It’s still not too late – but it soon will be! The GDPR deadline is approaching fast and causing some folks to feel the heat. These Top 10 tips will enable online print providers to take some important action.
It remains to be seen within the next few days whether the politicians come up with a few more “simplification” arrangements for certain groups shortly before the new Regulation enters into force. What is definite though is that the GDPR will have to be implemented very soon – and that applies to all businesses. With the support of Dr. Martin Schirmbacher I have already reported here on the potential “hiccups” that online print providers are set to be faced with when the GDPR enters into force. And because this issue is more urgent than ever, Martin Schirmbacher, an attorney specializing in IT law at Härting Rechtsanwälte and legal adviser to the Initiative Online Print, has compiled a helpful Top 10 hit list for those now being forced to take swift implementation action.
The GDPR is now just around the corner and an amazing number of companies have not prepared or only prepared very inadequately for it. Many companies, including several online print providers, have not taken any action at all to comply with the new data protection law. Anybody who makes inquiries to specialist consultants or attorneys at this late stage is greeted with a nervous, weary smile. Full GDPR compliance is no longer achievable by the May 25 deadline. But nobody need panic. What’s important is to prioritize. Plenty of the to-dos can also be actioned or completed once the General Data Protection Regulation has entered into force.
The following list is designed to provide a little guidance. The topics are listed in order of urgency, not importance.
Top 1: Reobtaining opt-ins
According to GDPR Recital 171, consents obtained in the past continue to be valid if the nature of the consent already provided corresponds to the terms of the GDPR. The ‘Düsseldorfer Kreis’, the association of German data protection supervisory authorities, assumes that this will generally be the case, unless the consent contravenes the new coupling ban or is targeted at minors. Anybody who previously obtained and documented opt-ins does not have to obtain new consents. Many re-opt-in campaigns are illegal and/or pointless (and in many cases ineffective too). If you have opt-ins but these are not sufficiently documented and you therefore wish to obtain new consents, then you must do that now.
Top 2: Amendment of data protection statements
The data protection statement on an online print provider’s website must be amended to comply with the GDPR. In particular it needs to provide information about data collection. Consumer information transparency requirements are more stringent than those that comply with prevailing law. For example, the legal basis for data processing must be stated. If the Federal Data Protection Act (BDSG) is still mentioned in the data protection statement, then that statement needs to be amended.
Top 3: CDP agreements with agencies/tool providers
If personal data is contract-processed by a tool provider or other agency, then a contract data processing agreement must be concluded. In accordance with Art. 24 of the GDPR the person(s) responsible must ensure that data processing is performed in a lawful manner. Furthermore that person has a legal responsibility only to select and work with contract data processors that can adequately guarantee to put appropriate technical and organizational arrangements in place in accordance with Art. 28 Par. 1 of the GDPR.
Top 4: Cookie banner
The legal position in respect of cookies and the need to obtain consent is currently TBA. You can’t really tell from the GDPR whether a cookie banner is required or not. Furthermore the relationship between European data protection rules and the German Teleservices Act has not been clarified. The data protection authorities evidently regard every tracking cookie as requiring consent to be obtained. That is certainly not correct, although the adoption of a cookie banner may be advisable. A distinction between essential cookies (for instance for a shopping basket function) and tracking/targeting cookies should be made.
Top 5: Legal checks on CRM/DMP
According to GDPR Recital 47 / P.7, the processing of personal data for the purposes of direct advertising can be regarded as data processing that serves a legitimate interest. In certain circumstances the personalization of advertising can be based on a legitimate interest. However the aim of the GDPR is to prevent total customer transparency, meaning at any rate that creating in-depth customer profiles requires consent. Every CRM system and every data mining platform, in which customer data is stored, should therefore be subjected to detailed legal checks.
Top 6: Data protection officer
According to Art. 37 of the GDPR a data protection officer must be appointed, if data processing is the company’s core activity. Furthermore § 38 of the BDSG stipulates that a data protection officer is required if generally at least 10 people within a company are permanently occupied with data processing activities, which is new for Germany. Companies face a massive fine if they don’t appoint a data protection officer. This minimum of 10 persons includes all call center agents, service or accounts staff. This does not apply to printing or packing staff, even if they see order-related data or occasionally come into contact with personal data as part fulfilling customer orders.
Top 7: Right-to-information process
General requirements as regards the rights of those affected are determined by Art. 12 of the GDPR. In particular companies are required to provide information without delay as soon as anybody exercises their right to information about their stored personal data. An internal company process therefore needs to be created, which enables rapid merging of all stored data relating to the customer or potential customer.
Top 8: Facebook plugins
The ECJ will shortly deliver judgments about two fundamental issues relating to Facebook: who is responsible for data collection on a company’s Facebook page and is the inclusion of a Facebook widget or the Like button regarded as data collection by the website operator and data transfer to Facebook? It remains to be seen what happens. Until then it seems advisable to opt for a solution that allows for the transfer of IP data to the social network only after the website user has consented (e.g. Shariff).
Top 9: Processing activities directory
Very important but not ultra-urgent is the completion of a directory of processing activities. This is the substantiation of general accountability obligations as stated in Art. 5 Par. 2 of the GDPR and provides the data protection authorities with a starting point for any inspections they carry out. All online print providers will have to keep such a directory, irrespective of company size. This is namely a permanent obligation if the processing of personal data is not just an occasional activity within the company. That includes companies that always print business cards. For each individual data processing procedure the directory must contain at least the following information: data processing name and purpose, legal basis, processing description, parties affected and recipients as well as those authorized to access the data, personal data / data categories, standard deadlines for the deletion of data plus a general description of technical and organizational measures in place.
Top 10: Data deletion concept
What’s also important but not absolutely urgent is coming up with a data deletion concept. A deletion deadline must be determined for every item of legal basis-dependent stored data. Exceptions apply if statutory retention periods have been prescribed. Deletion concepts should be developed in order to ensure proper compliance with these periods/deadlines at all times. These concepts must then be put into practice to ensure that personal data is actually deleted as well.