In May this year, we saw the most groundbreaking change in Europe’s privacy legislation in over two decades – the General Data Protection Regulation (GDPR). The GDPR introduces a completely revamped framework for consent, data protection and transfer of data to non-EU countries.
The GDPR will impact every entity that holds or uses European personal data both inside and outside of Europe, even if they do not have a business presence within the EU.
Companies that collect data on citizens in European Union (EU) countries need to comply with strict new rules on protecting customer data; the deadline to comply with its new provisions passed on 25 May 2018, when the GDPR entered into force.
Companies (and organisations) will face a more restrictive environment when it comes to handling, storing and sharing of personal data.
The compliance standards are difficult to meet and GDPR leaves much to interpretation. Add to that the threat of enormous fines – up to €20 million in some cases – and it won’t be difficult to understand where all this commotion comes from.
In some cases, the changes you’ll have to make will be comprehensive, so it’s best to start preparing as soon as possible. To help you out, we’ve put together a handy guide that gives you a quick overview of what to expect.
What is the GDPR?
The GDPR is a new data and privacy protection law that will apply in all 28 EU member states.
The provisions are consistent across all 28 EU member states, which means that companies have just one standard to meet within the EU. However, the bar for compliance is set quite high. The GDPR will certainly require most companies to make a large investment if they wish to meet the new requirements.
The Regulation entered into force on 25 May 2018, and unlike the Data Protection Directive it replaces, it requires no further action from national parliaments in order to become law. It applies directly in every EU member state.
Why the GDPR?
The EU aimed to give users more rights over how their data is used – or, currently, often misused.
According to a Eurobarometer survey, over 4 in 10 users fear having their personal information used without their knowledge.
RSA Security LLC, an influential US security company, also showed in its Data Privacy & Security Report that consumers do care a lot about privacy issues. They surveyed 7,500 consumers in France, Germany, Italy, the UK and the U.S.
4 in 5 cited a loss of banking and financial data as a top concern, and 76% were concerned with losing their security information (e.g. passwords) and identity information (e.g. passports or a driving licence).
An alarming figure for companies that deal with consumer data is that 62 percent of the respondents would blame the company instead of hackers for data loss in the case of a breach. The authors noted that, “As consumers become better informed, they expect more transparency and responsiveness from the stewards of their data.”
The key fact is that customers won’t forgive companies that lose their data:
- 72% of US respondents said they would boycott a company that appeared to disregard the protection of their data
- 50% of all respondents said they would be more likely to shop at a company that could prove it takes data protection seriously.
This proves that GDPR compliance is not only a regulatory requirement, but also comes with clear competitive advantages over companies that aren’t as privacy aware.
“As businesses continue their digital transformations, making greater use of digital assets, services, and big data, they must also be accountable for monitoring and protecting that data on a daily basis,” the report concluded.
Who does the GDPR apply to?
GDPR protects EU data so all companies handling EU data are affected – regardless of where they are located.
Simply put, if you process any data originating from the EU, you must comply with the GDPR – which in most cases includes doing business with the EU. This rule also applies to non-profits and public bodies that process personal data of EU residents. Likewise, both small business and large corporations are ‘on the hook’.
In practical terms, if you have a web-shop that sells to EU citizens, or if your website has EU users, you should start preparing. Even US companies have recognized the need for GDPR compliance: According to a PwC survey, 92 percent of US companies consider GDPR a top priority, and a further 85 percent fear the GDPR could put them at a disadvantage when competing with EU companies.
I think I am exempt from the GDPR!
The exemption applies only to companies that both process personal data only occasionally and don’t process sensitive personal data. Even though a significant proportion of companies feel that the GDPR does not apply to them (up to 40%, by some surveys), the real figure is more likely to hover around 5%. Most companies really do process personal data on a significant enough scale that the GDPR will certainly apply to them.
What data does the GDPR protect?
The GDPR applies only to personal data. For non-personal data, other basic data protection laws apply, if any. GDPR does not cover anonymous data.
The GDPR treats as personal data all information from which an individual can be identified with reasonable accuracy. The scope of the definition has not changed much from the currently existing legislation, except for the addition of online identifiers.
Personal data encompasses information such as:
- Basic information – names, ID number, location data
- Credit card information
- Health data (disabilities, mental condition, medical history)
- Biometric data (iris scans, fingerprints, etc.)
- Genetic data
- Religious affiliation
- Philosophical beliefs
- Ethnic origin
- Economic data
- Trade union membership
- Psychological condition
- Sexual / gender preferences
- IP addresses
- Personal e-mails
- Browser cookies
- Pseudonymized data
Of these, health, biometric, genetic, religious, philosophical, ethnic-origin, trade union, psychological and sexual-orientation data are the special (protected) categories of personal data, which are subject to stricter rules.
This is not an exhaustive list of all data that is considered personal. As per the definition in the GDPR, personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
Companies that personal data is handed over to, and that decide why and how it is processed, are considered data controllers; they give instructions for its processing to data processors, who carry out processing activities on behalf of the data controller. In most cases, these two will be the same entity, but they need not be – cloud providers are a prime example of third-party data processors.
How do I comply?
The GDPR sets out a myriad of new obligations and requirements, but here are the basics:
Keep it transparent
You have to be proactive when it comes to keeping data subjects informed of their rights and ways to protect them:
- create a privacy policy document describing all subjects’ rights in detail
- dedicate a separate page to your privacy policy and make it easily accessible
- keep the language of your notices and policies plain and simple
- translate this information to all languages you do business in
- keep data subjects informed of your cookie policies
Stick to the principles
The GDPR outlines several principles relating to processing of personal data. These principles should be your ultimate guide when deciding which personal data you collect, how you handle it, and what you do with it after it is no longer needed. In that respect, you should always:
- process data on a lawful basis, fairly and in a transparent way in relation to the data subject
- explicitly specify legitimate purposes for data collection and processing
- collect only such data that is relevant and necessary for the purposes for which they are processed
- keep your data accurate and up to date
- store personal data for no longer than is necessary for the purposes for which they are processed
- protect personal data against unauthorised or unlawful processing, accidental loss or destruction
- be able to demonstrate compliance with the above principles
Consent is king
Consent is just one of the lawful bases that you can use for processing of personal data, but when you do use it, you should make sure to:
- serve a consent notice at the time of collecting data
- require a positive action from the data subject to consent (explicit opt-in)
- make it easy for data subjects to withdraw consent
- ask for explicit consent if collecting special categories of personal data
Respond to data subjects’ requests
Informing data subjects of their rights is not enough. You have to give your best to accommodate data subjects’ rights and respond without undue delay to their requests to:
- know if you process data concerning them, and to access such data
- restrict processing of their data (e.g. if lawfulness of such processing is contested)
- rectify inaccurate personal data concerning them
- receive their own data in a commonly used and machine-readable format
- transport their data to another data controller
- stop processing of their data for direct marketing purposes
- object to automated decision-making
- erase all data concerning them
Also, remember to communicate any rectification or erasure of personal data, or restriction of processing, to all recipients to whom this personal data has previously been disclosed.
Internal policies, third-party contracts and agreements
Make sure you do a thorough review of all your written documents that pertain to the use and sharing of personal data:
- review and revise contracts with your data processors and third-parties
- in a written document, appoint an EU representative if you need one
- create or revise internal privacy policies (e.g. describing technical, organizational and physical security measures)
- document procedures for responding to data subjects’ requests
- revise policies for responding to data breaches
Data protection and security measures
To protect the rights and freedoms of data subjects with regard to the processing of personal data, the GDPR postulates the use of appropriate technical and organizational measures. This means you need to:
- implement data protection measures (such as encryption and pseudonymisation)
- implement strict data access controls
- systematically delete personal data that is no longer needed or relevant
- adhere to the principles of privacy by design
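As an added illustration of the pseudonymisation and storage-limitation measures listed above (example code written for this guide, not taken from the GDPR or any vendor): pseudonyms are derived with a keyed HMAC whose key is held apart from the records, so the data cannot be attributed to a person without that separately kept “additional information”, and each record carries an expiry derived from its retention period so it can be purged systematically. The key handling, record layout and retention periods are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Pseudonymisation key, generated here for the example. Under GDPR Art. 4(5)
# this "additional information" must be kept separately from the records
# (e.g. in a KMS or HSM), never in the same database or backup as the data.
PSEUDONYMISATION_KEY = secrets.token_bytes(32)


def pseudonymise(identifier: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Map a direct identifier (e-mail, customer number) to a stable pseudonym.

    A keyed HMAC is used rather than a plain SHA-256 so that someone holding
    only the records cannot recover identifiers by hashing guesses (e-mails
    and ID numbers are low-entropy); normalisation keeps the pseudonym stable.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def create_record(identifier: str, purpose: str, retention_days: int,
                  now: datetime, key: bytes = PSEUDONYMISATION_KEY) -> dict:
    """Store only the pseudonym, the stated purpose and an explicit expiry."""
    return {
        "subject": pseudonymise(identifier, key),
        "purpose": purpose,  # purpose limitation: one stated purpose per record
        "collected_at": now.isoformat(),
        "expires_at": (now + timedelta(days=retention_days)).isoformat(),
    }


def purge_expired(records: list, now: datetime) -> tuple:
    """Storage limitation: drop every record whose retention period has passed.

    Returns (records_kept, number_removed) so the deletion can be logged as
    part of the records of processing activities.
    """
    kept = [r for r in records if datetime.fromisoformat(r["expires_at"]) > now]
    return kept, len(records) - len(kept)


if __name__ == "__main__":
    # Constructed sample data for the example.
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    records = [create_record("Alice@Example.com", "newsletter", 30, t0),
               create_record("bob@example.org", "warranty", 365, t0)]
    kept, removed = purge_expired(records, t0 + timedelta(days=60))
    print(f"removed {removed}, kept {len(kept)}")  # the newsletter record is purged
```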
Demonstrate compliance
Accountability is a crucial GDPR principle that reflects in your ability to demonstrate and prove to the supervisory authorities that you do business in accordance with the provisions of the GDPR. To be accountable, you should:
- maintain detailed records of your processing activities
- cooperate with the supervisory authorities
- appoint a data protection officer (DPO)
- carry out data protection impact assessments, under certain circumstances
One of the most important elements of demonstrating compliance is keeping detailed records of processing activities, which is mandatory for companies with more than 250 employees. The documentation should contain the reasons for collecting and processing of data, describe the information that’s being held and list the retention period along with data security measures taken to protect the data.
What happens if I don’t comply?
The supervisory authorities have several tools in their arsenal to sanction companies that break the new rules. These are:
- reprimands
- warnings
- suspensions of data processing
- administrative fines
The lower tier of fines is reserved for procedural offences such as failure to maintain records or notify users of a breach and communicate with the authorities. For these offences, the fines can go up to €10 million or 2% of the company’s global annual turnover for the preceding year, whichever is higher.
Fines of €20 million or 4% of the company’s global annual turnover will be issued for severe breaches of data protection guidelines and basic rights of individuals.
First steps to compliance
You should always keep in mind that the GDPR is big on accountability and transparency. Whatever steps you take, ask yourself whether they improve on those two requirements.
It can be difficult to begin fulfilling the requirements outlined above, but here are the key steps you should take:
- Understand your obligations – Knowing what your new GDPR requirements are is essential. You will probably not have time to study in depth all the articles and recitals of the GDPR, so hire people with knowledge of the GDPR and the changes it will entail. Make sure to budget for the new changes accordingly. Management should be aware that the changes are coming. If your company’s core activity is large-scale processing of sensitive data and a “regular and systematic monitoring of individuals”, you will also have to appoint a Data Protection Officer (DPO). They assist in solving day-to-day privacy and data security issues and serve as a primary contact between your company and the supervisory authorities.
- Assess the risks – “The GDPR takes a risk-based approach to data protection. The technical and organizational methods required to protect data should be proportionate to the risk that certain data processing operations pose to the rights and freedoms of individuals whose data is processed. Companies must assess this risk and subsequently develop and implement adequate measures for mitigating it”, explains Ozren Ćuk, chief privacy officer at Crionis. It is crucial you perform a GDPR analysis of all your business activities and discover any gaps or problems that you need to address. This involves analyzing your data flows, access controls, third-party contracts, internal privacy procedures and documents, security protocols and such. The analysis report should give you a clear set of recommendations for your further actions.
- Implement changes – Start by isolating data that is covered by the GDPR from other, non-personal data. You should also determine which data belongs to special categories of personal data and who has access to it. Then implement all technical and organisational measures with the aim of protecting personal data. Encrypt your data whenever possible and isolate devices holding sensitive data from the Internet. Address vulnerabilities promptly and monitor new cyber security developments.
- Document everything – You must have a detailed data inventory and keep logs of how the data was used to answer all regulatory and data subject requests. At all times, you should be aware of the data flows and the ways in which you use data. It also makes it easier for you to delete, transfer and access data as you’ll always know where it is.
Who are the authorities?
Every member state will have to appoint a single agency that will act as a lead supervisory authority for that country. A company will have to directly deal with only a single authority, regardless of how many member states it operates in. A single authority will be designated depending on the company’s main country of establishment. Do note that this doesn’t mean other authorities cannot get involved; it just means the lead authority will do all the coordination.
A ‘consistency mechanism’ spearheaded by the European Data Protection Board should ensure a fair and consistent treatment for all companies across the EU, but the practical implementation of this will probably leave a lot to be desired.
What do the individuals get from all this?
Individuals will enjoy new rights that give them more control over how their data is used.
If they no longer want the data to be retained, they have the right to demand it be deleted. This is the so-called ‘right to be forgotten’.
They also have a much easier time accessing their data – for example, a data access request used to cost £10 in the UK, whereas now it will be free. Companies also have to notify users if their data has been compromised in a breach, but the odds of this are reduced by the stronger data protection methods that the GDPR requires (the so-called data protection by design).
This should also help regular users put more trust into European companies, as the overall data protection standards will be much higher. A recent study by Tresorit showed that about 6 in 10 German professionals would rather use European services for their data storage needs, and about 10 times more people feel safer using European services than American ones.
Conclusion
The rules of the game will change massively once the GDPR rolls out. The entire privacy landscape will certainly be shaken to the core – but maybe that’s a good thing overall, considering the recent developments that left both users and companies high and dry.
You should also bear in mind that this is in no way an exhaustive list of all the changes the GDPR brings. The GDPR is extremely complex and there are many nuances in practice – that’s why we provide additional resources to help you dive deep into the new regulation and gain a much better understanding of what’s required from you.