We’re one month away from the GDPR (technically 5 weeks and 1 day), and businesses are wrangling their teams together to get processes and compliance in place. In our latest webinar hosted by Kyle Robbins, JD, Legal Solutions & Privacy at PactSafe, we discuss what we know about May 25’s GDPR, as well as:
- Why Consent Should be a pre-May 25 priority
- Article 7 Requirements & WP29 Suggestions
- Common Failures & Mistakes
- Implementing A Solution (Quickly!)
Below is a quick breakdown of the webinar. See the full video recap below, and tweet us your questions and comments @PactSafe with #PactSafeGDPR.
Why your organization should have GDPR fever:
The risks of not complying with the GDPR are real, and they will be enforced. Once audited, organizations will have 30 days to provide proof and a record of consent for the use of users’ data. A fine of 4% of annual revenues is one of the penalties for non-compliance, and lists of 100 organizations are rumored to be held by certain DPAs.
Consent seems to have been pushed down the priority list at some organizations, which is a major miscalculation. Consent is the easiest thing regulators can see, and several organizations don’t have a plan in place to track and manage data consent.
If you haven’t made your compliance plan yet, here’s what you need to know:
Below are five areas you need to look into in your organization for compliance:
- Your organization’s role as a data handler: Controller, processor, subprocessor, hybrid, etc.
- All of your collection points of personal data: Lead submission, employees, our end users passing us data, etc.
- Each legal basis for collecting that data: Consent, legitimate interests, etc.
- Breach notifications and technical gaps
- How you will manage individual rights: Consent collection, rights requests, and more.
Here’s exactly what the GDPR will ask an organization for when it comes to consent:
Below are the GDPR Article 7 requirements for consent as of May 25:
- Clear consent that is freely given
- Clearly distinguishable from other agreements
- Easily accessed
- Uses clear and plain language
- Be able to “demonstrate that the data subject has consented to the processing of his or her personal data.”
So what does this mean? It means the status quo for how a majority of organizations manage consent must change. The current practices at risk are the user’s experience of how they opt in to a business and how a business manages and tracks a user’s opt-in.
What you need to do to become compliant today:
Below are some specific things you’ll need, per the advice of the WP29 working group:
Front end UI (user interface) changes:
- No more preticked boxes
- Require an actual, active opt-in that isn’t tied to a “log in” button
- Clear and plain language
- An opt-out mechanism
- Granular consents
On the backend, we typically see four common failures:
- Records that are suspect, asynchronous, rely on dev logs, or can be tampered with
- No workflows around privacy updates or changes
- Zero version control
- Lack of centralization and inflexibility
Here are the back end changes to make to avoid the common mishaps above. The consent records you keep should capture:
- The name or other identifier of the data subject that consented;
- The dated document, a timestamp, or note of when an oral consent was made;
- The document or data capture form by which the data subject submitted his or her data.
- Consent receipt mechanisms can be especially helpful in automatically generating such records.
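As an added illustration (not PactSafe’s product, nor code shown in the webinar) of what a consent receipt holding the fields above can look like when it is versioned and tamper-evident: each record ties the subject to the exact policy text they saw, stores granular purposes as explicit choices, and carries an HMAC tag so that an edited record no longer verifies. The field names, the signing key and the sample policy text are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone


def policy_hash(policy_text: str) -> str:
    """Hash the exact policy text shown, so the record proves which version was consented to."""
    return hashlib.sha256(policy_text.encode("utf-8")).hexdigest()


def canonical(record: dict) -> bytes:
    """Stable JSON serialisation: key order and whitespace must not change the tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def issue_receipt(subject_id, policy_version, policy_text, purposes, capture_form,
                  signing_key: bytes, previous_tag=None, at=None) -> dict:
    """Build a consent receipt. `purposes` maps each purpose to the explicit True/False
    choice the user made; a purpose that was never chosen is treated as not consented."""
    record = {
        "subject_id": subject_id,                                   # who consented
        "consented_at": (at or datetime.now(timezone.utc)).isoformat(),  # when (UTC)
        "policy_version": policy_version,                           # human-readable version
        "policy_sha256": policy_hash(policy_text),                  # exact text they saw
        "purposes": {p: bool(v) for p, v in purposes.items()},      # granular consents
        "capture_form": capture_form,                               # how it was collected
        "previous_tag": previous_tag,  # links a withdrawal or update to the earlier receipt
    }
    record["tag"] = hmac.new(signing_key, canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_receipt(receipt: dict, signing_key: bytes) -> bool:
    """Recompute the tag over everything except the tag itself; any edit breaks it."""
    body = {k: v for k, v in receipt.items() if k != "tag"}
    expected = hmac.new(signing_key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt.get("tag", ""))


def has_consent(receipt: dict, purpose: str, signing_key: bytes) -> bool:
    """Only a verified receipt with an explicit True for the purpose counts as consent."""
    return verify_receipt(receipt, signing_key) and receipt["purposes"].get(purpose, False)


if __name__ == "__main__":
    KEY = b"constructed-demo-key-rotate-in-production"   # assumption: per-environment secret
    POLICY_V2 = "Privacy Policy v2 (constructed sample text)"
    r = issue_receipt("user-123", "v2", POLICY_V2,
                      {"marketing_email": True, "analytics": False}, "signup-form", KEY)
    print(has_consent(r, "marketing_email", KEY), has_consent(r, "analytics", KEY))
    r["purposes"]["analytics"] = True          # a back-office edit is now detectable
    print(verify_receipt(r, KEY))
```

A withdrawal is recorded as a new receipt whose `previous_tag` points at the earlier one, so the history stays intact instead of being overwritten.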
Yes, we know this is a lot! That’s why we built a proven, trusted solution for privacy consent:
Built by lawyers, for lawyers, PactSafe’s consent management platform leans on our history of helping enterprise organizations protect their online terms and policies, while streamlining workflows behind the scenes.
This is just a highlight of our webinar. Watch the recording below for a full, in-depth breakdown of how to get your organization compliant for May 25’s GDPR today!