By JODI DANIELS
The General Data Protection Regulation (GDPR) is a complex regulation comprised of 99 articles. In this three-part series, we’ll break down the components of GDPR starting with an overview of the regulation and why you need to start preparing now.
Part Two will discuss some of the key elements including obtaining valid consent, access to data, and a data subject’s right to be forgotten. Part Three will dive deeper into understanding the obligations of a data controller and data processor, as well as the newly defined role of a Data Protection Officer.
May 25, 2018 is an important date for all companies who collect and store personal information on European Union (EU) citizens. It’s the date that GDPR comes into force.
A common misconception is that this only applies to companies located in the EU. In the EU, privacy is a fundamental right. GDPR is applicable to all businesses that hold and process data collected in the EU, regardless of whether the company is located outside the EU. GDPR applies to you if you fall into one of these buckets:
- You are a company with US offices and have customers around the world
- You are a B2B company with US offices that serves EU clients
- You are a company with offices in the EU
GDPR sets a new high bar for how EU customers will expect their data to be treated by any company they interact with.
Here are 11 key concepts you need to know about GDPR:
1. Data controllers & processors
GDPR affects both data controllers and data processors. The data controller defines how and why personal data is processed and determines the purposes for which the personal data is processed. Every company to some extent is a data controller, as at a minimum it’s responsible for its employee data or those of its clients. The data controller is responsible for ensuring that the data processors are GDPR compliant. For the same data processing activity, a company must be either a data controller or a data processor.
Data processors are either internal groups or outsourced vendors that process personal data on behalf of the data controller. For example, if payroll is processed by a third party, then the payroll company is a data processor to your company. If you are a market research firm, you are a data processor to your clients.
Keep in mind, GDPR applies to both customer and employee data.
2. Data Protection Officer (DPO)
Companies may also need to appoint a Data Protection Officer (DPO) to oversee data security strategy and GDPR compliance. We will talk more about DPOs in a later post in this GDPR series.
3. Penalties and enforcement
Noncompliance with GDPR can be costly. Companies could face regulatory fines as high as four percent of their global annual turnover or €20 million, whichever is higher. GDPR is setting a new baseline for privacy and security, and EU customers will expect companies to comply. In addition to penalties, companies can suffer reputational harm from negative publicity about their noncompliance.
Supervisory authorities will have the ability to require documentation from companies or to conduct audits. Data subjects will be able to submit a complaint to the supervisory authority in the member state of their residence, their place of work, or the place where the alleged infringement occurred. Data controllers and processors will also need to be prepared to appear in court proceedings and to adhere to any enforcement actions, should that be required.
4. Personal data
GDPR expands the definition of Personal Data with special categories such as health, genetic, and biometric data. These special categories of data are deemed to be “particularly sensitive in relation to fundamental rights and freedoms” and as a result warrant special protection.
GDPR personal data elements include (but are not limited to) the following:
- Basic identity information such as name, address, and ID numbers
- Web data such as location, IP address, cookie data, and device identifiers
- Genetic data (e.g., an individual’s gene sequence)
- Biometric data (e.g., fingerprints, facial recognition, retinal scans, etc.)
- Racial or ethnic origin
- Political opinions
- Sexual orientation
- Religious beliefs
GDPR also introduces a new concept called “pseudonymous data.” This is defined as personal data that has been hashed or encrypted (or treated in a comparable way) with the intent that it cannot identify an individual without additional information. The goal is to separate the “personal” from personal data so that not all the pieces of the puzzle exist in one place. Pseudonymous data combined with that additional information could still be traced to the data subject, and it is therefore still considered personal data under GDPR.
Pseudonymous data would be ideal to use in data analytics and research. Since the personal data is not all combined, using pseudonymous data lowers the risk of misuse if exposed in a data breach.
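As an added illustration (not code from the original article), the separation described above can be implemented by replacing the direct identifier with a keyed-hash token: the analytics dataset carries only the token and non-identifying fields, while the secret key and the token-to-identifier lookup table (hypothetical names, assumed here to live in a separately controlled store such as a KMS) are the "additional information" needed to re-identify anyone.

```python
import hashlib
import hmac

# Constructed sample records, not real people.
RECORDS = [
    {"email": "anna@example.com", "name": "Anna", "purchases": 3, "country": "DE"},
    {"email": "bert@example.com", "name": "Bert", "purchases": 1, "country": "FR"},
    {"email": "anna@example.com", "name": "Anna", "purchases": 2, "country": "DE"},
]

# Fields that analytics actually needs; everything else is dropped (data minimisation).
ANALYTICS_FIELDS = ("purchases", "country")


def make_token(secret_key: bytes, identifier: str) -> str:
    """HMAC-SHA256 of the normalised identifier.

    A keyed hash (rather than a plain SHA-256) means someone holding only the
    dataset cannot recover identifiers by hashing a list of candidate emails;
    the key is the 'additional information' and is stored apart from the data.
    """
    return hmac.new(secret_key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records, secret_key: bytes):
    """Return (analytics_dataset, lookup_table).

    The dataset holds token + analytics fields only; the lookup table maps
    token -> identifier and must be kept in a separate store from the dataset.
    """
    dataset, lookup = [], {}
    for rec in records:
        token = make_token(secret_key, rec["email"])
        lookup[token] = rec["email"]
        dataset.append({"subject": token, **{f: rec[f] for f in ANALYTICS_FIELDS}})
    return dataset, lookup


def reidentify(token: str, lookup: dict):
    """Only possible with access to the separately stored lookup table."""
    return lookup.get(token)


def erase_subject(identifier: str, secret_key: bytes, dataset, lookup):
    """Right-to-erasure: remove the subject's rows and its lookup entry."""
    token = make_token(secret_key, identifier)
    remaining = [row for row in dataset if row["subject"] != token]
    lookup = {t: i for t, i in lookup.items() if t != token}
    return remaining, lookup
```

The same person always maps to the same token, so per-subject analysis still works, but a breach of the dataset alone exposes no direct identifiers.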
5. Data processing
GDPR allows companies to store and process personal data only when the individual consents. Additionally, companies can store and process personal data for “no longer than is necessary for the purposes for which the personal data are processed.”
The cost of storing data is historically low, and many companies keep data longer than is necessary to conduct business. GDPR specifically states that companies should destroy data that is not needed to run daily operations, or protect it with encryption, data masking, or a comparable technology. Keep only the data required to do business.
6. Cross-border data transfers
Transferring data outside of the EU is prohibited unless adequate protections are in place. Data transfers to a third country can be made if the EU Commission has determined by decision that the country provides an adequate level of protection (countries such as Israel, Argentina, Canada, New Zealand, and Switzerland). For companies that have self-certified under Privacy Shield, data can be transferred to the US. Otherwise, adequacy can be met through safeguards such as Standard Contractual Clauses or Binding Corporate Rules (BCRs). In short, BCRs are internal rules, approved under the EU cooperation procedure, that multinational companies adopt to make intra-company transfers of personal data.
7. Right to be forgotten
GDPR introduces the concept of the right to be forgotten, which allows a person to request their data to be erased. There are some exceptions (for example, it cannot supersede any legal requirement that an organization maintain certain data). For US companies, this would include HIPAA required records.
8. Data portability rights
Data subjects can demand their personal data be ported to them so they can reuse “their” data for their own purposes and across different services. This applies to online data only. Data controllers need to provide functionality that enables the data subject to move, copy, or transfer personal data easily. Examples could include a list of media such as books, songs, movies, photos stored in a cloud, or transaction history. Data that is inferred such as behavioral data determined from analysis would be out of scope.
9. Report a breach within 72 hours
If your company experiences a data breach, you must notify the local Data Protection Authorities (DPA) in the member states of those affected within 72 hours of identifying or confirming the occurrence of a data breach. Companies need to prepare with a rehearsed incident response plan comprised of a cross-functional team including public relations, legal, compliance, IT, privacy, and information security professionals.
10. Processing of data requires consent or legitimate interest
Under GDPR, the use of data must be based on opt-in consent or must meet the definition of legitimate interest. This is the opposite of many US regulations, where only providing an opt-out is required. Consent must be documented, kept separate from other terms and conditions, cannot rely on pre-checked boxes, must specifically state the use case for the data being processed, and must list any third parties that will also rely on this consent. Additionally, the user must be able to withdraw consent.
GDPR significantly impacts how companies collect, store, and transfer personal data. Companies must not only comply, but also be able to demonstrate compliance. There must be a privacy impact assessment program in place to review any data processing activities that would cause a “high risk to rights and freedoms” of a data subject.
Don’t delay—start planning now!
Companies need ample time to prepare for GDPR. This includes performing assessments, documenting the data flow in a company, and remediating any gaps identified during the process.
Get started now on crafting a plan, securing resources and budget, and determining any assistance you will need from external legal counsel and consultants. Ensure your company has adequate time to manage any project delays or unexpected findings, and to implement any new controls or processes to ensure GDPR compliance.
Companies not in compliance by May 25, 2018 risk hefty fines, scrutiny by local supervisory authorities, and negative PR. There is also the potential loss of customers as companies need to ensure they work with GDPR compliant vendors.
GDPR readiness is not a one-and-done activity. Compliance will need to be reviewed annually. As part of the GDPR readiness activities, processes to ensure ongoing compliance with GDPR should be considered. Examples include:
- Updating contracts with appropriate GDPR clauses
- Updating data inventories with changes to personal data collected, used, or stored
- Reviewing and updating external privacy notices and internal policies
- Building into the product plans consent capture, data portability, and right to be forgotten
Preparing for GDPR compliance ahead of time can help companies get a clear picture of their data activities, such as knowing what personal data is collected, where it is stored, and how it is used. Customers expect that you take privacy and security seriously, and for GDPR-compliant companies this work will ultimately help keep data safer.
Knowing where all your data is stored will help your company be more agile and efficient, which translates into better decisions. As companies are looking to partner with GDPR-compliant organizations, being ahead of the curve as an early adopter can help you stand out amongst the competition.