GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679) and, at its most basic, it specifies how personal data should be lawfully processed (including how it’s collected, used, protected or interacted with in general). It’s intended to strengthen data protection for all people whose personal information falls within its scope of application, putting control of personal data back into their hands.
The GDPR can apply where:
This scope effectively covers almost all companies and, therefore, means that the GDPR can apply to you whether your organization is based in the EU or not. As a matter of fact, this PwC survey showed that the GDPR is a top data protection priority for up to 92 percent of U.S. companies surveyed.
The GDPR becomes enforceable starting from May 2018.
*For example, an internet company may collect user information via their website and store it using a 3rd party cloud service. In this scenario, the internet company is the data controller and the organization running the cloud service is the data processor.*
Lawful basis for processing data
Under the GDPR data can only be processed if there’s at least one lawful basis for doing so.
The lawful bases are:
Organizations must get verifiable consent from users.
Regarding consent for children, organizations are required to get verifiable consent from a parent or guardian unless the service being offered is a preventative or counseling service. Organizations must make reasonable efforts (using available technology) to verify that the person giving consent actually holds parental responsibility for the child.
In general, when getting consent for data processing, organizations may not use overly complicated or indecipherable terms. This includes legalese and unnecessary jargon. This means that terms and privacy policies should be laid out legibly (see ours here) using understandable language and clauses, so that users are fully aware of what they’re consenting to and what the consequences of their consent are. Organizations must be transparent about the purpose of the data collection, and consent must be “explicit and freely given”. This means that the mechanism for acquiring consent must be unambiguous and involve a clear “opt-in” action (the regulation specifically forbids pre-ticked boxes and similar “opt-out” mechanisms). The regulation also gives a specific right to withdraw consent; it must, therefore, be as easy to withdraw consent as it is to give it.
Because consent under the GDPR is such an important issue, it’s mandatory that you keep clear records and that you’re able to demonstrate that the user has given consent; should problems arise, the burden of proof lies with the data controller, so keeping accurate records is vital. The records should include:
For an example of compliant record-keeping vs non-compliant record-keeping, see the following table:

| Non-compliant record keeping | Compliant record keeping |
| --- | --- |
| Simply keeping a spreadsheet with customer names and whether or not consent was provided | Ensuring that you keep a copy of the customer’s signed and dated form which shows the action taken by the customer to provide their consent to the specific processing. |
*A note on consent: it is not the ONLY basis that an organization can choose to process user data; it is only one of the “Lawful Bases”, therefore companies can apply other lawful (within the scope of the GDPR) bases for a data processing activity. With that said, there will always be data processing activities where consent is the only or best option.*
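The consent requirements above (an explicit opt-in action rather than a pre-ticked box, withdrawal as easy as giving consent, and records that let the controller demonstrate consent) can be enforced in code. The following consent ledger is an added illustration, not code from the original article or from iubenda; the record fields (subject id, purpose, hash of the notice shown, the opt-in action, timestamps) are this example's own assumptions about what a demonstrable record needs, and timestamps are passed as ISO 8601 strings.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from hashlib import sha256
from typing import List, Optional


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str                # the specific processing the subject agreed to
    given_at: datetime
    notice_sha256: str          # hash of the exact notice shown, so the wording can be reproduced
    opt_in_action: str          # the affirmative action the subject took (never a default)
    withdrawn_at: Optional[datetime] = None


def _ts(iso: Optional[str]) -> datetime:
    """Parse an ISO 8601 timestamp (assumed timezone-aware), defaulting to now (UTC)."""
    return datetime.fromisoformat(iso) if iso else datetime.now(timezone.utc)


class ConsentLedger:
    def __init__(self) -> None:
        self.records: List[ConsentRecord] = []

    def record_consent(self, subject_id: str, purpose: str, notice_text: str,
                       opt_in_action: str, pre_ticked: bool = False,
                       when: Optional[str] = None) -> ConsentRecord:
        # Opt-out mechanisms (pre-ticked boxes) and missing actions are refused outright,
        # so the ledger can never hold a record that is not an explicit opt-in.
        if pre_ticked or not opt_in_action.strip():
            raise ValueError("consent needs an explicit, unambiguous opt-in action")
        rec = ConsentRecord(subject_id, purpose, _ts(when),
                            sha256(notice_text.encode()).hexdigest(), opt_in_action)
        self.records.append(rec)
        return rec

    def withdraw(self, subject_id: str, purpose: str, when: Optional[str] = None) -> int:
        """Withdrawal is one call with no extra conditions; returns the records closed."""
        closed = 0
        for r in self.records:
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = _ts(when)
                closed += 1
        return closed

    def has_consent(self, subject_id: str, purpose: str, at: Optional[str] = None) -> bool:
        """Demonstrate whether consent for this purpose was in force at a given moment."""
        t = _ts(at)
        return any(r.subject_id == subject_id and r.purpose == purpose and r.given_at <= t
                   and (r.withdrawn_at is None or r.withdrawn_at > t)
                   for r in self.records)
```

Because withdrawal closes a record rather than deleting it, the ledger can still show that consent was in force on an earlier date, which is what the burden of proof on the controller requires.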
Another EU law worth mentioning here is the ePrivacy Directive (also known as the Cookie Law). This law still applies, as it has not been repealed by the GDPR. In the future, the ePrivacy Directive will be replaced by the ePrivacy Regulation, which will work alongside the GDPR; the upcoming regulation is expected to uphold the same values as the directive. The Cookie Law requires users’ informed consent before storing cookies on a user’s device and tracking them. You can read more about the Cookie Law here.
Cross-border data transfers
The GDPR permits data transfers of EU resident data outside of the European Economic Area (EEA) only when in compliance with set conditions. Under these conditions, the country or region the data is being transferred to must have an “adequate” level of personal data protection by EU standards, or where not considered adequate, transfers may still be allowed under the use of standard contractual clauses (SCCs) or binding corporate rules (BCRs).
Regarding data transfers to the US, all transfers require either that the data processor adhere to the EU-US Privacy Shield or that informed consent is received from the user (in which case the consent must be given on the basis of sufficiently precise information, including information on the lack of protection in the third country).
The Privacy Shield is a binding legal framework which was put in place to help protect EU users’ rights while allowing US companies to handle EU users’ data without prior consent. You can read more about the EU-US Privacy Shield here.
Privacy by design & default
Data protection should be included from the outset of the design and development of business processes and infrastructure. This means that privacy settings should be set to ‘high’ by default, and measures put into place to make sure that the processing life cycle of the data falls within the GDPR requirements.
The data controller must notify the Supervisory Authority within 72 hours of becoming aware of a data breach. If the processing is carried out by a processor on behalf of the controller, the data processor will have to notify the controller immediately after becoming aware of it. Under this rule, users must also be informed of the breach (within the same time frame) unless the breached data was protected by encryption (data rendered unreadable for the intruder), or, in general, the breach is unlikely to result in a risk to individuals’ rights and freedoms. In any case, the data controller should keep records of any breaches that have occurred in order to be able to demonstrate compliance with these provisions to the supervisory authority.
Data Protection Officers
The Data Protection Officer (DPO) is a person with expert knowledge of data protection law whose role includes assisting the controller or processor in monitoring internal compliance with GDPR regulations and overseeing data protection strategy and implementation. The DPO should also be proficient in IT process management, data security and other critical issues surrounding the processing of personal and sensitive data.
GDPR requires designation of a DPO specifically in the following cases:
The appointment of a DPO is therefore not just based on the actual number of employees but on the essence of the data processing activity. If your organization falls outside of these categories, then it is not mandatory that you appoint a DPO.
Maintaining records of processing activities
The GDPR requires that both data controllers and data processors keep and maintain up-to-date records of the particular data processing activities they are carrying out.
Generally, this requirement only applies to organizations that have more than 250 employees, however, it can still apply to organizations with fewer than 250 employees if their processing activities:
The records of processing activities must be in writing. While both paper and electronic forms are acceptable, it is best practice to use an electronic method of record-keeping so as to facilitate easy amendments.
Records of the data controller should include:
Records of the data processor should include:
Regarding record keeping, you may find it useful to do regular information audits on what data your organization holds. Not only does this practice help you to readily meet your record-keeping obligations, but it also makes it easier for you to review and optimize your data processing procedures.
Data Protection Impact Assessment (DPIA)
A data protection impact assessment (DPIA) is a process used to help organizations comply effectively with the GDPR and ensure that the principles of accountability, privacy by design and privacy by default are put in practice by the organization. The DPIA process should be recorded in writing. While publishing the DPIA is not a legal requirement of the GDPR, it is suggested that data controllers consider publishing all or part of their DPIA as a gesture of transparency and accountability, especially in cases where members of the public are affected (for example, where a public authority carries out the DPIA).
An effective DPIA is useful in meeting the requirement of “Privacy by design” as it makes it possible for organizations to find and fix issues at an early stage, thus mitigating both data security risks for users, and the risk of fines, sanctions and reputation damage that might otherwise occur to the organization. Generally speaking, the DPIA is only mandatory in cases where data processing activity is likely to result in a high risk for users (this is particularly applicable when introducing new processing technology). However, if unsure as to whether or not your processing activity falls within what is considered “high risk”, it is recommended that a DPIA be carried out nonetheless as it is a useful tool for ensuring that the law is complied with.
“High risk” data processing activities include:
DPIAs can also be required in other circumstances (based on a case-by-case evaluation), including but not limited to processing data concerning vulnerable persons (e.g. children, the elderly), data transfers across borders outside the EU, and data that is being used in profiling (e.g. credit scores). You can read more about the criteria here [PDF].
The DPIA should include:
The legal consequences for non-compliance can include fines of up to EUR 20 million (€20m) or 4% of annual worldwide turnover (whichever is greater), but perhaps equally concerning are the other potential sanctions that may be imposed on organizations found to be in violation. These sanctions include official reprimands (for first-time violations), periodic data protection audits and liability for damages.
The GDPR gives users the explicit right to file a complaint with a supervisory authority if they feel that any processing of their personal data was done in violation of GDPR regulations. So for example, if a report is made to the authority about an instance of regulatory violation, the authority may choose to perform an audit of the organization’s data processing operations. If it’s found that some processing activity was done unlawfully, not only is a fine imposed, but the organization may be forbidden from making further use of both the data of the inquiry and data acquired using similar mechanisms. This means that if the improper use was in regards to email address collection, the organization risks being barred from using the entire associated email list.
The GDPR also gives users the right to compensation for any damages resulting from an organization’s non-compliance with the regulations, thereby leaving violators open to potential litigation.
In terms of compliance, one of the first logical steps is making sure that your documents are up to regulation. At iubenda, we take a comprehensive approach to data law compliance. We build solutions with the strictest regulations in mind, giving you full options to customize as needed. This way, we’ll assist you with meeting your legal obligations, reduce your risk of litigation and protect your customers, building trust and credibility.
Here’s what you need to get started with full compliance:
Please note that from time to time, laws are amended and updated. It’s therefore important to ensure that your policies meet the latest requirements. For this reason, we use embedding options and NOT copy & paste. With this method, you can rest assured that your policy is up to date and being maintained remotely by our legal team.