With the recent news on Cambridge Analytica and calls to #deleteFacebook, protecting people’s rights and freedoms in relation to their personal data and privacy is vital if companies want to retain consumer trust. If you’re doing business in the EU, whether you’re based in the European Union or not, you would have already heard about the looming GDPR deadline by now (50 days left!). If you haven’t already, you need to start with GDPR compliance today!
This road has many steps and each of them is equally important. But, don’t worry, we are here to guide you. As there is not one compliance approach that fits everyone, this guide helps you to better understand what the GDPR is and the core activities you will have to deal with. From this guide, you will then be able to tailor and implement these changes according to your company organization and business structure.
This post is the introduction to the GDPR in a series of seven posts:
- Understanding your responsibilities and obligations
- Six principles of processing personal data
- Data protection by design and default
- Data subject rights
- Data protection impact assessment and security measures for processing data
- Transfers of personal data to third countries
- Training your employees
Should you panic?
We said 50 days, and 50 days is a real short time-frame.
No you should not panic. Though you should take this seriously. Even if you are already on a GDPR journey, it will not end in 50 days. And if you are not, there are simple steps you can take to limit your exposure and liability. The EU regulators are not mad. Each country’s regulatory agency is not going to crack down on all websites on the 26th of May. Don’t expect black helicopters. This is a positive thing. More on that later.
What does the GDPR mean for businesses?
EU Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46 EC and it is coming into force on May 25th 2018. The aim of the GDPR is to protect EU citizens from privacy and data breaches.
The GDPR brings significant changes:
- Territorial scope has increased: The GDPR now applies to all companies and organizations processing the personal data of people residing in the Union, regardless of the company’s location
- Fines are significantly higher: €10,000,000 or, in case of an undertaking, 2% total worldwide annual turnover in the preceding financial year (whichever is greater) or €20,000,000 or, in case of an undertaking, 4% total worldwide annual turnover in the preceding financial year (whichever is higher)
- Conditions for consent have been expanded, as well as people’s rights (right to access, right to be forgotten)
- Privacy by design and by default became an important part of Regulation, as well as the appointment of a Data protection Officer (see Article 37)
We know, the terminology can be bewildering. “Undertaking” here means parent companies and subsidiaries. So not just the company operating a service but whatever the EU will consider to be the “global entity”. Hiding behind a Double Irish Sandwich with Dutch dressing – meaning creating a complex corporate structure to avoid taxes and liabilities like many large companies do – will no longer work.
Defining and Processing Personal Data
Before we discuss the various steps, it is important to understand what private data is, how you process and store it, for how long you need to retain it, and for what purposes.
The Regulation defines Personal Data as follows:
“Any information relating to an identified or identifiable natural person (‘data subject’) as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
GDPR also refers to special categories of data such as:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data for the purpose of uniquely identifying a natural person
- data concerning health
- data concerning a natural person's sex life or sexual orientation
The Regulation sees protecting personal data as a fundamental right and therefore sensitive types of data like the above should not be processed except under special conditions (Article 9 GDPR.) There is a paradigm shift where personal data is owned by the individual and the key objectives of the Regulation, as Troy Hunt said, it is to give citizens and residents back control of their personal data.
The EU doesn’t give companies a lot of wriggle room here. If a piece of information gives you a handle on a specific individual, this is “subject data”; an IP, a browser fingerprint, a photo. There is a lot of legalese but the GDPR is written so it covers future technologies, so don’t think that there is a “closed list” of items under the GDPR. If it is data that allows you to identify someone or that pertains to a potentially identifiable person, it is in scope.
Now that we have defined personal data, we will now discuss how GDPR impacts how you process, retain, and store data, i.e. its territorial and material scope.
The material scope of the GDPR applies to all personal data “that are processed wholly or partly by automated means and data which form part of a filing system or are intended to form part of a filing system.”
Out of the material scope are personal data:
- used in the course of an activity which falls outside the scope of EU law
- used in border checks, asylum, and immigration status
- used by a person for non-commercial and/or non-professional purposes
- used by authorities for the purposes of crime prevention, investigation, etc.
The territorial scope of the Regulation applies to all companies who process personal data of people who are in the EU regardless of their citizenship and where the processing takes place. Companies and organizations who are not in EU must still comply to the GDPR if they handle personal data as part of business transactions for goods/services in the EU or if they monitor the behavior of individuals within the EU.
The GDPR gives EU residents (and by extension a big chunk of the world’s population) new rights and it will take some time until the dust settles, the courts have not ruled on a single case. It may very possibly be a gamechanger for anyone having any digital presence (and who doesn’t?). So you both want, now, to be sure you are reducing your short-term risks and know what your exposure will be in 50 days... but also you will want to start integrating this to your longer term plans. This is an opportunity.
By our own culture Platform.sh was always privacy-minded. Part of our mission and our ambition is to level the playing field between actors such as Amazon, Facebook or Google and, well, anyone that is not Amazon, Facebook and Google. In a world where these are potentially competitors to just about anyone doing anything, from grocery stores to film studios, from charities to newspapers, being privacy-first can be a huge advantage.
Preparing for the GDPR can seem complicated when you don’t know where to start, which is why we created this guide. Check back for our next segment where we will talk about the different roles and responsibilities for people affected by the GDPR.