On May 25th of 2018, the General Data Protection Regulation (GDPR) goes into effect. This is a law passed in 2016 by the member states of the European Union that requires compliance with regard to how organizations store and process the personal data of individual residents of the EU. Now maybe you are thinking that this regulation does not apply to your organization because it is not based in the EU. Don’t stop reading just yet. This regulation applies to any organization that offers goods or services to EU residents and/or processes the personal information of EU residents, regardless of whether the organization is based in the EU or not. And the law does not apply only to the huge multinational companies of the world. It applies to small businesses as well. For example, consider an e-commerce business that sells Tshirts online, and it sells to people in the EU. Or perhaps an email marketing company that sends out periodic emails to EU citizens. Or even a message board website that allows users to create profiles and gathers personal information during the registration process. The GDPR would apply to all these businesses, no matter how big or small. This regulation is the biggest change to the protection of individual personal data in over twenty years and is far reaching in its scope. It is important to understand if and how it applies to your organization.
What Type Of Data Is Protected?
The GDPR is meant to protect the personal data and fundamental rights and freedoms of natural persons in the EU. It does this by requiring organizations to implement strict policies, procedures and technical controls when processing the personal data of EU citizens. The regulation defines the term “personal data” very broadly. According to the regulation, personal data means “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Examples of personal data would include name, email address, IP address, physical address, photos, gender, health information and national identification number.
The term processing is also defined very broadly. According to the GDPR, processing means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Examples of processing would including simple storage of the data, sending out marketing emails, collecting personal data when a visitor places and order, processing a credit card transaction, and any other type of storage, processing or manipulation of personal data that occurs during the normal course of business.
Finally, the regulation applies to both the automated processing of data as well as the processing of data by non-automated means. In short, the regulation applies to both digital and non-digital forms of data. Examples of non-digital forms of data would include hard copies of contracts, health records, marketing information and any other type of medium containing the personal data of EU citizens.
Which Organizations Are Affected?
According to Article 3 of the GDPR, the regulation “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” Furthermore, it applies “to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: 1) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or 2) the monitoring of their behaviour as far as their behaviour takes place within the Union.” Finally, the regulation states that it “applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”
So what does all this mean? First, if your organization collects personal data or behavioral information from someone residing in an EU country when the data was collected, your company is subject to the requirements of the GDPR, regardless of whether or not your organization is based in the EU, or even has a presence in the EU. Second, the law does not require that a financial transaction has to to take place for the scope of the law to kick in. If an organization simply collects the personal data of EU persons, then the requirements of the GDPR apply to the organization, even if the organization is based outside the EU. In sum, if your organization sells or markets goods or services to EU countries, or if your organization collects the personal data of people living in the EU, then the GDPR applies to your organization regardless of whether the organization has a presence in the EU or not.
What AreThe Requirements?
The overarching goal of the GDPR is the protection of the personal data of EU citizens. As such, the GDPR requires that organizations take measures to ensure that they are implementing policies and controls that will reduce the risk of potential data breaches and will also provide transparency to the data subjects. Below is a list of the most prominent provisions of the GDPR:
- Lawful Basis for Processing – Before an organization can begin processing the personal data of EU citizens, it must first determine if it has a lawful basis to do so. The GDPR outlines six reasons for lawfully processing personal data such as legal obligations, contracts or vital interests. The most common lawful basis that most businesses will rely on is consent from the data subject. The manner for obtaining consent must be clear, concise and transparent. It also must require subjects to explicitly opt-in, not opt-in by default. It is extremely important for each organization to determine the basis on which it may lawfully process the personal data of the subjects.
- Privacy and Security – Organizations that collect the personal data of EU citizens may only store and process data when it’s absolutely necessary. Data protection and privacy must be integrated into an organizations data processing activities (privacy by design). Furthermore, organizations must provide protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical and/or organizational measures are used including a method to anonymize data so that it cannot be tied back to a specific individual (e.g. data encryption). Organizations must also perform a data protection impact assessment (DPIA) for certain types of processing that is likely to result in a high risk to individuals’ interests. Finally, depending on the scale of personal information an organization processes, a data protection officer (DPO) must be assigned within the organization to ensure compliance with the GDPR.
- Individual Rights – Data subjects have a number of individual rights according to the GDPR. Mostly importantly, individuals have the right to be informed about the collection and use of their personal data. This includes informing them of the reason for processing their data, the retention policy for storing the data, and who it will be shared with. Organizations must provide an individual residing in the EU with access to the personal data gathered about them upon request. Data subjects have the right to request that their data be erased (known as the “right to be forgotten”). Organizations have one month to respond to such requests. Finally, organizations must provide a way for individuals to transmit or move data collected on them from one data collector or data processor to another.
