One of the most important influences for business owners is governmental changes in legislation. And a piece of new legislation is about to be put into effect in the European Union, or EU.
This legislation is the General Data Protection Regulation, also known as GDPR, and it comes into effect on 25 May 2018. GDPR was originally proposed in 2014, and up until April 2016 Parliament worked on creating a piece of comprehensive data protection legislation.
Basically, if you do business in or with the EU, you need some clear, concise information about how this law works. Otherwise, if your business is in non-compliance, heavy fines await you.
The aim of this blog post is to break down, in simple terms, what exactly each of the new requirements is, along with some tips for how to become compliant with them before the deadline.
As always, consult with your lawyer if you want specifics on how the new regulations are likely to affect you. Also note that this post does not constitute legal advice but simply serves as a guide to get your feet wet about all the new changes with GDPR.
But first, a brief history. According to the dedicated website, GDPR is designed to defend EU citizens against any potential online threats. The online sphere has changed since 1995, when the Data Protection Directive 95/46/EC was enacted. Data privacy as a whole still remains the focus. However, there are multiple changes to the regulations associated with how the EU protects citizens’ data.
In the past, there was a lot of legwork that went with data protection. Local Departments of Political Affairs, or DPOs, needed to approve any data processing done by data controllers. This consisted of sending new notifications or registrations to every DPO. If you own a multinational company, you know how much of a nightmare that was if you did business in the EU. Most Member States had varying requirements for notification.
However, GDPR is changing much of that. Many of the sweeping changes are listed below.
A Larger Range of Influence
If you run a business outside of the Union, get ready for some changes. The enforceable range of the GDPR is one of the larger changes to come from the law.
GDPR affects all companies that process the personal data of citizens in the EU, wherever that company resides. Before GDPR came into effect, jurisdiction over data protection was not clear and was often situational. Now, however, any personal data processing by controllers and processors residing in the Union is subject to GDPR. It doesn’t matter whether or not those individuals or companies are also in the Union. Operations that are outside of the Union technically face fewer restrictions, but not by much.
Any business offering services or goods (whether or not they require payment) in the EU is subject to the GDPR. Businesses that engage in behaviour monitoring in the Union are also subject to the GDPR.
A representative in the EU is also required for businesses who process EU citizens’ data.
You know those really long Terms of Service that appear before using a digital product? Under GDPR, those are looking at some changes. Although longer Terms of Service are likely to always exist, what goes into the Terms of Service and when they’re seen is now more regulated by GDPR.
Citizens of the EU now must fully understand what they agree to. In addition, the reason why data processing is required now must be present in the consent given.
Additionally, users must now affirmatively give consent, rather than passively doing so. To give an example, when presented with a check box on a website, the user must tick the box themselves, affirming their consent. The box cannot be pre-checked for the user. That would be an example of passive consent.
The subject giving consent must be discernible from other matters in legal documents. The client’s consent must be provided in a form that is both intelligible and accessible.
An important exception to note is that there are six lawful reasons to hold personal data which are as good as a user’s consent. These are contracts, legitimate interests, vital interests, public tasks, legal obligations and member state derogations (which includes investigative journalism, negotiations, and other matters of that nature).
Finally, the subject has to be able to withdraw consent as easily as they gave it. A good piece of advice is to dedicate a process to this; for example, you could set up a web page on your web site that explains the process to the user, asks them if they are sure if they wish to have their data deleted, and then submits the request that the user’s data needs to be erased.
If you are not compliant, the highest fine that can be levied against you under GDPR is 4% of your annual global turnover or €20 million, whichever amount is higher.
Now, before you start hyperventilating, let’s be clear. In all likelihood, a lower fine would apply to you unless you break a very important rule. For example, you could be fined for not having valid consent as defined by GDPR before processing personal data.
Designed for Privacy
Though the EU has always held privacy as an essential right, the GDPR ensures that organisations and companies have safeguards in place to protect privacy. Under GDPR, controllers need to design data systems with data protection in mind. This is instead of controllers tacking it on as an afterthought.
Also, controllers can only hold and process the data that is necessary for the purpose of the processing. Identifying data, such as race, religion, political affiliation, and ethnicity, is to be collected as little as possible. Companies that process more data than is needed are opening themselves up to some pointed questions from the Information Commissioner’s Office.
Data Protection Officers
The previous system of approval for data-processing activities was inefficient to say the least. Now, under GDPR, companies hire or appoint data protection officers, or DPOs, to keep records internally. Though they can be employees of the company, it is not recommended, because that could result in a conflict of interest, more of which is covered below.
DPO appointment is mandatory only for controllers and processors who regularly and systematically monitor data subjects “on a large scale”, as the GDPR says in Article 37(1)(b). DPO appointment is also mandatory for those who manage data related to criminal convictions or offences.
Here is a list of DPO responsibilities.
- The DPO must be an expert on data protection law.
- The local authorities in the province of your company need to receive the officer’s contact information, as stated in the GDPR in Article 37(7).
- The officer needs relevant resources from the data processors and controllers to do their job and keep up to date with developments in their field.
