On 25 May 2018, the GDPR, or General Data Protection Regulation, came into force in the EU (after a two-year transition period following its adoption in 2016). It was created to harmonise data privacy laws across Europe.
At a glance, the Regulation describes itself as a revitalized means of protection for personal data.
Personal data means data relating to a living individual who can be identified either from the data or from the data in conjunction with other information. Moreover, the Regulation implements new principles in relation to treatment, collection, and portability of data.
In the context of GDPR, the key characters are data controllers and data processors. A data controller is the party that determines the purpose and the means of processing personal data. The processor is the party that processes personal data on behalf of the controller.
Under the prior regime (Data Protection Directive 95/46/EC), protected personal data consisted essentially of users’ phone numbers, emails, zip codes, and purchase history. Under the new Regulation, in addition to the above, information such as content preferences, online behaviour, age, genetic markers, mental or physical health, cultural and political affiliations, economic status, and social network information is protected as well.
The territorial scope of the GDPR is larger than that of the DPD it replaces. It encompasses non-EU businesses that market their products to Europeans or monitor the behaviour of Europeans. In other words, if your business or organization is not in the EU but caters to European residents, you’re not off the hook: it’s likely that GDPR will still apply to you.
Here, we will introduce the main elements of the regulation.
A critical part of GDPR is concerning an organization’s responsibility to be transparent.
The so-called “right to be informed” includes an organization’s obligation to provide “fair processing information”, typically through a privacy notice. It emphasizes the need for transparency about how you plan to use personal data.
You must clearly state to your customers what data you wish to collect from them, how you will be handling it (i.e. protecting it), and what you intend to do with it. To satisfy the “right to be informed” and the related transparency obligation, the information you provide must be:
• Concise, transparent, intelligible and easily accessible;
• Written in clear and plain language, particularly if addressed to a child; and free of charge.
In that same vein, consent is required before a company can use or process any personal data. In the past, users opted in simply by clicking an affirmative statement of some sort.
Now, you are obligated to ask users for explicit consent. You must also let them define their preferences regarding frequency, topics covered, and so on. Furthermore, consent must be verifiable, meaning that some form of record must be kept of how and when consent was given.
Finally, individuals have the right to withdraw consent at any time.
Age of Consent
GDPR requires that organizations pay close attention to the age of their users. Individuals under the age of 16 must have parental consent, and organizations must take reasonable measures to verify that consent is actually coming from the parent or guardian.
In this case, it may be helpful to review Article 8 to learn where the lower age threshold of 13 may apply.
Moreover, the GDPR strengthens the significance of protecting children’s personal information, as used for the purposes of marketing and creating online profiles.
Data Portability
This is the ability of users to obtain their personal data for their own purposes.
As stipulated under Article 20, users also have the right to request that personal data is transmitted directly from one controller to another (when feasible). The essence here is that data must be produced and kept in a way that is compatible with other systems.
You must provide the personal data, free of charge, in a structured, commonly used and machine-readable form so that software can extract specific elements of the data.
Finally, users can also simply request that their information be deleted from the system. This is called “the right to erasure”, or “the right to be forgotten”.
Privacy by Default
The idea of building digital systems that include privacy by default (and by design) also features in the Regulation. Fundamentally, user privacy must be considered at the root of a system as it is being built or modified.
Under the GDPR, organizations have a general obligation to implement technical and organizational measures that show they have integrated data protection into their processing activities.
Privacy settings should be set to their highest level by default, allowing a user to relax them if they wish.
Organizations have to implement several measures (including pseudonymisation) that meet the principles of data protection by design and data protection by default.
Under GDPR, pseudonymisation is a recommended process for separating data from the data subject. One solution is to store a reference ID for someone’s data rather than their name.
Companies should then keep a separate database of names and their corresponding reference IDs on a totally separate system, used to make sense of the data later.
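As an added illustration of the reference-ID approach described above (example code, not from the article or from any product it mentions), the following Python splits each record into a separate identity vault and a pseudonymised data store, and also shows a machine-readable export (Article 20) and erasure; the vault key, class names and the sample record are assumptions constructed for the example.

```python
import hmac
import hashlib
import json
import secrets

DIRECT_IDENTIFIERS = ("name", "email")  # fields that must never enter the data store

class IdentityVault:
    """Separate system holding the only link between a reference ID and a person."""
    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)  # secret kept with the vault only
        self.people = {}  # ref_id -> {"name": ..., "email": ...}

    def reference_id(self, email):
        # Keyed hash: the same person always maps to the same ID, but without the
        # vault key the ID cannot be recomputed from an email address.
        digest = hmac.new(self.key, email.lower().encode(), hashlib.sha256)
        return digest.hexdigest()[:16]

class PseudonymisedStore:
    """Operational database: records keyed by reference ID, no names or emails."""
    def __init__(self):
        self.records = {}

def pseudonymise(vault, store, record):
    """Split a raw record into identity (vault) and pseudonymised data (store)."""
    ref_id = vault.reference_id(record["email"])
    vault.people[ref_id] = {k: record[k] for k in DIRECT_IDENTIFIERS}
    store.records[ref_id] = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    return ref_id

def reidentify(vault, store, ref_id):
    """Join both systems; only possible with access to the vault."""
    if ref_id not in vault.people:
        return None
    return {**vault.people[ref_id], **store.records.get(ref_id, {})}

def export_portable(vault, store, ref_id):
    """Article 20 export: structured, machine-readable JSON of the subject's data."""
    data = reidentify(vault, store, ref_id)
    return json.dumps(data, sort_keys=True) if data else None

def erase(vault, store, ref_id):
    """Right to erasure: remove the identity link and the subject's records."""
    existed = vault.people.pop(ref_id, None) is not None
    store.records.pop(ref_id, None)
    return existed
```

Note that once the vault entry is gone, nothing in the store can be tied back to a person, which is the point of keeping the two systems apart.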
With the advent of this regulation, it’s a given that controllers and processors must review all privacy notices, statements, and internal data policies to ensure compliance.
Of course, if a controller works with third-party processors (like VBOUT, for instance), they must make sure that these processors intend to respect the changes in regulation as well. On the other side, processors should look at what modifications will be required to their customer contracts.
First, GDPR requires that organizations have a suitable process in place in the event of a data breach.
The GDPR introduces a duty on all organizations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals affected.
Depending on how the breach occurred and its overall severity, you have a legal obligation to report it within a maximum of 72 hours! All organizations have to make sure that their staff understand what constitutes a data breach, and that this covers more than a loss of personal data.
It is important to note that fines have increased dramatically under GDPR. Non-compliance can result in a fine of up to 4% of the organization’s annual turnover or 20 million euros, whichever is higher!