By Teodor Teofilov
The European Union’s (EU) new General Data Protection Regulation (GDPR) is complicated and has vast consequences, affecting any company that collects the personal data of any citizen within the bloc’s borders. It was passed on April 14, 2016, and gave companies two years to prepare for its eventual enactment, which happened on May 25 of this year.
Here are six things that businesses need to know about the GDPR.
1. The GDPR can apply to everyone
Some people and companies might think that they can get away with non-compliance because they aren’t physically located within the EU. Isn’t this EU legislation that affects and covers EU citizens? Well, no. Companies that believe they won’t have to comply because they aren’t physically located in Europe will be the ones that find themselves surprised by fines that could destroy their business.
The EU’s sweeping data protection regulation applies to all companies worldwide that process the personal data of EU citizens. Because of this, the physical location of a business doesn’t matter. If your company or website has EU visitors who can create accounts or purchase merchandise from you, and your business ships products and processes payments internationally, you’re covered by the GDPR and have to make sure you comply.
2. A wider definition of personal data
Article 4(1) of the GDPR expands the already broad definition of what personal data is. It states that “personal data” means any information about an identified or identifiable natural person, that is, someone who can be directly or indirectly identified.
The legislation further clarifies what is considered personal data through examples. Personal data can be a name, identification number, location data, physical address, email address, IP address, radio frequency identification tag, photograph, video, voice recording, biometric data (eye retina, fingerprint, etc.) or an online identifier of one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.
Although the definition has been broadened and specific examples of personal data are given, a few things keep this new definition from being cut and dried. According to Recital 30, some online identifiers provided by devices, apps, tools and protocols leave traces which, in combination with other unique identifiers and information, can be used to identify natural persons. This widens the scope of personal data to address the general lack of transparency around data from devices and the Internet of Things.
Depending on context, a single element might not be personal data on its own, but when considered together with other elements it can identify a data subject. Recognizing personal data under the GDPR isn’t just a matter of knowing the list of elements, but also of considering what can be done with them when they are used together.
Another thing is that a piece of data isn’t always personal data on its own. For example, if you share a name with a lot of people, that name by itself isn’t personal data. However, if it is used together with other details, such as employment, phone number or email, it is likely to identify a person. As such, the combination of general data and specific data can become personal data under the GDPR.
The last thing to mention is that Recital 26 of the GDPR makes it clear that anonymous data isn’t subject to the requirements of the law.
3. Obtaining valid consent
The ever-present tick-box on the internet no longer constitutes consent in the eyes of the GDPR, and neither does silence. The GDPR requires businesses that handle personal data to receive the consent of their customers before processing or storing the data. Since it took effect on May 25, the GDPR requires consent requests to be laid out in plain and straightforward language. They also need to explain clearly how the personal data will be used and for how long it will be stored and used.
Silence and tick-boxes no longer work because, under the GDPR, companies need to be able to prove that they received approval from their users to process and store their information. The consent needs to remain consistent with the most up-to-date information on the customer and with the purpose for which the personal data is being used. If either of these changes, a new request for consent must be made.
The last important thing to know about consent is that the customer of a business now has the right to withdraw their consent at any time. This requires companies to respond to and act on the request within a reasonable timeframe. Article 17 sets out the “Right to Erasure”, also known as the right to be forgotten.
Individuals can request that companies storing their personal data erase it, and the companies will have to erase the customer’s information in the following circumstances: the personal data is no longer necessary in relation to the purpose for which it was originally collected; the individual withdraws their consent; the company is relying on legitimate interests as its basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue that processing; the company is processing the personal data for direct marketing purposes and the individual objects to that processing; the personal data has been unlawfully processed; erasure is required to comply with a legal obligation; and the business has processed the personal data to offer information society services to a child.
4. Data Protection Officers
A data protection officer (DPO) is an enterprise security leadership role that is required by the GDPR for any organization that processes or stores large amounts of personal data. The DPO must be “appointed for all public authorities, and where the core activities of the controller or the processor involve ‘regular and systematic monitoring of data subjects on a large scale’ or where the entity conducts large-scale processing of ‘special categories of personal data’,” such as data that details race, ethnicity or religious beliefs. Public authorities and/or companies larger than 10 to 15 employees that process personal data require the appointment of a DPO.
