Pushing GDPR Buttons
Background
GDPR has been one focus of my work for over a year, and the level of interest in GDPR compliance has exploded in the last couple months. (I hope to soon be able to announce a couple of GDPR projects I’ve been working on that should be of interest to the smaller businesses that have never dealt with this privacy stuff before and are worried and wondering about what they need to do, and to help all those new Data Protection Officers (DPOs) and smaller outsourced DPO services do their jobs. But I digress…)
Lots of people are now scrambling to try to meet the end of May deadline, motivated often by their interactions with their business partners who are also working on compliance.
This GDPR scramble mirrors what I saw in the healthcare context when HHS started the HIPAA audit program a few years ago, and what I still see flare up whenever some kind of regulatory attention hits healthcare. What happens in the healthcare world is that “business associates” (as defined under HIPAA) of healthcare entities find out they need to take action to do something HIPAA compliance-related. Usually, such business associates are seeking help with “doing a HIPAA security or risk assessment” as a one-off project, and they don’t realize the questions involved in that assessment will normally lead to needing to make significant business process changes that they had not considered. Or budgeted for. And they also don’t realize that the process isn’t simply about concrete security practices that they already have in place.
The vast majority of GDPR projects I see in the freelance networking world ask for “someone to rewrite our web site privacy policy and terms of use so that we are GDPR-compliant”. And most of those GDPR projects are people taking their first steps toward GDPR compliance. They may have some kind of information security program, but commonly lack any kind of existing, formal privacy management program.
The problem with such projects—literally all of those about which I have been approached or that I have found advertised since going full-time solo—is that people want help with the public-facing notices without having done any of the work that has to be done before they are ready to change those notices.
Work To Do Before Updating Web Site Notices
If you are considering a project to update your web notices to become GDPR-compliant and you don’t know what your company’s answers are to the questions that have to be answered in order to know what to put in the new notice, you have preliminary work to do before you post a revised notice. And probably quite a lot of it. Here, directly from the UK Information Commissioner’s Office (ICO), a leading data protection authority (DPA) source of user-friendly GDPR information, is a list of things that need to go into a GDPR-compliant web site privacy notice and/or web site terms of use:
- a description of your chosen lawful basis for processing personal information,
- your legitimate interests for the processing,
- a listing of the individuals’ rights (and how your business facilitates individuals exercising those rights),
- a description of automated decision-making and profiling that you use, and
- the source of the personal data you control or process.
Here’s a link to the UK ICO’s main GDPR page:
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
You can’t beat the UK ICO as a go-to source for self-help information about privacy compliance, including for GDPR.
(Yes, I know: Brexit. Many of us who have been monitoring GDPR get that retort when we recommend the UK ICO as a source of GDPR guidance. They have been a leader in European privacy help, in easy-to-understand language, and they continue to provide new and refreshed tools and info. Think about it this way: They will still have a mission to help UK-based companies who handle personal information of other EU individuals to meet their compliance obligations domestically and under the GDPR. Makes you wonder why we aren’t getting similar information in any kind of significant volume from the U.S. authorities like the Federal Trade Commission (FTC). Oh, and: PM Theresa May has also made clear that the UK will be converting GDPR into full UK laws and thus, “GDPR will be law in the UK, too”. Almost forgot that part. But I digress. Again.)
All of the terms used in the ICO list above are defined within GDPR, and most of them are basic foundational privacy principles to anyone working within privacy compliance.
Without going into the full detail of the end-to-end GDPR compliance work, just note that this short list contains only a few examples. It is the most relevant short tally of big projects here because this guidance covers only the part of the work that directly ties to the content of your site notices.
A Closer Look at The GDPR Privacy Notice List
Taking just the first item: You cannot provide a description of the GDPR-defined “lawful basis for processing” that you have chosen, if you have not evaluated what lawful basis makes the most sense for your business, actually made a decision to choose one, and taken the time to describe (in writing) your choice and your justification for that choice. And that is just one tiny piece of this puzzle.
But also note that the third bullet stands in for a lot of work around how you handle the individual ability to exercise any or all of their 8 individual privacy rights under GDPR. And one of those rights is “the right to be informed”, which also has a lot to say about things like your web site privacy notice.
Risks Associated With Updating Notices Prematurely
I don’t doubt that you can find someone to help you rewrite your notice in a few hours and take your money and move on; however, taking that approach is doing nothing but adding to your risk of non-compliance. You would be far better served to have a notice that is out of compliance for those points where you haven’t done the work, and start at the beginning with GDPR. (We’ll save the general discussion about what to do about compliance when you didn’t do the work, for whatever reasons, including not knowing any better, for another post.) You could then either update your notice at each milestone where you’ve completed a chunk of the work, or do the full web site privacy policy and terms of use updates once you’re all done and the preliminary work is complete and the changes to your business processes are working. If you face any kind of EU data protection authority (DPA) attention or even individuals seeking to exercise their individual privacy rights under GDPR, I am convinced you would be much better off to show that you are completing the work properly but have not yet finished than to be found publishing a privacy notice on your site that says you do things that you don’t actually do yet. In addition to your GDPR compliance risks, you would also be upping your risk of FTC attention for that old compliance enforcement standby, UDAAPs, or being found committing “unfair, deceptive, or abusive acts or practices”.
PLEASE NOTE: As I say all the time, I am not an attorney and this is not legal advice. I am an operational privacy compliance professional.
You should consult with an attorney for legal advice, especially if you feel like you have high risk information or information processing, or have a higher likelihood of facing regulatory attention by not making full GDPR compliance before the deadline later this month.
I work very well with attorneys on projects such as these, should you find that your legal counsel is advising you about GDPR in a similar manner.
How I Can Help
If You Really Are Ready to Update Your Notices
If you’ve done the required GDPR work already, I can help you with your site notices and can usually turn around updated content after an initial call of a couple hours with the right subject matter experts to answer key questions and then a few hours to do the writing—so usually in one solid day of my time.
If You Are Just Getting Started with GDPR
If you haven’t done the GDPR work already, I can definitely help you with that, too. But those are not projects that can be done in a few days—especially if you don’t have the familiarity with generally accepted privacy principles (GAPPs, which are sort of like GAAPs in accounting), privacy management, or how differently privacy compliance works outside the U.S. in day-to-day business.