There is a lot of noise these days about this soon-to-be implemented EU regulation, the GDPR (General Data Protection Regulation), making the topic hard to miss — but how much do you understand about the GDPR, and to what extent can it impact your U.S.-based business?
What is this GDPR thing, and why should you care?
Adopted by the European Union on April 27th, 2016, and scheduled to become enforceable on May 25th, 2018, the GDPR is a regulation designed to greatly strengthen an EU citizen’s control over their own personal data. In addition, the regulation is meant to unify the myriad of regulations dealing with data protection and data privacy across member states. Finally, its reach also extends to the use and storage of data by entities outside of the EU (Spoiler Alert! This is the part that affects us).
Enforcement of the provisions within the GDPR is done via severe penalties for non-compliance, with fines of up to €20 million or 4% of worldwide annual revenue (whichever is greater). Now, as a non-EU entity, you may think that your company won’t be subject to these fines, but that is incorrect. If you are a U.S. company that collects or processes the personal data of EU citizens, the EU regulators have the authority and jurisdiction, with the aid of international law, to levy fines for non-compliance.
In addition, your EU-based clients can be held accountable for providing personal information to a non-compliant 3rd party (your company). This is a strong incentive for EU-based citizens and companies to insist on working only with GDPR-compliant 3rd parties, which could cost your company all of its EU-based business.
As you will soon realize, the GDPR is a vast set of regulations, with a large scope and sharp teeth. I cannot possibly go into enough detail in a blog post to map out a roadmap towards compliance, and neither is that my goal. If that is what you are looking for in a blog post, well, maybe you shouldn’t be responsible for anyone’s personal data…
No, my intent here is to demonstrate the importance of the GDPR, hopefully convince you to take it seriously and start down the road to compliance, and finally to point you in the right direction to start your journey.
The expanding scope
The GDPR expands the definition of personal data in order to widen the scope of its protections, aiming to establish data protection as a right of all EU citizens.
The following types of data are examples of what will be considered personal data under the GDPR:
Does your company collect, store, use or process anything considered personal data related to an EU citizen by the GDPR? If you have any EU clients, customers, or even just market to anyone in the EU, it is unlikely you could avoid being subject to GDPR.
The EU is seeking to make data privacy for individuals a fundamental right, broken down into several more-precise rights:
- The right to be informed
  - A key transparency issue of the GDPR
  - Upon request, individuals must be informed about:
    - The purpose for processing their personal data
    - Retention periods for their personal data
    - All 3rd parties with which the data is to be shared
  - Privacy information must be provided at the time of collection
    - Data collected from a source other than the individual extends this requirement to within one month
  - Information must be provided in a clear and concise manner.
- The right of access
  - Grants access to all personal data and supplementary information
  - Includes confirmation that their data is being processed
- The right to rectification
  - Grants the right to correct inaccurate or incomplete information
- The right to erasure
  - Also known as “the right to be forgotten”
  - Allows an individual to request the deletion of personal data when:
    - The data is no longer needed for the purpose for which it was originally collected
    - Consent is withdrawn
    - The data was unlawfully collected or processed
- The right to restrict processing
  - This blocks processing of information, but still allows for its retention
- The right to data portability
  - Allows an individual’s data to be moved, copied or transferred between IT environments in a safe and secure manner.
  - Aimed at allowing consumers access to services which can find better value, better understand their spending habits, etc.
- The right to object
  - Allows an individual to opt out of various uses of their personal data, including:
    - Direct marketing
    - Processing for the purpose of research or statistics
- Rights in relation to automated decision making and profiling
  - Limits the use of automated decision making and profiling using collected data
Sprechen Sie GDPR?
Before diving deeper, it is important to understand some key terms used by the regulation.
The GDPR applies to what it calls “controllers” and “processors.” These terms are further defined as Data Controllers (DCs) and Data Processors (DPs). The GDPR applies differently in some areas to entities based upon their classification as either a DC or as a DP.
- A Controller is an entity which determines the purpose and means of processing personal data.
- A Processor is an entity which processes personal data on behalf of a controller.
What does it mean to process data? In this scope, it means:
- Obtaining, recording or holding data
- Carrying out any operation on the data, including:
  - Organization, adaptation or alteration of the data
  - Retrieval, consultation or use of the data
  - Transfer of data to other parties
  - Sorting, combining or removal of the data
The Data Protection Officer, or DPO, is a role set up by the GDPR to:
- Inform and advise the organization about the steps needed to be in compliance
- Monitor the organization’s compliance with the regulations
- Be the primary point of contact for supervisory authorities
- Be an independent, adequately resourced expert in data protection
- Report to the highest level of management, yet not be a part of the management team.
The GDPR requires a DPO to be appointed to any organization that is a public authority, or one that carries out certain types of processing activities, such as processing data relating to criminal convictions and offences.
Even if the appointment of a DPO for your organization is not deemed necessary by the GDPR, you may still elect to appoint one anyway. The DPO plays a key role in achieving and monitoring compliance, as well as following through on accountability obligations.
The Nitty Gritty
In addition to expanding the definition of personal data and granting individuals broad rights governing the use of that data, the GDPR lays down a set of principles for organizations, requiring that personal data shall be:
“a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
— GDPR, Article 5
Additionally, Article 5 (2) states:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
This last piece, known as the accountability principle, states that it is your responsibility to demonstrate compliance. To do so, you must:
- Demonstrate relevant policies.
  - Staff training, internal audits, etc.
- Maintain documentation on processing activities
- Implement policies that support the protection of data
  - Data minimisation
    - A policy that encourages analysis of what data is needed for processing and the removal of any excess data, or simply collecting only what is needed, and no more
  - A process to make data neither anonymous, nor directly identifying
    - Achieved by separating data from direct identifiers, making linkage to an identity impossible without additional data that is stored separately.
  - Demonstration that personal data is processed in a transparent manner in relation to the data subject
    - This obligation begins at data collection, and applies throughout the life cycle of processing that data
  - Allow for the evolution of security features going forward.
    - Security cannot be static when faced with a constantly evolving environment.
    - Policies must be flexible enough to protect from not just today’s and yesterday’s threats, but from tomorrow’s.
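The two policies above, data minimisation and separating data from direct identifiers, can be shown together in code. The following is an added example, not code from the original post: it tokenises each record with a keyed hash, keeps only the fields the stated purpose needs, and holds the re-identification table apart from the working dataset. The sample records, the secret key and the field names are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data for this example; the people are fictional.
SAMPLE_RECORDS = [
    {"name": "Anna Example", "email": "anna@example.eu", "phone": "+49-000",
     "country": "DE", "order_total": 42.0},
    {"name": "Ben Example", "email": "ben@example.eu", "phone": "+33-000",
     "country": "FR", "order_total": 10.5},
    {"name": "Anna Example", "email": "Anna@Example.EU", "phone": "+49-000",
     "country": "DE", "order_total": 7.0},
]
# Hypothetical secret; in practice it lives outside the analytics environment.
KEY = b"hypothetical-secret-kept-in-a-separate-store"
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def subject_token(email, key):
    """Keyed hash of the normalised e-mail: stable per person, but only
    computable by whoever holds the key, so the dataset alone cannot be re-linked."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key, purpose_fields):
    """Split records into (pseudonymised dataset, lookup table).
    purpose_fields are the only payload fields the stated purpose needs;
    everything else is dropped (data minimisation)."""
    dataset, lookup = [], {}
    for rec in records:
        token = subject_token(rec["email"], key)
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        row = {"subject_id": token}
        row.update({f: rec[f] for f in purpose_fields if f in rec})
        dataset.append(row)
    return dataset, lookup


def reidentify(row, lookup):
    """Re-link a pseudonymised row; only possible with the separately stored table."""
    return lookup.get(row["subject_id"])


def erase_subject(email, key, dataset, lookup):
    """Right to erasure: remove the subject's rows and the lookup entry, so any
    copy of the token that survives elsewhere can no longer be attributed."""
    token = subject_token(email, key)
    lookup.pop(token, None)
    return [r for r in dataset if r["subject_id"] != token]
```

The lookup table and the key are the "additional data stored separately"; an analyst with only the dataset sees country and order totals keyed by an opaque id.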
The best laid plans…
Even with adherence to these principles and the implementation of tight security policies, there is no guarantee that the data you are responsible for keeping safe will be absolutely secure. Data breaches are more or less inevitable. Being aware of this, the GDPR has provisions regarding the reporting of data breaches should (when) they happen.
A data breach is a broader term than one may think. Typically, the deliberate or accidental release of data to an outside party (say, a hacker) would be what one would consider a breach — and you would be right, it is a breach — but there is much more that can be considered a breach.
All of the following examples constitute a data breach:
- Access by an unauthorized third party
- Loss or theft of storage devices containing personal data
- Sending personal data to an incorrect recipient, whether intended or not
- Alteration of personal data without prior authorization
- Loss of availability, or corruption of personal data
Data breaches must be reported to the relevant supervisory authority within 72 hours of first detection. Should the breach be likely to result in risk to an individual, that individual must also be notified without delay. All breaches, reported or not, must be documented.
Bit off more than you can chew?
This may seem like a lot to take in, and it should be. The GDPR was designed to expand the privacy rights of all EU citizens, as well as replace the existing regulations of all member states with one, uniform set of regulations.
The good news is, as a U.S. company, you don’t have to take every step towards compliance alone.
The U.S. government, working with the EU, developed a framework to provide adequate protections for the transfer of EU personal data to the United States. This framework, called Privacy Shield, was adopted by the EU in 2016 and has passed its first annual review.
In order to participate in the Privacy Shield program, U.S. companies must:
- Self-certify compliance with the program
- Commit to process data only in accordance with the guidelines of Privacy Shield
- Be subject to the enforcement authority of either:
  - The U.S. Federal Trade Commission
  - The U.S. Department of Transportation
To learn more about Privacy Shield, visit www.privacyshield.gov
How I learned to stop worrying and love the GDPR
Getting compliant with the GDPR may seem like a huge P.I.T.A., but there are real benefits to following this path that extend beyond retaining EU contracts and avoiding hefty fines. Data privacy is a huge issue world-wide, and being compliant with one of the strictest sets of regulations will help appease clients and customers from all corners of the globe. Even if you don’t have any interaction with EU citizens or organizations, becoming GDPR compliant may still be a great idea.
Compliance forces you to evaluate your systems and processes, ensuring that they are secure and robust enough to survive in the ever-changing landscape in which data privacy resides. This transforms compliance from a tedious duty to a strong selling point.