
GDPR: 10 Steps That Will Help Guide You Through The New E.U. Data Protection Framework

The new European data protection law, the General Data Protection Regulation (GDPR), comes into force on the 25th of May, 2018. The new framework puts considerable pressure on online and offline businesses of all sizes because it strengthens the rules under which the personal data of European residents can be collected, stored, and disclosed. Although it is a European regulation, the GDPR will also apply to organizations that have no physical presence in the European Union.

To guide you through the new E.U. data protection framework, we’ve provided you with a 10-step guideline that will allow you to better understand the formal requirements of the GDPR and the new personal data security standards.

1. Scope of the GDPR

Although the GDPR is a European legislation, it may apply to businesses located in other jurisdictions as well. More specifically, the GDPR applies to natural and legal persons that collect personal data and:

  • Are established in the E.U.;
  • Are not established in the E.U. but cooperate with data processors that are established in the E.U.; or
  • Are not established in the E.U. but collect personal data of E.U. residents or target them (e.g., offer them goods and services or monitor their behavior).

The GDPR will not be applicable if you are a natural person who accesses personal data in the course of a purely personal or household activity (e.g., browsing social media websites).

2. Tracking personal data

The GDPR defines personal data as any information that allows you to identify a natural person. For instance, personal data may include personal names, physical addresses, email addresses, social security numbers, location data, genetic information, biometric data, health care data, and IP addresses.

The GDPR requires applying the principle of data minimization, meaning that you can collect and process only the amount of personal data that is required to provide the requested service.

In order to keep track of all of the personal data that you collect, store, access, share, and process online and offline, it is important to document such transactions for your own records. Also, in certain cases (e.g., if you employ more than 250 persons, collect personal data regularly, or target special categories of personal data) you may be obliged to maintain data processing records.

It is important to note that the GDPR imposes stricter requirements (e.g., obtaining explicit consent) for special categories of personal data, such as a person’s racial or ethnic origin, political, religious, and philosophical opinions, trade union membership, genetic data, biometric data, healthcare data, and data concerning a natural person’s sex life or sexual orientation.

3. Collaboration with third parties

Under the GDPR, all third parties that have access to personal data collected by you, such as cloud storage providers, hosting providers, and newsletter providers, are considered to be data processors. The law stipulates that the relationship between you and data processors should be governed by data processing agreements, which should reflect (1) the types of personal data you provide access to, (2) the purposes of processing, (3) the duration of processing, (4) the applicable security measures, and (5) the mutual assistance in fulfilling your obligations under the GDPR.

If the third parties are located outside the EEA, you can disclose or transfer personal data only if certain conditions are met, including, but not limited to:

  • If the third party is established in the country that is “white-listed” by the E.U.;
  • If you conclude a contract with the third party on the basis of pre-approved contractual clauses or binding corporate rules;
  • If the data subject provides you with explicit consent to the disclosure or transfer of personal data; or
  • If the transfer is explicitly necessary for conclusion or performance of a contract.

4. Consent

Consent for the collection and processing of personal data is one of the legal grounds for lawful data processing under the GDPR. To be valid, the consent should be prior, explicit, informed, and freely given (pre-ticked boxes are not allowed). Consent does not have to be obtained if the personal data is necessary for performing a contract with the data subject (e.g., booking an appointment, providing the requested service, or delivering a product), for pursuing legitimate business interests, or in certain other exceptional circumstances.

5. Data protection and storage

Under the GDPR, personal data can be retained only as long as its storage is necessary for the purpose for which the personal data was collected. Afterwards, the personal data should be deleted. Only in certain cases, when the storage of personal data is required by the applicable law (e.g., for accountancy purposes), are businesses allowed to retain personal data in order to comply with their legal obligations.

To protect personal data, appropriate organizational and technical security measures have to be taken (e.g., limited access to personal data by employees, anonymization, secured networks, and encryption) and you have to ensure that the data processors with whom you cooperate have also put equivalent security measures in place.