DPOs are responsible for overseeing data protection strategy and implementation to ensure compliance with GDPR requirements. Article 37 makes the DPO a mandatory role for all companies that collect or process EU citizens’ personal data. DPOs are responsible for educating the company and its employees on the important compliance requirements, training staff involved in the processing of data and conducting regular security audits. They also serve as the bridge between the company and any Supervisory Authority that oversees data-related activities.
The responsibilities of DPOs are outlined in Article 39 and include those mentioned above as well as the following: monitoring performance and providing advice on the impact of data protection; maintaining comprehensive records of all data processing activities conducted by the company, including the purpose of each processing activity, which must be made public on request; and interfacing with data subjects to inform them about how their data is being used, their right to have their personal data erased and what measures the company has put in place to protect their personal information.
According to a November 2016 study by the International Association of Privacy Professionals (IAPP), the requirement means that more than 28,000 DPOs would be needed in the EU, and worldwide at least 75,000 DPO positions would be created.
5. Breaches and DPIAs
If a company stores personal data in permanent storage, it will have to perform a data protection impact assessment (DPIA) before each project that uses the personal data of EU nationals. A DPIA is a mandatory requirement under Article 35 of the GDPR. It is an audit of the organization’s processes and procedures that measures how they might affect or compromise the privacy of the individuals whose data is stored, collected or processed.
A DPIA ensures compliance with applicable legal, regulatory and policy requirements about privacy. It determines the risks and effects and evaluates protections and alternative processes to mitigate the potential privacy risks.
Article 35 outlines some situations in which a DPIA is mandatory. One such case is when a company is processing a large amount of special categories of data or any personal data relating to criminal convictions. If the processing is based on automated decision making, including profiling, a DPIA is necessary. The Article also states that when there is systematic monitoring of a publicly accessible area on a large scale, a DPIA is required.
A DPIA isn’t needed if the processing is not likely to result in high risks to the rights and freedoms of individuals, or if the processing has already been authorized for similar operations. The same applies if the processing has a legal basis in EU or Member State law.
Article 33 of the GDPR also establishes rules for what must happen when a data breach occurs. The company that holds or processes EU citizens’ data will have to report a data breach to the Supervisory Authority (SA) with jurisdiction no later than 72 hours after becoming aware of it. The exception is if the breach is unlikely to result in a risk to the “rights and freedoms of natural persons.” If the notification to the SA is not made within the 72-hour period, it will have to be accompanied by the reasons for the delay.
The notification to the SA needs to include a description of the nature of the personal data breach including, where possible, the categories and approximate number of individuals and personal data records affected. It should also provide the name and contact details of the DPO or other contact information from which the SA can obtain more information. The notification should also describe the likely consequences of the personal data breach and the measures taken or proposed to be taken to address it, including measures to mitigate possible adverse effects. A company will have to document every personal data breach, including the facts relating to the breach, its effects and the remedial action taken.
If there is a high risk to the individuals whose data has been breached, then they too must be notified. Transparency is at the heart of the GDPR, so companies will have to maintain a clear audit trail and justify any security decisions made about the data they process or store.
6. Finally, non-compliance penalties
Companies can be fined up to 4 percent of annual global turnover or €20 million, whichever is higher, in the event that they don’t comply with the GDPR. This is the maximum penalty that can be imposed for the most serious infringements of the new data protection regulation, such as not having sufficient customer consent to process personal data or violating the core of privacy by design concepts.
On top of the aforementioned maximum fine in the GDPR, there is a second level – €10 million or 2 percent of global turnover. These penalties are for violations such as a company not having its records in order, not notifying the SA and data subjects about a breach or not conducting an impact assessment. It is important to note that these rules apply both to controllers, the ones that determine the purposes, conditions and means of the processing of personal data, and to processors, the ones that process the personal data on behalf of the controller – meaning “clouds” are not exempt from GDPR enforcement.