It’s all over the news: in Europe, data privacy is about to be turned upside down.
In preparation for the General Data Protection Regulation, also known as GDPR, many companies are making massive changes to internal policies and procedures to ensure compliance. With fines of up to €20 million or 4% of global annual turnover, whichever is higher, there’s enough incentive to prompt company action.
Before we get into the many details of GDPR, let’s look at a little bit of history…
The history behind GDPR
For those of you who aren’t European law experts, GDPR is replacing the Data Protection Directive, which was adopted in 1995. Among privacy activists, this outdated directive was known for three weaknesses: a lack of individual control over personal data, weak standards for transfers outside the EU, and poor enforcement procedures. GDPR aims to address all three, and to unify the rules across member states. GDPR’s official implementation and enforcement schedule is set to begin on May 25, 2018. GDPR will apply to all “controllers” and “processors” of European personal data.
The new law increases the scope of data protection for European individuals and levies large fines on controllers and processors who violate the new regulations. Additionally, it extends the powers of the already established local supervisory authorities to ensure compliance and enforcement.
What’s a Controller and a Processor?
If you’ve been reading up on this legislation, you’ve probably seen the terms “processor” and “controller” thrown around. The “controller” refers to those who decide why and how the data is processed (our clients/you) and the “processor” refers to the companies or firms doing the actual processing on behalf of the controller (software companies/us).
GDPR officially defines the processor as the following:
“a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
Under GDPR, “personal data” is defined as the following:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
The Controller, the other half in this equation, is defined as this:
“the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”
Essentially, software companies (like us) are the “processor”, processing data on the behalf of controllers (or our clients/users).
Who does GDPR affect?
GDPR applies to almost any controller or processor who touches personal data. It doesn’t matter if your company is based in the US or another country outside of the European Union. If you process personal data of individuals in the EU (the test is where the data subject is, not their nationality), for example by offering them goods or services or by monitoring their behaviour on your site, you are bound by GDPR. Both B2B and B2C companies are affected by the upcoming legislation. GDPR does not distinguish between or pardon either one.
If you’re in the UK, you may be thinking you’re exempt from the new regulations. Unfortunately, you’re not. Brexit does not exempt the UK from GDPR (GDPR comes into effect before the official implementation of Brexit). After Brexit becomes official, the UK will need to maintain an equivalent to GDPR in order to keep personal data flowing freely with the rest of the European Union.
Please note: the above situations are mere examples — it’s important to verify the compliance requirements of your specific situation with an attorney.
Recommended action to achieve compliance
Under GDPR, our clients (the Controllers) carry the primary liability and responsibility to implement practices that ensure full GDPR compliance (processors have their own direct obligations too, for example around security of processing and breach notification). No matter what software is used, it’s absolutely imperative that you verify you aren’t tracking any personal data of individuals in the EU.
In order for our clients to maintain compliance, we’re requiring Mouseflow clients to take the following action:
- Exclude all personal data at all times. This can be done by the following:
- Blocking the collection of data from form fields that may contain PII (we’ll enable this by default for all EU-based accounts soon, with a way to opt in individual fields that do not contain PII)
- Anonymizing all IP addresses
- Excluding/replacing sensitive personal data printed onto the page source
- Running manual tests to ensure exclusions are functioning properly
- Updating privacy policies and related documents accordingly
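The exclusion steps above (masking form fields by default with an opt-in allowlist, anonymizing IP addresses, scrubbing sensitive content out of the page snapshot, and testing that the exclusions actually hold) can be demonstrated as a single client-side scrub applied to a capture before it leaves the browser. The following is an added example written for this page; it is not Mouseflow’s own code or API. The payload shape, the `data-sensitive` attribute, the field allowlist option and the sample capture are all assumptions constructed for the example; in a real page the `fields` array would be built from `document.querySelectorAll("input, textarea, select")` and the snapshot from the live DOM rather than a string.

```javascript
// Added example (not Mouseflow's code): scrub a session-recording payload
// before it is sent. Payload shape and attribute names are hypothetical.

// Keep the string length so layout/heatmap fidelity survives redaction.
function mask(value) {
  return "*".repeat(String(value).length);
}

// IPv4: zero the last octet. IPv6: keep the first 48 bits (three groups).
// Anything unparseable is dropped entirely (fail closed rather than leak).
function anonymizeIp(ip) {
  if (typeof ip !== "string") return null;
  const v4 = ip.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const octets = v4.slice(1).map(Number);
    if (octets.some((o) => o > 255)) return null;
    return `${octets[0]}.${octets[1]}.${octets[2]}.0`;
  }
  if (ip.includes(":")) {
    const groups = expandIpv6(ip);
    return groups ? groups.slice(0, 3).join(":") + "::" : null;
  }
  return null;
}

// Expand "::" shorthand into eight 16-bit groups; null on malformed input.
function expandIpv6(ip) {
  const halves = ip.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) return null;
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  if (groups.some((g) => !/^[0-9a-fA-F]{1,4}$/.test(g))) return null;
  return groups.map((g) => g.toLowerCase());
}

// Default-deny for form fields: only allowlisted field names keep their
// value, and password/email/phone/card-like fields are masked regardless.
const ALWAYS_MASK_TYPES = new Set(["password", "email", "tel"]);
const ALWAYS_MASK_NAME = /(pass|card|cvv|iban|ssn|birth)/i;

function scrubFields(fields, allowlist) {
  return fields.map((f) => {
    const forced = ALWAYS_MASK_TYPES.has(f.type) || ALWAYS_MASK_NAME.test(f.name);
    const keep = !forced && allowlist.has(f.name);
    return { ...f, value: keep ? f.value : mask(f.value), masked: !keep };
  });
}

// Heuristics for PII printed into the page source. The element regex only
// handles non-nested elements; a browser implementation would walk the DOM.
const SENSITIVE_ELEMENT = /<(\w+)([^>]*\bdata-sensitive\b[^>]*)>[\s\S]*?<\/\1>/g;
const EMAIL = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const LONG_DIGITS = /\b(?:\d[ -]?){9,}\d\b/g; // phone, card, national ID numbers

function scrubSnapshot(html) {
  return html
    .replace(SENSITIVE_ELEMENT, "<$1$2>[redacted]</$1>")
    .replace(EMAIL, "[email]")
    .replace(LONG_DIGITS, "[number]");
}

function sanitizeCapture(payload, { allowFields = [] } = {}) {
  const allowlist = new Set(allowFields);
  return {
    ip: anonymizeIp(payload.ip),
    fields: scrubFields(payload.fields || [], allowlist),
    snapshot: scrubSnapshot(payload.snapshot || ""),
  };
}

// The "manual test" step: list every PII-looking string still present in
// the outgoing payload. An empty list means the exclusions are holding.
function findResidualPii(payload) {
  const text = JSON.stringify(payload);
  return [...(text.match(EMAIL) || []), ...(text.match(LONG_DIGITS) || [])];
}

// Constructed sample capture (not real user data).
const SAMPLE_CAPTURE = {
  ip: "203.0.113.57",
  fields: [
    { name: "plan", type: "select-one", value: "pro" },
    { name: "email", type: "email", value: "alice@example.com" },
    { name: "card_number", type: "text", value: "4111 1111 1111 1111" },
    { name: "comment", type: "textarea", value: "call me on 020 7946 0958" },
  ],
  snapshot:
    "<p>Welcome back, <span data-sensitive>Alice Example</span>!</p>" +
    "<p>Support: help@example.com</p>",
};

// Allowlisting a free-text field re-opens the leak; the residual check catches it.
const safe = sanitizeCapture(SAMPLE_CAPTURE, { allowFields: ["plan"] });
const leaky = sanitizeCapture(SAMPLE_CAPTURE, { allowFields: ["plan", "comment"] });
console.log(findResidualPii(safe)); // []
console.log(findResidualPii(leaky)); // ["020 7946 0958"]
```

The point of the last two lines is the fourth step in the list: an allowlist is only as safe as the fields on it, and a free-text field that a user types a phone number into defeats the exclusion, so the residual check must run against the real outgoing payload, not just the field configuration.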
Please note: the above recommendations are not official legal advice. It is highly suggested to consult with an attorney to verify the compliance demands of your specific situation.
It’s imperative to begin the process of understanding GDPR today. Don’t wait!
While many companies scramble to figure out the guidelines, make sure you have a plan in place to avoid tracking personal data at the get-go. Review and implement personal data measures with all of your software vendors to ensure compliance.