- Breach Notification – The GDPR requires organizations to report data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, the organization must also inform those individuals of the breach “without undue delay”. As a result of the requirement, organizations will need to ensure that they have a robust breach detection, investigation and internal reporting procedure in place. Finally, organizations must keep a record of all data breaches regardless of whether or not notification of any particular breach is required.
- Minors – Children are provided additional protections under the GDPR and organizations that collect the personal data of minors must take special care when doing so. When offering an online service directly to a child, only children aged 13 or over are able provide their own consent. For children under age 13, an organization must also obtain the consent the child’s parent or legal guardian. Children merit specific protection when an organization uses their personal data for marketing purposes or creating personality or user profiles. Organizations must write clear privacy notices for children so that they are able to understand what will happen to their personal data, and what rights they have.
What Are the Penalties for Noncompliance?
The fines associated with noncompliance with the GDPR can be quite substantial. The regulation has a two tired system for determining fines based on the severity of the infraction(s). Before assessing fines the supervisory authority may take into account the nature, gravity and duration of the infringement. They may also determine if an organization was willfully negligent. Cooperation with the supervisory authority may also be taken into account when assessing fines. Below are the guidelines stated in the GDPR with regards to the assessment of financial penalties for noncompliance:
- Infringements that may be subject to administrative fines of up to 10,000.000 EUR or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
- Violations of the provisions regarding data security obligations and privacy-by-default measures that need to be taken to protect data from unauthorized access
- Not having an assigned DPO or the DPO not fulfilling her obligations
- Violations of the DPIA requirement
- Violations of the requirement to conclude a processing agreement with all data processors that are engaged by an organization
- Violations of the requirement to keep a record of the processing activities carried out
- Infringements that may be subject to administrative fines of up to 20,000,000 EUR or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher:
- Violations of the basic principles for processing personal data (e.g. lawful basis for processing)
- Violations of provisions regarding a data subject’s rights such as the right to erasure, access to personal data and the right to receive information regarding the processing of personal data
- Violation of the provisions regarding the transfer of personal data to third countries
- Noncompliance with an order by a supervisory authority
In addition to the fines outlined above, each EU member state shall also have the right to implement its own fines with regards to noncompliance. Moreover, they may also implement criminal penalties for violations.
How is the GDPR Enforced?
For those organizations that are based in the EU or who have a legal presence in the EU (e.g. a multinational corporation with an office in an EU member state), the GDPR will be enforced directly by the EU member states’ authorities and their court systems. For organizations that are not based in the EU and also do not have a physical presence in the EU, the GDPR requires them to appoint a “representative” who is located in the EU if the organization is actively doing business in the EU. Presumably this representative will allow the EU to enforce the regulation on such entities. Finally, the GDPR can be enforced through international law. Written into GDPR itself is a clause stating that any action against a company from outside the EU must be issued in accordance with international law. There has been long term and increasing enforcement cooperation between the United States and EU data protection authorities. For example, there is the EU-U.S. Privacy Shield data sharing agreement which puts systems in place for the EU to issue complaints and fines against U.S. companies. In sum, there are a variety of mechanisms in place for the EU to enforce the GDPR against organizations based outside the EU.
What to Do?
If you are an organization that falls under the scope of the GDPR, then it is in your best interest to comply with the regulation, even if you are not based in the EU and do not have a physical presence there. If you are already processing the data of EU citizens, or plan to in the future, making sure your organization is compliant is good business. Putting the fines aside, residents of the EU will want to make sure that any company they are doing business with is in compliance. Moreover, the privacy and security policies and controls required will help reduce the risk to your organization. There are also potential cost savings by reducing ROT data (redundant, outdated or trivial) in terms of storage and backup costs. Being compliant may also give you a business advantage over competitors who are not. One of the things that will likely come out of this regulation is a GDPR certification. Businesses who obtain such a certification may be able to display a certification seal on their website and other marketing material which will provide confidence to potential customers. Finally, expect your business partners to start requiring GDPR compliance even if you are not directly impacted. GDPR compliance is here to stay. Given the current events around online privacy in the United States (e.g. Facebook data disclosure), it is not inconceivable that the U.S. could also pass a similar regulation to protect individual privacy. Embracing the GDPR will only help your organization in the long run.