document what data you hold and to know exactly how it is being used. What personal data do you already possess? How was it obtained? What data is being appended to that? Has consent been obtained to use your existing data? How will you obtain consent going forward? You will need to appoint a Data Protection Officer (DPO). This does not mean adding headcount. Your audience development manager or IT director is a prime candidate. Consider the person who has done your data review as a potential DPO.
- You are considered the “controller” of your own data. Vendors like ePublishing and others might occasionally act as “processors” of data, but are considered under your control. (In the case of ePublishing, you will be working with a processor certified by Privacy Shield.) Neither ePublishing nor any other 3rd-party vendor can wave a magic wand and make you GDPR-compliant. As stated above, your compliance is based on your own policies and procedures.
- You are required to notify EU/UK members if there is a data breach. If any data ePublishing holds is ever breached, we will let clients know without delay.
What We are Doing to Help
- Warnings. If you do not already, you can add "cookie warnings" for visitors to your site.
- Tagging. Our User Manager has three options for tagging your records:
  - Opt-in for postal mailings
  - Opt-in for 3rd-party mailings.
- Making user response easy. We can help you designate a spot on the Client Profile page template sidebar (or other location) for a medium rectangle ad (300x250) to deliver a GDPR message targeted to EU residents. By setting your ad server to deliver a message to this space to all EU/UK visitors only, you can invite those who have questions about their data to respond. This will prevent US-located visitors (and others) from being invited to bother you with extra questions. The ad's link should take them to a Page Manager landing page, with a form that will notify you that an individual has a question or problem. This generates an email to your DPO.
- Making internal audits easy. For whenever you need to review your data, we are adding a GDPR-focused report that will list all users within the 28 countries in the Eurozone and display their opt-in/opt-out status for all regulated points.
- Deleting results of cookie tracking. ePublishing is probably tracking your logged-in visitors for articles they read, what they download, etc. If you ever need to jettison the tracking history of an individual, all you need to do is delete the user manager record of that individual. The data we have recorded will become anonymous. Under GDPR, data that cannot be linked to a specific person is no longer personal data.
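The two mechanisms just described, the EU opt-in/opt-out audit report and erasure by deleting the user record so that tracking history is no longer linkable to a person, are easier to reason about with a concrete model. The following is an added, constructed example and not ePublishing's code: the `Store`, `UserRecord`, `TrackingEvent` names, the short `EU_COUNTRIES` set and the sample users are all assumptions made for the demonstration. The point it makes that the text does not spell out is the precondition for the "no longer personal data" claim: tracking events must carry only an opaque random id, never the email or name, so that deleting the profile really does break the link.

```python
# Added illustrative example (not ePublishing's implementation): a minimal user
# store plus tracking log that supports (1) an EU/UK opt-in audit report and
# (2) right-to-erasure by deleting the profile record, leaving events unlinkable.
from dataclasses import dataclass
import re
import secrets

# Crude detector for the most common direct identifier smuggled into free text.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")

# Constructed subset for the demo; a real report would use the full EU/UK list.
EU_COUNTRIES = {"DE", "FR", "IE", "GB"}


@dataclass
class UserRecord:
    user_id: str
    name: str
    email: str
    country: str               # ISO 3166-1 alpha-2 code stored on the profile
    opt_in_postal: bool
    opt_in_third_party: bool


@dataclass(frozen=True)
class TrackingEvent:
    subject: str               # opaque random id only, never name or email
    action: str                # e.g. "read", "download"
    item: str                  # what was read or downloaded


class Store:
    def __init__(self):
        self.users = {}        # user_id -> UserRecord (the only link to a person)
        self.events = []       # list of TrackingEvent, keyed by opaque subject id

    def register(self, name, email, country, opt_in_postal=False, opt_in_third_party=False):
        uid = secrets.token_hex(8)   # random, not derived from any identifier
        self.users[uid] = UserRecord(uid, name, email, country.upper(),
                                     opt_in_postal, opt_in_third_party)
        return uid

    def track(self, user_id, action, item):
        # Refuse events that would carry a direct identifier into the log;
        # otherwise deleting the profile would not make the history anonymous.
        for value in (action, item):
            if EMAIL_RE.search(value):
                raise ValueError("direct identifier in tracking event")
        self.events.append(TrackingEvent(user_id, action, item))

    def erase(self, user_id):
        """Right to erasure: drop the profile. Events keep only the opaque id."""
        self.users.pop(user_id, None)

    def is_linkable(self, subject):
        """True while a profile exists that maps this subject id to a person."""
        return subject in self.users

    def history(self, subject):
        return [e for e in self.events if e.subject == subject]

    def gdpr_report(self):
        """Users located in EU/UK countries with their status for each opt-in point."""
        rows = [
            {"user_id": u.user_id, "country": u.country,
             "opt_in_postal": u.opt_in_postal,
             "opt_in_third_party": u.opt_in_third_party}
            for u in self.users.values() if u.country in EU_COUNTRIES
        ]
        return sorted(rows, key=lambda r: r["user_id"])


def demo():
    """Walk through report, erasure and the unlinkability check on constructed data."""
    store = Store()
    alice = store.register("Alice", "alice@example.test", "de", opt_in_postal=True)
    store.register("Bob", "bob@example.test", "us")
    store.track(alice, "read", "article-1")
    before = len(store.gdpr_report())          # 1: only Alice is in an EU country
    store.erase(alice)
    after = len(store.gdpr_report())           # 0: her profile is gone
    remaining = len(store.history(alice))      # 1: the event survives, unlinked
    return before, after, remaining, store.is_linkable(alice)


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should carry away: the opaque id is a pseudonym, so the data is anonymous only as long as nothing else (an ad-server log, a backup, an exported spreadsheet) still maps that id back to a name or email. The `track` check guards the one store this model controls; the same discipline has to hold everywhere the id is copied.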