6. Data subjects’ rights

The GDPR provides data subjects with a number of rights with regard to their personal data. Indicate in your privacy policy those rights, and give instructions on how data subjects can exercise them. Such rights include:

  • The right to access personal data (e.g., getting a list of personal data you store about the data subject);
  • The right to correct personal data (e.g., change of contact details);
  • The right to erase personal data and object to profiling (i.e., “right to be forgotten”);
  • The right to restrict the processing of personal data;
  • The right to ask a data controller to provide another data controller with a list of personal data related to the data subject; and
  • The right to launch a complaint about the handling of personal data.

7. Identification and transparency

Give your privacy policy the highest level of transparency. List clearly the types of personal data you collect, the purposes of collection, the grounds for processing, third parties that have access to personal data, and all your policies and procedures governing collection, storage, and the processing of personal data.

Also, indicate your contact details clearly in your privacy policy, including the email and postal addresses that data subjects can use to contact you with regard to personal data, and mention the timeframe in which you will respond to the data subject’s inquiries.

8. Children

The GDPR prohibits the collection and processing of children’s personal data without obtaining the consent of a parent or guardian in advance. In order to comply with this requirement, consider putting systems in place to verify individuals’ ages and to obtain the required consent. Also, provide parents or guardians with the opportunity to request the erasure of children’s personal data that has been obtained without their consent.

9. Data breaches

The GDPR puts in place strict guidelines for reporting security breaches that affect personal data. In a nutshell, you have to inform the supervisory authority within 72 hours from the moment you become aware of a breach, and then provide details about the affected personal data. Should a data breach occur in data processors’ systems, the data processors have to immediately notify you. Make sure that you have the right procedures in place to detect, report, and investigate a data breach.

10. Data Protection Officer (DPO)

You can voluntarily appoint a DPO as a person who will assist you in complying with the GDPR, as well as tracking and documenting the transactions involving personal data within your organization. The GDPR explicitly requires appointing a DPO if:

  • Your business relies mainly on processing of personal data on a large scale;
  • You process special categories of personal data on a large scale;
  • The processing of personal data may pose a threat to the rights and freedoms of data subjects; or
  • You are a public body or authority.

Best Practices For Your Company’s Social Media


Facebook, Twitter, Instagram, Snapchat, LinkedIn, Pinterest, the list goes on and on and on. The reality is that the vast majority of Americans spend a considerable amount of time online, so much so that the average consumer is constantly bombarded by information.

For a business, standing out in social media requires some skill, a little luck, and implementing the industry’s best practices. Below are some recommendations for optimizing your online presence, building trust with your audience, and ultimately converting clicks into profit.

Respond promptly:

Customers have expectations for quick responses, especially when it comes to complaints. Negative feedback must be addressed, especially in a public setting. Acknowledge the hurt feelings, tell the customer how much she is valued, and offer a solution. Then try to take it to a private message as quickly as possible and resolve it there. Be genuine and sincere. And whatever the feedback, always try to respond back to it, even if it is as simple as saying “thank you.”

Blessed are the brief:

The scarcest resource of our time is “time.” Twitter’s popularity lies in its brevity and 140-character limit. People no longer have the luxury (or the patience) of reading a long article. Consumers want brief, to-the-point, striking content. Pictures and engaging, snappy captions are best. Ideas for longer posts don’t belong in a Facebook status update. Keep them for a blog on the company’s website.

Maintain engagement:

When creating social media posts, give people something to talk about. Today’s social media user is looking to be a part of the conversation. We all want to feel included. Ask questions and post content consumers are interested in, related to the business. For example, a donut shop might post a poll asking customers about their favorite donut flavor. Or an accounting firm can upload a screenshot from a scary movie and write below, “Don’t be afraid this tax season. Come visit us at Acme CPA.” Engagement can be about news, the company’s industry, photos, info-graphics, promotions or questions. The options are endless.

Call-to-action:

Regularly posting on social media and engaging with customers there is a great place to start. But to really see success, companies should tell users what action to take based on each post. That could be as simple as asking them to share, retweet, or comment, inviting them to try a featured product, or directing them to the company website. Whatever it is, be sure to include a call-to-action on social media posts. Let consumers use their network to expand the organic reach of social media, and give them a reason to mention the company brand and refer others to the business.

