For starters, it’s important to understand the reach of these rules and regulations. The GDPR requires online domains and all web entities, regardless of purpose, to perform a series of user privacy enhancing actions while interacting with EU customers based in Europe.
The legal consequences of not complying with GDPR guidelines have also been clearly defined and leave little to the imagination. Companies in violation of the GDPR may be fined between 2% to 4% of their annual global turnover or up €20 million, whichever is higher. Frequent GDPR violations can raise the level of legal penalties to the €40 million range.
The GDPR Compliance Checklist
The GDPR is a complex 11 chaptered document with 99 articles that cover a wide range of user privacy issues. This set of regulations can be hard to digest and interpret, which is where this checklist enters the picture. The ultimate GDPR compliance checklist highlights and lays out all of the main bases that you have to cover systematically to achieve GDPR compliance.
1. Data Privacy Impact Assessment (DPIA)
With the GDPR in in full swing, a DPIA can be extremely helpful for online publishers, who are now officially defined as data controllers (fully responsible for GDPR breaches). In a nutshell, DPIA is a risk management process. It helps map and analyze the privacy risks your operations create, eventually enabling you to come up with an optimization plan.
A.Identify the privacy risks and Evaluate Privacy Solutions
Your first challenge is to map the data collection points where you are collecting Personally Identifiable Information (PII) data from your customers and identify the privacy risks that exist while processing them. Data controllers (i.e – online publishers) should pay extra attention to PII data that is processed by third party services.
Furthermore, these third party services often use fourth- and fifth party services to enhance performance or add more functionality. However, the authorizations you’ve granted were meant to be limited solely to the third party services. But now, fourth- and fifth party services are also accessing your data and possibly impacting your GDPR compliance.
B. Record the DPIA results and Integrate Into the Project Plan
After analyzing and understanding the privacy challenges in the ecosystem, the data controller should record all findings. Your next step should be to implement required mechanisms for enforcing personal data protection. Furthermore, the selected mechanisms need to be demonstrated adequately to prove GDPR compliance.
C. Collaborate with Internal and External Stakeholders
Online publishers need to know what exactly the third party vendors are doing with their customers’ PII data and how exactly it’s being processed. This collaboration is vital for GDPR compliance.
2. Policies and Procedures
Mandatory documents to enforce GDPR compliance include the following:
Personal Data Protection Policy (Article 24) – a top-level document for managing privacy in your company, which defines what you want to achieve and how.
Privacy Notice (Articles 12, 13, and 14) – this document explains in simple words how you will process personal data of your customers, website visitors, and others. Its recommended to publish this in your website for optimal transparency.
Data Retention Schedule (Article 30) – lists all points of PII data collections and describes how long each type of data will be kept/stored.
Data Retention Policy (Articles 5, 13, 17, and 30) – it describes the process of deciding how long a particular type of personal data will be kept, and how it will be securely destroyed after the processing is completed.
Parental Consent Form (Article 8) – if the data subject is a minor below the age of 16 years, then a parent needs to provide the consent for processing his personal data. GDPR treats the breach of this protocol very seriously.
DPIA Register (Article 35) – this is where all the results from your Data Protection Impact Assessment (DPIA) will be saved after being recorded and analyzed.
The procedure revolving GDPR breaches needs to be clear to avoid any reporting delays. When a PII data leak is detected, the data controller needs to record the event in the Data Breach Register (Article 33). There is also a requirement to notify the relevant Supervisory Authority about the incident, while also updating the affected customers (Article 33 and 34).
3. Notices and Consent
Data controllers need to make sure that that have user consent to collect personal data. The online publisher needs to be able to demonstrate that the data subject has consented to processing of his or her personal data, ideally via an intelligible and easily accessible form, using clear language. Furthermore, users now have the right to withdraw their consent at any time.
4. Data Retention Policy
GDPR will introduce laws that will make the storage limitation principle considerably stricter. Soon, it will be illegal for data processing to be excessive in relation to the purpose of acquiring such information. Specific time limits will be set for both the processing and reviewing of data, while the handling of personal data should remain explicit and transparent.
It’s also important to make sure that all third party vendors are encrypting the data before and after it is processed and/or transmitted to fourth and fifth party providers.
5. Personal Data Collecting and Processing
First and foremost, the data controller should assign a Data Protection Officer (DPO) when there are significant amounts of DII data being collected and processed. Online publishers definitely belong to this category. The DPO has the responsibility of advising the company about GDPR compliance and monitoring the activities from the legal standpoint.
Special attention needs to be given to PII data collection (and documentation) from minors below the age of 16. With more and more kids surfing the web and becoming legitimate customers, parental consent will be required before collecting sensitive information from them. Also, consent requests will have to be clear, simple and easy-to-understand.
Third party vendors are becoming increasingly necessary for modern online publishers to remain profitable. These services can appear to be perfectly functional, they are basically autonomous components that are working independently, often while compromising user privacy. Many also make use of fourth and fifth party services to gain added functionality.
Compliance is further complicated due to the way third party solutions work. Your PII data can potentially reach new data processors in the form of fourth and fifth party services. A proper GDPR audit should go beyond first party software on the website and include third party services in Ad Tech and MarTech stacks for a through inspection.
Remember, GDPR Doesn’t End With Just One Audit
A good GDPR audit doesn’t mean your Ad Tech stacks will stay compliant in the long run. Third party vendors often make code changes that alter the way your PII data is processed or in extreme cases stored, which is a violation of the GDPR guidelines. New fourth and fifth party vendors, who can potentially be completely non compliant, can also enter the fray.
The meaning of this ongoing risk is that online publications have to be on the top of things and monitor their ecosystem, especially Ad Tech and MarTech stacks, in real time.