- The DPO must report to the highest manager of your company and no one else.
- DPOs cannot perform tasks that cause a conflict of interest. For example, if the DPO is a controller processing data, he or she may be tempted to steal or misuse the data being processed. Alternatively, if the DPO is a subordinate of another manager, that manager could use the subordinate’s position as a DPO to manipulate the data.
Cloud storage, cloud servers, and cloud applications are not outside GDPR’s consideration and enforcement. These cloud applications include services such as Dropbox and WeTransfer. If you use the cloud, here are a few suggestions to become GDPR-compliant.
- Ensure that any cloud service that your company uses has airtight security. If an application does not meet the bar, either migrate to a similar application with better security or put in place security measures for when a breach happens.
- Create a data-processing agreement with the companies that you decide to work with. The agreement should ensure somewhere that both companies are GDPR-compliant, or that they both work to become so as soon as possible.
- Talk with the companies that you have created the agreements with and make certain that they only collect and process the bare minimum of personal data. They should also limit “revealing” data, which includes information such as race, religion, ethnicity, or political affiliation.
- Finally, look over the Terms of Service of the application and check to see if a user’s data is deleted upon the deletion of the application. You do not want the information that you have collected from users hanging around cyberspace. The faster that they delete the information that you have stored, the better it is for you and your company.
- Ensure any processors you use who have servers based in the US have valid certificates under the EU-US Privacy Shield agreement. (You can find this out by checking this website https://www.privacyshield.gov/list).
The primary rules for which the government could fine you for non-compliance are below. Keep in mind that the rules here apply to controllers and processors slightly differently. Data processors act under the authority of your company’s instructions; data controllers act on their own, in compliance with the GDPR (so, more than likely, you!). These new rules are in accord with the new rights that data subjects have, including breach notification, the right to access, the right to be forgotten, and data portability.
Rule: Breach Notification
From time to time, you hear about giant data leaks in the news. These leaks are almost always followed by a rush from the affected to change their passwords and secure their accounts. Though leaks could always happen, your company’s potential response is changing thanks to GDPR.
Your company must notify customers of any breach within 72 hours of becoming aware of it. Your company must alert the Information Commissioner’s Office about the breach as well. Your company’s data processors must notify the affected customers. You must alert them without any undue delay on your company’s part after you become aware of the issue.
Rule: The Right to Access and the Right to Be Forgotten
These two rights are a big part of the expansion of data subject rights. It’s appropriate that you hear about them first.
- For the first right (the right to access), companies must be able to provide information about personal data, including whether it is being processed, why, and where. Data controllers must also provide a free copy of any personal data in electronic format.
- The second right (the right to be forgotten) can also be called data erasure. This right allows data subjects to contact data controllers to do three things: erase their personal data, prevent any further spread of that data, or potentially prevent third parties from processing that data.
A withdrawal of consent from the subject or an outdated purpose for processing are both valid reasons for a subject to request erasure. However, there is an exception to this. Data controllers are required by this right to consider and compare the person’s rights to any interest from the public in the data’s availability before commencing erasure.
Rule: The Right of Data Portability
There is a brief, yet important, right outlined by GDPR that bears mentioning. It is the right for subjects to receive personal data related to them that they previously gave in a common, machine-readable format. They then possess the right to send the data to a different controller.
Putting It into Practice
Although there have been some tips included within these past few points, all of this still probably seems pretty complicated. A couple of possible real-world examples may help.
Say (like us) you run a digital marketing business. Your website also has a newsletter that helps customers stay on top of recent events. However, your newsletter hasn’t quite got off the ground, so you want to boost it. You create a check box that pops up asking if users want to subscribe. If you do this, you cannot pre-check the boxes. Doing so would violate the GDPR. The users must check the boxes themselves.
The key here is that users must now choose to opt-in, rather than choosing to opt-out when relying on consent. Alternatively, you could potentially rely on one of the aforementioned alternatives to consent, which, as a reminder, are contracts, legitimate interests, vital interests, public tasks, legal obligations and member state derogations.
Speak with your lawyer about conducting a Legitimate Interest Assessment to find out if you can hold that personal data based on your legitimate interest in a given data subject.
For another example, say that you are the owner of a prominent prison in the EU. An ex-convict contacts one of your data controllers, requesting that his or her data be erased. What should you do? Well, at first you may think that you are obliged to submit to the request. However, the GDPR does allow data controllers to decide whether to honour a request like that based on whether erasure is good for the public. So, in this scenario, keeping the ex-convict’s data is probably in the public’s best interest. Therefore, you could safely deny the request.
Let It Settle
Oh, there is one last thing that hasn’t been mentioned yet. Do not panic. If you start to panic, you are more likely to make mistakes. There are eighty-eight pages’ worth of material to go through and apply, and the EU’s courts should start to iron out any discrepancies that exist within the document.
Ultimately, education is key and if you continue to stay informed, current, and lawful regarding GDPR, you should emerge unscathed by all the new changes. One concrete way that you can prepare is by training all of your employees in accord with the newly revised Privacy Standard. If you can do that, you are well on your way to getting through this change.