Respect intellectual property rights:

From a practical perspective, organizations should be mindful and vigilant that content being posted does not accidentally infringe on another person’s intellectual property rights. This could expose even the smallest mom-and-pop store to legal liability. Nevertheless, copyright laws allow for the “fair use” of copyrighted material without securing the owner’s permission. This type of exception allows anyone to use the copyrighted material of another for use such as criticism, comment, news reporting, teaching, scholarship, or research. However, the first factor used to determine whether the use of another’s copyright falls under this exception is whether the use is for commercial vs. non-profit educational purposes. Accordingly, businesses should be careful relying on the protection of fair use when using another’s copyright.

Automation:

Running a social media program can be incredibly time-consuming, but one way to save time is to automate parts of the process. Even small businesses and start-ups can pre-schedule social media messages and posts and re-share content at optimal times. There are several free and inexpensive programs available.

Behind-the-scenes insights build connection:

A great benefit of social media is that it allows the audience to get real-time access to what it’s like to be a part of the company. This type of intimacy helps boost loyalty, which, in turn, boosts sales. Consider posting about office dress-up days, major milestones, job postings, events, and fun, goofy comments made around the water cooler.

Consistency is key:

Finally, social media is a social endeavor in and of itself. A company’s team should be involved in the conversations, but publicly it should speak with one voice. Limit the number of people with access to the social media platforms, and any time someone with access leaves, immediately change the passwords. Because while it’s great to give life to a brand on social media, once something is posted, it can never be truly deleted.


The Evolution Of The Legal Model: Why Billable Hours No Longer Work


Over the past few years, several reports have boldly proclaimed that the billable hour is dead in the field of legal services. Has this billing method really become obsolete? If so, why, and is there a better alternative out there?

Reasons Why the Billable Hour is Becoming Obsolete

In order to be profitable, a law firm has to discover the best way to bill clients for its services. The billable hour has been setting the standard for some time, but a number of issues stem from the use of this methodology:

  • Charging clients by the hour often leads to highly inflated prices. A client will be charged, whether the entire block of time is used or not.
  • The billable hour will often lead to client animosity. The client will get charged whether they get a positive or a negative outcome out of the interaction. In addition, the billable hour endangers the positive relationship that is so essential for building trust and forming a partnership between a lawyer and a client.
  • A client will find it difficult to come up with a preliminary and accurate estimate about what they’re going to be charged. Not knowing how much legal services will cost can contribute to a lot of anxiety and uncertainty.
  • Billable hours can also result in a lot of inefficiency inside the law firm itself. Prolonging litigation and inefficient practices can often be prioritized for the purpose of charging clients more. As a result, the overall reputation of the law firm will suffer.

What is the Alternative?

According to the Report on the State of the Legal Market, power dynamics are shifting. Clients today have higher standards and more demands. They insist on getting value for the money spent on legal services. As a result, billable hours don’t really make a lot of sense in a dynamic that is slanted towards the client (and rightfully so!).

Another factor is also pushing legal companies to offer both quality and cost-efficiency. The competition is higher than ever before. According to the American Bar Association, the total national lawyer population has gone up from 574,910 practitioners in 1980 to 1,022,462 lawyers in 2000 and 1,335,963 attorneys in 2017. Most of these professionals (about 74 percent) end up in a private practice. If a client in need of legal assistance is dissatisfied with one service, they will easily find a quality alternative that is much more cost-efficient.

The switch away from billable hours is an obvious one, but which billing method can deliver better, more sustainable results?

Flat fees have more or less risen to popularity in the legal world. Whether an attorney needs five or 10 hours of work to complete a task for a client, the fee will remain the same. This model results in predictability and it makes it easier for clients to plan the process in advance.

Depending on the field of practice, outcome-based payments could also make sense. An attorney will get paid when they help clients get a positive result. Needless to say, this model provides additional incentives for legal professionals to offer their clients the most adequate and tailored assistance every single time.