GDPR is coming – what it means for businesses, organizations (and websites) in Aruba
On May 25th 2018, some sweeping changes will take effect in EU legislation that will impact businesses or organizations that handle personal data or monitor behaviors of persons in the EU. Called the General Data Protection Regulation or GDPR for short, this new legislation will come into effect at the above date and will replace an aging EU Data Protection Directive which has been the de facto EU data protection standard since 1995.
Some definitions, also in the context of websites
- Data Subject: a person (in the EU) whose personal data is collected
- Data Controller: the business or individual that owns the website
- Data Processor / 3rd Party Processor: anyone that the Data Controller gives data to (e.g. a web developer, web hosting company, marketing company, email newsletter provider, analytics provider, web advertising platform, any service connected to your website, etc.)
What constitutes personal data?
In the context of GDPR, personal data is defined as any information that can be used to identify a person (the Data Subject). This means that basic personal information such as a name and email address falls under this classification. There is also a “sensitive personal information” classification that includes data such as medical, financial, biometric or genetic information.
Ambiguity and guidelines as to Territorial scope
However, as with many laws before it, there has been confusion as to the territorial scope of the GDPR law and its interpretation. Article 3 of the GDPR relates to this aspect. The ambiguity arises in relation to businesses outside the EU that offer goods and services to persons in the EU, irrespective of whether a payment is required.
According to Article 3, the GDPR applies to businesses established in the EU, as well as to businesses based outside the EU that offer goods and services to, or that monitor, individuals in the EU.
This aspect is of particular interest to us here in Aruba, since businesses and organizations here are dealing with persons in the EU on a daily basis, not only due to our clear Dutch connections, but also due to our tourism industry that actively markets to and attracts visitors from various EU countries.
Because of this territorial ambiguity, the Court of Justice of the EU offered certain criteria, in particular relating to websites outside the EU offering services to persons in the EU. If a website satisfies one or more of the following factors, that is a strong indication that it would be subject to GDPR legislation:
- Use of the language of a Member State (so basically translating a website to one or more EU Member State languages);
- Use of the currency of a Member State (if the currency is different than the currency of the home state);
- Use of a top-level domain name of a Member State (e.g. actively using a domain extension for a Member State such as .nl, .be or .it);
- Mentions of customers based in a Member State; or
- Targeted advertising to consumers in a Member State.
If one looks at websites for businesses based in Aruba, it would appear that at least two or three of the above factors, and possibly more or all of them, apply to several of those websites, and not just tourism-related ones.
Where do we stand in Aruba?
This is where the powers that be in Aruba need to provide clarity as to whether and how we fall under the scope of these imminent new laws. There is definitely still a lot of confusion and uncertainty, and also just outright lack of awareness of the legislation itself. Just last week I heard from someone in the IT field who emphatically stated that all Caribbean nations are exempt from the GDPR legislation, which also means Aruba so we have nothing to worry about. Based on available information, this appears to be quite incorrect.
Some time back I also questioned a couple of experts in the consulting community in Aruba about how GDPR would affect local businesses only to be told “What is GDPR?”.
Clearly we are generally unprepared, misinformed or unaware, and we need to get our act together. Businesses need to know what their legal obligations and rights are in this respect. Many countries around the world have assembled specific task forces or Information Officers/Commissioners to deal with and inform their business communities about the GDPR impacts and responsibilities. Aruba has none. We also do not have any basic Personal Data Protection legislation. In terms of GDPR information we are operating in a disconcerting vacuum, with no locally issued information, publications or bulletins. The EU approved the legislation in 2016 and it comes into effect within a few weeks. Try a Google search for the term “GDPR and Aruba” and, as of the time of writing, nothing relevant to our island comes up. Such is the lack of information.
In the event that we do not fall under the legislation, then we can all breathe a temporary sigh of relief. I say temporary because it is only a matter of time before other countries start to adopt similar approaches to privacy, because in and of itself, the GDPR law is a big step in the right direction relating to individuals’ data protection and privacy, especially in the light of what we have been seeing with large companies such as Facebook (Cambridge Analytica comes to mind) with regard to data protection and privacy. Furthermore the GDPR offers very practical guidelines on how to handle various aspects of data security, something that modern businesses need to be much more aware of.
Data Subjects’ rights and Data Controller obligations
If it is determined that we do fall under the legislation, which appears to be the case, then there are many things to take into account.
Individuals under the GDPR have the following rights:
- The right to be informed (of all aspects of collection and use of their personal data)
- The right of access (the right to confirmation whether their data is being processed and access to that data)
- The right to rectification (of inaccurate or incomplete data; a request can be verbal or in writing, and a business has one month to respond)
- The right to erasure (also known as the ‘right to be forgotten’, i.e. to have all their personal data erased)
- The right to restrict processing (meaning that individuals can request to restrict usage of their data)
- The right to data portability (the right to obtain and reuse their personal data for their own purposes across different services, especially if other services are more advantageous to them)
- The right to object (to certain activities such as use of their data for profiling, direct marketing, scientific/historical research)
- Rights in relation to automated decision making and profiling (the right to clarity where there is no human involvement in the decision making and profiling, the right to request human intervention)
Any business or organization that falls under the GDPR legislation must have a legal basis for handling personal information of persons in the EU. That legal basis may be one of the following:
- Consent: the individual has given clear consent for a business or organization to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract with the individual, or because they have asked a business or organization to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for a business or organization to comply with the law.
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for a business or organization to perform a task in the public interest or for official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for a business or organization’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Let’s define and talk about consent as it relates to a website
Although several of the above legal bases could potentially apply to a website, arguably the most common one would be consent. Let’s focus on this and how it relates to data collected on websites. Since websites are of particular interest to us and our clients, I will mention how the rights of persons in the EU relate to data that may be collected on a website, and what changes or actions would be necessary for compliance.
Consent must be:
- Granular: consent is presented as multiple, separate choices. For example, consent to receive a newsletter must not be an automatic opt-in during an account creation process.
- Unbundled: users cannot be forced to grant consent for one thing in order to receive another; each consent must be separate and distinct.
- No imbalance in the relationship: consent must not create an unfair relationship between the user and the business or organization. For example, obliging employees to use an app that monitors their location after work hours would constitute an unfair relationship.
- Verifiable and documented: website owners must be able to prove who gave their consent, how consent was given, what information they were given, what they agreed to, when they consented, and whether or not the user has withdrawn their consent.
If consent is not given under one of these conditions, then a website owner’s use of the users’ data must be grounded in another legal basis.
Consent on Website Forms, Newsletter guidelines and clarity of Privacy policies
Below are some guidelines regarding consent, consent on website forms, and newsletter considerations.
General considerations about consent
- If for any of your contacts you have not obtained GDPR-proof consent or if you are unsure about whether or not their consent is compliant, it will be necessary to run a re-permission campaign to refresh that consent, or remove the subscriber from your mailing list. Data of inactive users must be deleted.
- A checkbox for subscribing to a newsletter should be unchecked by default. Ideally use double opt-in where a person has to re-confirm their intention to opt in to email marketing.
- Make sure that any sensitive information such as credit card information is not at risk of being exposed, especially when received by your organization. This is of particular interest in Aruba, since many websites still ask for and collect credit card information without giving proper attention to how this data is managed and secured once it leaves a secure website form and arrives at the organization. Mainly this has been due to the total lack of credit card processing options available to the local market – a seriously neglected facet of local business operations. Irrespective of this it is the responsibility of the business owner to ensure that they are managing sensitive financial information responsibly, now even more so under GDPR. If businesses cannot guarantee that credit card information is safe within their organization once it is received via their website, then do not ask for it on your website at all, and make alternative arrangements to process credit card charges.
- There should be an unsubscribe button on the emails / newsletters that is easy to find.
- The unsubscribe request must be honored within 10 days.
- Opting out should be free.
- Opting out should not require any other information beyond an email address.
- Subscribers should not be required to log in in order to opt out.
- Subscribers should not have to visit more than one page to submit their opt-out request.
The (new) way the Cookie crumbles
- Users must have a choice as to whether to accept a website being able to set cookies or not. The fact that they use a website does not automatically mean they agree to all cookies. There must be a choice.
- Like all other consent under the GDPR, consenting to cookies needs to be a clear and affirmative action.
- GDPR legislation specifies that a data subject should be able to withdraw consent just as easily as they gave it. This also applies to cookies. With cookies this will generally mean that they should be able to revoke consent through the same action as when they gave consent.
Websites collect data in many different ways: via cookies, via scripts such as Google Analytics, and via tracking pixels such as Facebook pixels or Google remarketing pixels, to name a couple. All of these need to be clearly outlined in terms of what information is collected, whether or not it is anonymised, why it is collected and what is done with it.
Avoid vague “third parties” terminology. Be explicit and clear about who those third parties are, what they do with the data collected, and their relationship with your website (e.g. service provider, affiliate, etc.).
Make it easy for users to request to view, correct or delete their personal data by including clear information on how they can do that and whom they can contact. This is very important for compliance with users’ new rights under GDPR.
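As an added illustration (not code from the original post), the following sketch shows how the consent requirements above can be enforced in a website's front-end script: tracker scripts for analytics and marketing stay unloaded until the visitor gives a separate, affirmative choice per category, every choice is recorded with the policy version shown and a timestamp so it can be evidenced, and withdrawal is the same control with the opposite value. The category names, policy version and tracker URLs are constructed placeholders; the in-memory store stands in for the browser's localStorage so the example runs outside a browser.

```javascript
// Assumed categories and policy version for this example (constructed, not from the post).
const CATEGORIES = ["analytics", "marketing"];
const POLICY_VERSION = "2018-05-v1"; // identifies the cookie notice text the visitor saw

class ConsentManager {
  // store: anything with getItem/setItem (window.localStorage in a browser);
  // now: clock injected so records are reproducible in tests.
  constructor(store, now = () => new Date().toISOString()) {
    this.store = store;
    this.now = now;
  }
  _read() {
    const raw = this.store.getItem("consent");
    // Absent entry means "no consent": nothing is pre-ticked or assumed from site usage.
    return raw ? JSON.parse(raw) : { choices: {}, history: [] };
  }
  _write(state) { this.store.setItem("consent", JSON.stringify(state)); }
  // Granular and unbundled: each category is its own explicit, affirmative choice.
  set(category, granted) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    const state = this._read();
    state.choices[category] = granted === true;
    // Verifiable and documented: what was shown, what was chosen, and when.
    state.history.push({ category, granted: granted === true, policy: POLICY_VERSION, at: this.now() });
    this._write(state);
  }
  // Withdrawing is the same action as granting, just with the opposite value.
  withdraw(category) { this.set(category, false); }
  allows(category) { return this._read().choices[category] === true; }
  // Gate: returns only the tracker scripts whose category is currently consented to,
  // so the page injects nothing for the rest.
  loadTrackers(trackers) {
    return trackers.filter((t) => this.allows(t.category)).map((t) => t.src);
  }
  history() { return this._read().history; }
}

// Minimal localStorage stand-in so the example runs without a DOM.
function memoryStore() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}

// Constructed sample trackers; the URLs are placeholders, not real script locations.
const TRACKERS = [
  { category: "analytics", src: "https://example.invalid/analytics.js" },
  { category: "marketing", src: "https://example.invalid/remarketing-pixel.js" },
];
```

In a real page, `loadTrackers` would be called once on load and again whenever the visitor changes a choice in the cookie settings control, and the `history` array is what you would keep server-side as the consent record.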
Looking beyond websites and into organizations’ data policies
GDPR compliance goes way beyond your website. Once data enters your organization, the methods of storing that data, backing it up, determining who can access that data, and how it is managed in general within your organization are very important aspects of GDPR compliance.
GDPR should be a strong motivator to give serious thought to how data is stored, used and generally handled within organizations across the board. Potential consequences of non-compliance are significant, with regulators having the authority to impose a fine that is up to the greater of €20 million or 4% of global annual turnover in the prior year of the offending party. That should be food for thought for a small country let alone a small business.
*Update: reference was made previously to EU citizens, but in fact the definition appears to be broader and refers to ‘data subjects in the EU’ in the sense of being physically present in the EU. Thank you legislation for being anything but clear-cut! See: https://www.lexology.com/library/detail.aspx?g=70046340-607b-4620-a680-6b6a0cefaf47
Published on May 9th 2018. Written by Mark Cesareo.