— April 27, 2018
This article does not constitute legal advice, nor is this information intended to create or rise to the level of an attorney-client relationship. You should always seek professional legal advice where appropriate.
Learn how to get ready for GDPR with our Ultimate GDPR Overview on the General Data Protection Regulation (GDPR) and your business ecosystem.
The General Data Protection Regulation, adopted April 27, 2016, takes effect on May 25, 2018, and applies to organizations around the world, including in the United States, that handle EU personal data. GDPR is a comprehensive data protection regulation that aims to give EU citizens and residents greater digital privacy rights. It replaces the less harmonized 1995 Data Protection Directive and mandates compliance from any company or organization with EU customers, partners or vendors.
Who Does It Affect & Where?
The General Data Protection Regulation affects companies of all sizes once the storage or processing of EU personal data is involved. You should begin working toward GDPR compliance if you have, or will have, EU residents' data stored or processed through your website or database. This includes the cloud, newsletter opt-in forms and other marketing communications tools. Public entities such as law enforcement may be exempt from the Data Protection Officer requirement.
Who In My Company Is Responsible?
The GDPR requires you to appoint a Data Protection Officer, in addition to your existing IT or cybersecurity roles, only if your organization falls into one of three categories: (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data.
In larger organizations, the GDPR defines a few roles as being responsible: the data controller, the data processor, and the data protection officer (DPO).
EUGDPR.org defines the difference between a controller and data processor as the following: a controller is an entity that determines the purposes, conditions, and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
What Is Considered Personal Data?
The EU has broadened its definition of personal data to include what the Data Protection Directive already covered as well as additional categories that reflect newer types of data being collected. This covers a very wide range: medical information, IP addresses, sexual orientation, social media posts, email addresses, bank details and more.
Pseudonymization is the process of replacing the most identifiable fields with artificial values. It is often still possible to identify the subject by correlating the remaining data with other information. For this reason, certain types of pseudonymization may still be subject to GDPR rules.
What Are The Penalties?
Non-compliance can cost companies up to €20 million or up to 4 percent of their annual global turnover, whichever is greater. Where there are multiple infractions, the total fines can exceed this.
The General Data Protection Regulation replaces the EU's 1995 Data Protection Directive, which was introduced at a time when consumer data processing was far less sophisticated. GDPR addresses the growing concern about how data is processed and used. Because it is a regulation rather than a directive, it is directly binding and effective without needing to be enacted through national legislation. Data privacy has become a hot topic in the media, for example the Cambridge Analytica incident, in which 50 million people did not give consent for their data to be harvested. Such cases further explain why the EU is taking strong measures to ensure its citizens have greater control over their data. According to recent surveys on data privacy (PageFair, SAS), over 80% of data subjects claimed never to have given consent. In addition, the EU argues that by creating a single set of global rules, international companies should find it easier to navigate data privacy.
How Do I Kickstart GDPR Compliance?
You should kickstart GDPR compliance by creating a GDPR readiness plan that involves checks and balances on awareness and implementation. A few considerations are as follows:
- Raise awareness and contact your lawyer. This is probably the best first step you can take to ensure compliance. Informing your company is essential in getting them up to speed on GDPR requirements. Bringing in legal teams also minimizes your risk of non-compliance.
- Perform a data audit that maps where your information lives and how it flows. Your organization needs to be accountable for where the data comes from, how it is used, where consent was obtained, whether consent is clear and segmented, and more. Other questions to focus on during the audit include:
  - Why do we store this data?
  - Where do we store this data, and what safety measures do we have in place?
  - Who do we share personal data with?
  - How long should data be kept?
- Easy opt-out and complaint links (the right to be forgotten)
- Who is controlling and processing their data (data controller and DPO)
- Maximum time their data is kept
- Who will receive the data and what happens to it