This article was originally published in the June 2018 issue of EAN Magazine at page 70.
The European Union’s General Data Protection Regulation (“GDPR” or “Regulation”) was developed to standardize data protection laws in the EU and give EU residents more control over their personal data. The Regulation, adopted by the European Parliament in April of 2016, went into force on May 25th of this year. Accordingly, businesses must now be in compliance or face the possibility of serious fines. Let’s take a look at some of the GDPR’s key provisions.
The GDPR regulates how companies can “process” the “personal data” of EU residents. Processing is defined very broadly to include just about any type of data manipulation, including collecting, recording, organizing, structuring, storing, altering, retrieving, transmitting, disseminating, erasing, or destroying data. Personal data, as defined by the Regulation, is any information relating to an EU resident that can be used to directly or indirectly identify that person. It can therefore be anything from a full name, home address, photo, email address, driver’s license number, passport number, medical information, or birthdate to a computer IP address. Anonymized or pseudonymized data (such as aggregated data), where steps have been taken to de-identify the data so that it is impossible or impractical to connect it to an identifiable person, is subject to more relaxed standards than personal data.
The terms of the GDPR apply to organizations that process, or control the processing of, the personal data of EU residents (so, when I refer to a “person” or “people” here, I mean an EU resident or EU residents). Under the GDPR, a “controller” is the entity that determines the purposes of the processing and instructs the “processor,” while the “processor” is the entity that actually carries out the processing. It does not matter where the entity is located. Of course, data controllers and data processors based in the EU are subject to the Regulation. Those outside of the EU are also subject to the Regulation if they offer goods or services to, or monitor the behavior of, EU residents. It does not matter whether the person from whom the data is collected is required to pay for the goods or services.
Under the GDPR, personal data may be collected for explicitly specified and legitimate purposes. The data should only be processed for those purposes, and not for any other (subject to certain exceptions). The amount of data collected should be limited to what is necessary, i.e. data minimization. The data should be kept in a form which allows identification of the respective persons for no longer than is necessary. Appropriate security measures should be taken to protect the security of personal data collected for processing.
In order to process or hold a person’s data, the person must consent, or the processing must be necessary for the performance of a contract. There are also several additional legal bases outlined in the Regulation, but they are beyond the scope of the discussion here. Where consent is requested, the request must be in clear and plain language; confusing legalese is not acceptable.
The consent must be “freely given.” For example, where the provision of a service is made conditional on consent to the processing of personal data that is not necessary for the provision of that service, the consent may be deemed invalid. This means that if a person must provide personal data for processing as a condition of accessing a WiFi network, but the data is then processed for purposes other than providing the WiFi, the consent may not be considered freely given. This could render illegal any personal data processing performed on the basis of that consent.
For certain types of sensitive data, “explicit” consent is required. This sensitive data includes personal data about racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Sensitive data also includes genetic data, biometric data, health-related data (mental, physical, or sexual), or sexual orientation. Example methods of obtaining explicit consent include electronic forms, emails, or the upload of scanned documents bearing the person’s signature. For other types of personal data, which are not considered sensitive, “unambiguous” consent is adequate.
The GDPR provides rules for consent by children for personal data processing. Parental consent is required to process the personal data of children under the age of 16 for online services. EU member states, however, may legislate for a lower age of consent, but it cannot be below the age of 13.
The GDPR tries to achieve transparency. It gives people the right to receive the personal data they have provided to a controller. Accordingly, a data controller must be prepared to provide such upon request.
In addition, the GDPR provides a “right to be forgotten.” This entitles people, under certain circumstances, to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to original purposes for processing, a person withdrawing consent, or other conditions, which are outlined in the Regulation.
A person must be able to withdraw consent as easily as consent was given. For example, if a person filled out a form on a company’s website to be added to a newsletter mailing list, there should be a similar form, checkbox, or portal in the same or a nearby location (or perhaps right in the newsletter itself) where the person can later withdraw consent. It’s important to recognize that a person’s withdrawal of consent does not render illegal any previous processing that was based on proper consent before its withdrawal. The GDPR says that, prior to giving consent, the person should be informed of this right to withdraw. So, it is best to include a notation explaining this in the request for consent.
The GDPR provides strict standards for reporting of data breaches. A data processor must notify the controller without “undue delay” after becoming aware of a breach. Where the breach puts people’s rights at risk, a controller must notify the competent supervisory authority within 72 hours of becoming aware of the breach. In some cases, the individuals whose information is compromised must be notified as well.
Severe penalties may be imposed on organizations that violate the terms of the GDPR. The Regulation gives any person who has suffered “material,” or even “non-material,” injury as a result of a violation the right to damages from the controller or processor. A controller is much more easily snagged for violating the GDPR than a processor. This is because a controller involved in processing is liable for damage caused by any such processing that violates the Regulation. A processor, however, is typically liable for damage caused by processing only under two particular circumstances: (1) where it has not complied with the terms of the Regulation specifically directed to processors, or (2) where it has acted outside of, or failed to follow, the instructions of the controller (assuming that such instructions were not themselves in violation of the GDPR or another law).
In addition, fines can be imposed for violation of the Regulation. Organizations can be fined up to 4% of annual global turnover or €20 million. Note that this is the maximum fine that can be imposed, reserved for the most serious breaches. Lower fines are available for less egregious offenses.
Organizations that collect, hold, or use personal data of EU residents will have to take major steps to comply with the terms of the GDPR. Proper mechanisms for requesting consent, as well as withdrawing consent, must be used. Security measures for the data and its processing must be implemented. Enterprise-wide data flow charts should be created and optimized to be able to track for what purposes specific data is allowed to be processed, and to be able to find data for erasure when requested or when it is no longer needed.
Remember that the GDPR has further provisions not reached in this summary. Although the terms of the Regulation are onerous, they are manageable if you plan out your data collection and processing operations. Talk to your lawyer and IT management company about your practices and goals, so you can set yourself up with a well-developed and properly-implemented strategy.