But, what is it really? And more importantly, why should you care?
The acronym GDPR stands for General Data Protection Regulation (Regulation (EU) 2016/679) and at its most basic, it specifies how user data should be collected, used, protected or interacted with in general. The intent here is to bolster and centralize data protection within the EU, putting personal data control back into the hands of all people whose personal data fall within its scope.
The GDPR is the biggest change to data protection in the region in 20 years and replaces the Data Protection Directive of 1995. The regulation was adopted in April 2016, and following a two-year transitionary period, it will be fully enforceable by May 25th, 2018 (meaning that you’re are expected to be GDPR compliant by that date!).
The short answer is most likely, yes. The GDPR applies to all government agencies, companies and organizations (including non-profits) and individuals that are based in EU; or access the data of people in the EU in anyway; or offer goods and/or services to people in the EU (even if the offer is for free).
This scope effectively covers almost all companies and, therefore, means that the GDPR can apply to you whether you’re located in the EU or not.
As a matter of fact, a recent PwC survey showed that GDPR is a top data protection priority for up to 92 percent of U.S. companies surveyed.
Personal data within the context of the GDPR refers to any data that relates to an identified or identifiable living person. This includes pieces of information that, when collected together, can lead to the identification of a person. This applies even to data that has been pseudonymized or encrypted as long as the encryption/ anonymization is reversible.
In terms of meeting data protection obligations under the regulation, it means that decryption keys will need to be kept separately from the pseudonymised data.
Examples of personal data include (but are not limited to) basic identity data such as names, health, genetic & biometric data, web data such as IP addresses, political opinions, and sexual orientation data.
Examples of non-personal data include company registration numbers, generic company email addresses such as email@example.com, and anonymized data.
Yes. The legal ramifications for non-compliancy include fines, sanctions (inclusive of audits) and potential litigation.
So it’s pretty important to be ready.
Special definitions used below:
*The term ‘user’ here means an individual whose personal data is processed by a controller or processor.
*The term ‘data controller‘ means any person or legal entity involved in determining the purpose and ways of processing the personal data.
*The term ‘data processor‘ means any person or legal entity involved in processing personal data on behalf of the controller.
(For example, an internet company may collect user information via their website and store it using a 3rd party cloud service. In this scenario, the internet company is the data controller and the organization running the cloud service is the data processor.)
Lawful basis for processing data (Article 6)
Under the GDPR data can only be processed if there’s at least one lawful reason for doing so.
The Lawful bases are:
Consent (Articles 7&8):
Consent obtained from users must be explicit and verifiable (opt-in). In getting consent for data use, you may not use overly complicated or indecipherable terms/ wording —this includes legalese and unnecessary jargon. This means that privacy notices must be laid out legibly (see ours here) using understandable language and clauses so that users are clear on what they’re consenting to. Consent for children under 13 must be given by a legal guardian using verification measures (e.g, control questions) and in general, it must be as easy for users to withdraw consent as it is for them to give it.
Because consent is such an important issue under the GDPR, it is mandatory that you keep detailed records of consent. The records should contain details of when and how consent was obtained and exactly what the user was told at the time.
Under the GDPR users have specific rights that must be honored. These include:
Privacy by design and default (Article 25):
Data protection should be included from the onset of design and development of the business processes and infrastructure. This means that privacy settings should be set to ‘high’ by default and measures put into place to make sure that the processing life cycle of the data falls within the GDPR requirements.
Maintain records of processing activities (Article 30).
In several specific cases, the GDPR may require that up-to-date records of the data processing activities being carried out are kept and maintained. These cases include situations where the processing can result in a risk to the rights and freedoms of individuals and where special categories of data are being processed.
Breach Notification (Articles 33&34):
If there is a data breach, the data processor will have to notify the controller immediately after becoming aware. The data controller must then notify the Supervisory Authority within 72 hours of becoming aware of the breach. Under this rule, users must also be informed of the breach (within the same time frame) unless the data breached was anonymized (for example via encryption).
Data Protection Impact Assessment (Article 35):
A data protection impact assessment (DPIA) is a process used to help organizations comply effectively with the GDPR and ensure that the principles of accountability, privacy by design and privacy by default are put in practice by the organization.
Generally speaking, the DPIA is only mandatory in cases where data processing activity is likely to result in a high risk for users (this is particularly applicable when introducing new processing technology). However, if unsure as to whether or not your processing activity falls within what is considered “high risk”, it is recommended that a DPIA be carried out nonetheless as it is a useful tool for ensuring that the law is complied with.
Appointment of Data Protection Officers (Article 37):
In public authorities (except courts/judicial authorities), organizations that systematically process personal data on a large-scale and in cases where special categories of data are being processed, a professional with expert knowledge of data protection law and practices must be appointed as Data Protection Officer (DPO). This officer should also be proficient in IT process management, data security and other critical issues surrounding the processing of personal and sensitive data.
Cross-border data transfers (Articles 44-50):
The GDPR permits data transfers of EU resident data outside of the European Economic Area (EEA) only when in compliance with set conditions. Under these conditions, the country or region the data is being transferred to must have an “adequate” level of personal data protection by EU standards, or where not considered adequate, transfers may still be allowed under the use of standard contractual clauses (SCCs) or binding corporate rules (BCRs). If transferring data outside of these conditions, informed consent must be received from the user —in which case the consent must be given on the basis of sufficiently precise information, including information on the lack of protection in the third country.
As with most new regulations, the GDPR has it’s pros and cons from a business point of view. Generally speaking, the new regulations will mean more restrictions on the commercial use of data and more initial spending of becoming compliant. However, in the long term, the regulation is intended to encourage innovation, reduce the cost of doing business in the EU, mitigate risks and associated potential costs, safeguard individual data security rights and encourage consumer trust.
In terms of compliance, some of the first logical steps are to:
Looking for more in-depth information on the GDPR? You’re welcome to join us at our up-coming webinar. It’s free to attend and you can have your most pressing questions answered. You can use this link to reserve your spot NOW (as our webinars often fill up quickly).