The General Data Protection Regulations (GDPR) affect a wide variety of organizations–not just businesses based in Europe. It is vital that you become familiar with them. The European Union's (EU) GDPR regulations were adopted in 2016 and become enforceable on 25 May 2018. In this article, I’d like to help inform and prepare you for working and complying with GDPR.
This post is based on notes I took at a talk given by a lawyer at TYPO3 Camp Venlo, 2018. While this post does not constitute legal advice of any kind (see disclaimer below), it does provide a helpful outline of what you need to be looking out for as we enter the GDPR era. At the time of publishing, none of this has been tested in the courts yet. It remains to be seen how the EU and its member states approach enforcing these regulations, but you should be aware of what’s coming.
The scope of the GDPR is exceptionally far-reaching and applies to activities–anything to do with customer data and communication–that most businesses do on a daily basis. Furthermore, it covers virtually all countries and data communications, whether digital or analog. It applies to organizations located:
in EER countries (all EU states, Norway, Iceland, and Liechtenstein).
outside of the EER, if they offer goods or services to, or monitor the behavior of, EU data subjects.
Concerns about exposing the details of people’s personal lives go back at least as far as the introduction of commercial mainframe computers and data processing in the 1960s. Both the right to privacy (essentially keeping your private life private) and the protection of personal data (name, address, date of birth, and any other particulars that define a specific individual) are enshrined in EU law, but the standard varies from country to country.
For example, The Netherlands and Germany hold citizens and companies to higher standards than do Spain and Italy, which has led to some confusion and complicated questions about jurisdiction and enforcement. For this reason, the EU decided to standardize the privacy regulations across all its member states. Hence the “General” in the General Data Protection Regulations name. The GDPR attempts to harmonize the laws regarding personal data in the EER and, most importantly, it gives consumers the means to enforce their rights.
While consumers previously did have rights set out in law, they had no effective means of enforcing them. The GDPR changes this, giving consumers mechanisms like the “Right to be Forgotten” and retroactively withdraw consent to share their data. The GDPR protects personal data like never before.
From a business point of view, the GDPR places a heavy burden on the commercial users of data in terms of compliance with the regulations. As a business, you need to take steps to manage and protect the data you collect or face stiff penalties.
Some relevant terms to understand in the context of GDPR:
The most important term in the regulations, “personal data” is broadly defined as including any information related to a person that can be used to directly or indirectly identify them. Personal data could be virtually anything from a name, photo, or email address, to bank details, posts on social networking websites, medical information, or a computer IP address. It is important to keep in mind that it covers both digital data and analog data. So it affects direct mailings and anything that you send out on paper just as much as email or personalization and targeting on web properties. Despite the examples below, the safest and easiest thing to do is to assume that everything is personal data.
Examples of personal data include profession, education, online behavior, tracking cookies, IP and MAC address, even x-rays, credit card data, location, contact banking and tax information, (and much much more). Interestingly, pharmaceutical research data is not personal data because it is typically randomized and therefore not identifiable.
Controlling and processing
These terms are also very broadly defined. “Controlling” and “processing” data include structuring, monitoring, controlling, altering, and even archiving and deleting data … pretty much anything you do with data. The EU has tried to encompass everything that can conceivably be done with personal data. Ironically, “stealing data” also falls within the definition and should also be registered accordingly … no, really.
The final important term that is “territory,” which is also broadly cast and means that anything or anyone that comes into contact with the EU or the EER has to comply with the GDPR. Setting up your company headquarters office in the USA or Australia will not exclude you from accountability. If you monitor end users or consumers in Europe, or if your servers are in an EU/EER country, the regulations apply to you. Even ships, planes, and embassies are accountable if they are registered in an EER country. This explicitly means that Google, Facebook and the like need to comply, and so do you if you collect or process data on EU/EER residents.
Although privacy laws were in place in the past, they did not hold companies who monitor and control data accountable. The GDPR introduces accountability that can, and very likely will be, enforced. Accountability in GDPR terms means registering your processes and being honest and transparent about what you do with data. You should be proactively presenting clear answers to questions about data like “Why you collect it, how you collect it, and how you protect it.”
Non-compliance can result in fines of up to €20 million or 4% of your net annual global turnover, whichever is higher. Many national authorities have already been established to enforce the General Data Protection Regulations in each country.
To carry out many controlling and processing actions, you need to have the user’s permission before executing it. Examples include monitoring data on a large scale and using tracking cookies.
Permission can be granted by an unambiguous statement (for example, an active “opt in” option, not selected by default) or by legal stipulation (certain activities, invoicing for example, require us to provide personal data). Permission must be explicit. General terms and conditions on a website only suffice if the user actively replies to them.
Once granted, a user can withdraw their permission at any time. Theoretically, they could give you their permission you now and retract it 5 minutes later. When a user withdraws their permission, you need to act upon this quickly, without restriction or limitation.
This regulation looks like it will have a substantial impact, but it is unclear at this stage how it will play out in practice.
The regulations introduce the concepts of privacy by design and default. These principles ensure the fallback option in any case maintains data security without needing manual changes and interventions.
"Privacy-by-design means that you are obliged to design your products and services in a way that ensures that personal data is as protected as possible. You are also not allowed to monitor or collect more data than is absolutely necessary."
"Privacy-by-default means that the strictest privacy settings should apply by default, without any input from the end user. In addition, personal data provided by the user should only be kept for the time necessary to provide the product or service."
Read more: What is Privacy by Design & Default?
Businesses who monitor and control a significant amount of data need to appoint a data protection officer to monitor and advise on privacy matters. The data protection officer (DPO) can be external or an employee of your company. The regulations state that the DPO must be given access to all data in your company. Organizations providing DPO training have emerged in the wake of the GDPR’s announcement. If your DPO is an employee, their activities as DPO must be independent of management or other internal influence. They may not be fired or disciplined for any actions they carry out as DPO.
Another important requirement of the GDPR is the duty to maintain a Data Register of all the data processing you execute in your business. Many everyday business actions–like archiving, deleting, structuring, and monitoring–amount to processing of data as defined by the regulations. Your register needs to contain a complete record of these actions. National authorities can ask to audit your data register, and you can be fined if you fail to maintain one, or if your register is incomplete or inaccurate.
Remember: Every. Little. Thing. you do with data is considered a process under GDPR, even deleting it, and must be included in your Data Register.
The final important concept introduced by the GDPR is the Data Privacy Impact Assessment. You must assess the impact of every new action in your business before you execute it. The full impact must be assessed in advance, and only executed if it does not break any of the rules. And every Data Privacy Impact Assessment must be included in your Data Register … and updated every time you do—or even plan—something new.
The EU seems to be of the opinion that less is more when it comes to collecting and processing personal data. The correct and permissible approaches under GDPR are not fully clear, and in this regard, the regulations might place a harsh practical strain on businesses.
The lack of practical guidelines and real-world examples at this stage make compliance with the GDPR burdensome–and practically speaking, impossible. Things will hopefully become more evident over time and businesses are well advised to follow GDPR developments in the news.
Get started on you Data Register as soon as possible so that you are at least aware of potential pitfalls. Doing this will go a long way to showing your national authority your goodwill in that you are attempting to comply as best you can with GDPR.
The EU GDPR Information Portal is a good source of the current state-of-knowledge regarding this regulation.
This post is based on a talk given by a lawyer at TYPO3 Camp Venlo, 2018. I am, however, not a lawyer! This post (and the talk it is based on) do not constitute legal advice, nor imply any level of completeness or comprehensiveness of information, nor offer binding recommendations relating to the General Data Protection Regulations (GDPR) or any other laws or regulations of any jurisdiction.