Beginning from May 25th, 2018, companies which operate in the European Union have to adhere to the GDPR. Coursedot has a special quick and easy guide to provide the basics of GDPR. This is the third part of the series. The second one is right here.
The third part will cover
GDPR in a Nutshell
The General Data Protection Regulation (GDPR) was approved by the European Commission (EC) in 2016. Until now there has been an unofficial grace period during which companies could get ready for it and take the steps needed without being subject to review or fines.
This unofficial grace period ends on May 25th, 2018. From that date onwards any company which uses digital user data on EU territory has to be compliant with GDPR. Otherwise they risk hefty fines. So, let’s dive into it a little bit more and see what’s what.
What is GDPR?
The General Data Protection Regulation is a mandatory law for all EU member states. It replaces Directive 95/46/EC, which had been the data protection law for the EU since 1995.
As you can imagine, it was too old to reflect the realities of 2018. While the GDPR has been portrayed by the media as something very serious, even daunting, it’s not that bad. The main goal of this new law is to harmonize and strengthen the EU data protection rules. One of the main issues for any company that wants to operate in several EU countries is the very different laws from member state to member state. The GDPR aims to solve these problems, at least when it comes to data protection. All EU member states have to apply the GDPR and have to harmonize their local laws in accordance with it. This means it’s the same rules everywhere in the EU when it comes to data protection.
The GDPR also gives individuals more control over their own data. Companies which collect or store such data are obligated to follow that law which aims to put individuals’ privacy at the forefront. It’s also important to note that the GDPR does not limit the amount of data companies can or will collect. It also doesn’t limit the technologies that can be used for data collection, storing and analyzing.
What the GDPR does do, though, is regulate the ways that data can be obtained, used, stored and so on. It also expands the definition of what counts as personal data (an email address, for example). The Regulation also mandates that companies have to have the consent of the individual for each piece of data which is collected, no matter what it is. The user also has to be informed in advance what their data will be used for, how it will be stored and who will have access to it.
Who does the GDPR affect?
Now comes the tricky part. Who does the GDPR actually affect? The definitions are quite broad and this creates confusion. For example, would the owner of a blog who collects the emails of their readers for a newsletter have to comply with the Regulation? First things first: the GDPR does not affect individuals, meaning you don’t have to do anything more to secure the phone numbers of your friends in your personal phone. For your work phone, which is provided by your employer, though, the GDPR is in effect. This means that if that phone is lost or breached, your company will have to follow the Regulation and inform the authorities and the people whose personal data is affected.
Now, let’s narrow the scope a bit. The GDPR will affect all organizations established in the EU. It also includes all organizations which process personal data of EU citizens no matter where they are established or where the processing of information takes place. Basically any organization in the world could be affected if it uses or collects personal data. This is why it’s important for every company to perform an analysis and see whether it falls under the GDPR or not.
For this analysis the company has to check what data it collects and what it does with it. For example, what exactly is personal data as defined by the GDPR?
According to the GDPR, any information which is related to an identified or identifiable individual is personal information. The same goes for any type of data which can be used on its own or in conjunction with other data to identify an individual. This means all types of current personal data, like addresses, names, social security numbers and email addresses, still fall under the GDPR.
What’s new is that location data, behavioral data, financial information, even IP addresses are now part of this definition of personal data which falls under the GDPR. And it’s not limited to that, either. Health information, ethnic information and all other types of identifiable data fall under the GDPR. In short, if a piece of data can reveal something about an individual, then it can be classified as personal data. This holds even if the data is kept under a pseudonym, as long as that pseudonym can be used to identify a particular individual.
Another important criterion is data processing. This is also part of the GDPR. According to the new Regulation, any sort of usage of this data, even if it’s just storing it, falls under the law. The official definition is quite long and broad: “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Whew. Quite the mouthful. Basically, just storing an email list or sending an email which contains personal data can be defined as data processing by the GDPR. This means that a lot of companies do not even realize their actions fall under the GDPR.
There’s another issue, too. Many companies are confused about the differences between the GDPR and the previous Directive from 1995. To be honest, lawyers are still working to iron out all of the differences and their ramifications. But there are some important differences that are already quite obvious.
Some of the main differences between GDPR and Directive 95/46/EC:
1. The definitions of personal data are much broader.
2. The scope of affected companies and organizations is also very broad and introduces the principle of extraterritoriality beyond the borders of the EU.
3. The GDPR expands and builds on individual rights. One of them is the right to be forgotten, which came into effect a few years ago. Now individuals have several more rights like this one. Here they are:
• Right to be forgotten – individuals can request to any company to delete all data it has for that individual
• Right to object – individuals can prohibit certain uses of their data
• Right to rectification – individuals can request incomplete data sets or incorrect data sets to be completed or corrected
• Right of portability – individuals can request their personal data which has been stored by one company to be transferred to another
• Right of access – individuals have the right to know what data is collected and how it’s processed.
• Right to be notified – if a data breach occurs and it affects an individual’s personal data in any way, this individual has a right to be informed within 72 hours of the organization first becoming aware of the breach. Authorities also have to be notified within that same time period.
Note: these rights cover EU citizens only.
4. The GDPR also imposes strict consent requirements. This means that the personal data companies collect has to be collected with the proper consent from individuals. There’s another important detail: companies must obtain explicit consent for every type of usage for the personal data of an individual. It also means that companies will have to offer an opt-in for their users and subscribers for the data collection and processing.
Consent must be specific to each data usage. And very important: silence, i.e. no response, pre-ticked boxes or inactivity does not mean consent has been given. Individuals must opt in actively and explicitly. While that consent can be obtained for all actions at once, the description of these actions must be very clear and precise for each of them. In short, individuals should not be confused about what data is going to be collected and stored, and how it will be processed.
5. There are also stricter data processing rules to go along with the consent requirements. Individuals have to receive “fair and transparent” information about how their personal data is going to be processed. This means companies must provide contact details of the data controller. Companies also have to consider what data they are collecting, why, and whether they would be able to give solid arguments to a regulator in the case of an inquiry.
Another important detail is that companies are not permitted to process personal data just because they want to or can. They have to be able to provide a “legal basis” for this need. For example: the data is necessary for the performance of a service; the user has consented to or requested the processing; or the company has an interest of its own in processing this data.
There are many other details and criteria which could affect different companies and use cases differently. This is why it’s important to review the full GDPR on a per-case basis and understand if and how it applies to each company, even if said company believes it doesn’t fall under the GDPR at all.
Next up, we get into detail with What Your Business Needs to Know About GDPR.
Part 2 – Usage of Data and The Need for Regulation
Part 4 – What Your Business Needs to Know About GDPR (Definitions)
Part 5 – What Your Business Needs to Know About GDPR’s Rights for Individuals
Part 6 – The GDPR Fines and What Do They Mean