On May 25, 2018 the General Data Protection Regulation (GDPR) becomes enforceable across the European Union (EU). The GDPR strengthens and unifies data protection for all individuals residing in the EU. It is one of the most comprehensive data privacy regulations in the world and is part of an ongoing effort by the EU to build a privacy-based legal framework, which is expected to continue with the release of the ePrivacy Regulation in the near future.
The primary aim of the GDPR is to give EU citizens and residents control over their personal data and to create a single framework that all EU member states apply to protect them. With personal data, and the misuse of personal data, becoming a critical topic around the globe, understanding the implications of the GDPR is important for any business.
Are you impacted by the GDPR?
In general, the GDPR applies to a company, regardless of where it is located, if either of the following is true:
- You have an establishment in the EU and process personal data in the context of that establishment
- You have no establishment in the EU, but process personal data of people in the EU in connection with offering them goods or services (paid or free) or monitoring their behaviour
Note that headcount does not decide whether the GDPR applies to you. The 250-employee figure often quoted in this context comes from a narrower rule: organizations with fewer than 250 employees are exempt from keeping formal records of their processing activities, unless that processing is likely to result in a risk to the “rights and freedoms of data subjects, is not occasional or includes certain types of sensitive data” (for example health or biometric data, or data on criminal convictions).
That scope covers just about every business. For non-EU businesses, the most important clause of the GDPR is that it applies to any organization, inside or outside the EU, that offers goods or services to individuals in the EU or monitors their behaviour there. In practice, this means that any business that advertises or sells products or services online to people in the EU is directly within the scope of the GDPR, even if it has no European office.
The GDPR makes a distinction between two types of business entities: controllers and processors. Controllers are organizations that determine what personal data to collect and how it is used; processors are companies that process the data on behalf of a controller. It is possible for a company to be both a controller and a processor. Compared with earlier EU rules, processors now carry direct legal obligations of their own: they must keep records of the processing they carry out for each controller, secure the data appropriately, and notify the controller without undue delay when they discover a personal data breach. Controllers remain responsible for the lawful basis of the processing, including being able to demonstrate that consent was obtained where consent is relied on, and for using only processors that provide sufficient guarantees of GDPR compliance, bound by a written contract.
What constitutes “personal data”?
The GDPR is very clear about what constitutes “personal data”: any information relating to an identified or identifiable natural person. This includes obvious items such as name, address and photos, but also extends to data elements that can be used to identify an individual directly or indirectly, such as an IP address or another online identifier, a location record or a customer number. The GDPR also singles out “special categories” of data, including genetic data, biometric data used for identification, health data and religious or philosophical beliefs, which may only be processed under narrower conditions.
Control over data, including data breach notifications & right to be removed
The GDPR also significantly tightens how businesses may use personal data once they have collected it. To be GDPR compliant, organizations must give individuals the means to control their data and, if they wish, to have it erased. This has significant implications for businesses that might want to “repurpose” data. For instance, if a user has signed up for a newsletter, you are not allowed to target that user with other types of advertising and offers without first obtaining consent for that new purpose.
Another key element of the GDPR is the right of individuals to know when their personal data has been breached. Organizations must notify the competent supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals, and when the breach is likely to result in a high risk to the people affected they must also inform those people without undue delay so they can protect themselves from misuse. The GDPR also explicitly gives individuals the right to have their personal data deleted when they no longer want it processed and there are no legitimate grounds for retaining it.
Are there penalties for non-compliance?
Yes, and they can be severe. The most serious infringements can cost a company up to 20 million euros or up to 4% of its total worldwide annual turnover, whichever is higher; a lower tier of infringements carries fines of up to 10 million euros or 2% of turnover. Whether regulators will actually impose fines of that size is hard to forecast. The rules give supervisory authorities room to set smaller fines according to the nature, gravity and duration of the infringement, but there is no guarantee of leniency.
What is Milestone doing about the GDPR?
At Milestone we have always taken data privacy and data protection seriously. We are currently working on making the necessary changes to our technology and our internal policies and procedures. Many of our practices and technologies are already in compliance, but we strive to ensure we are fully compliant. We will be sharing more information about Milestone and the GDPR in the near future.
What does all this mean to you?
The most important change for any consumer-facing business is the standard for consent. Consent under the GDPR must be freely given, specific, informed and unambiguous (and explicit for special categories of data), which means you must explain to customers what data is being collected, why it is being collected and who specifically is requesting it or will have access to it. This is critical because, once you have specified your data collection purposes, you may not extend the processing to an incompatible purpose without a new lawful basis, which in practice usually means fresh consent. In our earlier example of signing up a user for an email newsletter, you must obtain new consent if you want to use that data for other purposes.
Beyond these general obligations, the GDPR specifically requires organizations to designate a Data Protection Officer (DPO) if any of the following are true:
- The processing is carried out by a public authority or body, except for courts acting in their judicial capacity.
- The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale.
- The core activities of the controller or the processor consist of processing special categories of data (ex: health data) or data relating to criminal convictions and offenses.
As a rule, the more data you process, the more likely you are to need a DPO. As for “core activities”, these are defined as activities necessary to achieve your business goals. For example, an HR outsourcing company that manages and processes payroll and benefits for clients would need a DPO, since HR management and handling of HR records is core to the business. On the other hand, a retailer with an HR department that processes payroll may not need a DPO, at least not because of their payroll processing, since payroll is not central to that retailer’s business goals. If the use of personal data is in any way critical to the success of your business, a DPO may be necessary.
Your GDPR checklist starter
Below is a checklist of some of the aspects of the GDPR that will impact your business. Note that some of these items may apply to your “data processor” and not to your business directly. This list is not meant to be a comprehensive list of GDPR requirements, but is provided for informational purposes:
- You have a list of the types of personal information you store, the source of that information, who you share it with, what you do with it and how long you keep it
- You have a list of places where you store personal information and the ways data flows between them
- You have appointed a Data Protection Officer, where the GDPR requires one
ACCOUNTABILITY & MANAGEMENT
- You have created awareness amongst your decision makers about GDPR guidelines
- Your technical security is up to date
- You have trained staff to be aware of data protection
- If your business operates outside of the EU, you have appointed a representative within the EU
- You report breaches of personal data to your supervisory authority within 72 hours and, when the breach is likely to result in a high risk to them, to the people affected
- There is a contract in place with any data processors with whom you share data
- Your customers can easily request access to their personal information
- Your customers can easily update their own personal information to keep it accurate
- You automatically delete data for which your business no longer has any use
- Your customers can easily request deletion of all their personal data
- Your customers can easily request that you stop processing their personal data
- Your customers can easily request that their data be delivered to themselves or a third party
- Your customers can easily object to profiling or automated decision-making that could impact them personally
- You ask for consent when you start processing a person’s information
- Your customers can withdraw consent easily
- If you process children’s data, you can verify their age and have asked for consent from their legal guardian
- You regularly review policies for changes, effectiveness, changes in how you process data and changes to the state of affairs in countries where your data flows
This information is not legal advice, which is an attorney applying the law to your specific circumstances. Consult an attorney if you would like advice on any of the above, on the accuracy of this information or on the GDPR in general. You may not rely on this content as legal advice or as a recommendation of any legal interpretation.