With the recent news on Cambridge Analytica and calls to #deleteFacebook, protecting people’s rights and freedoms in relation to their personal data and privacy is vital if companies want to retain consumer trust. If you’re doing business in the EU, whether you’re based in the European Union or not, you have probably already heard about the looming GDPR deadline by now (50 days left!). If you haven’t already, you need to start on GDPR compliance today!
This road has many steps, and each of them is equally important. But don’t worry, we are here to guide you. As there is no single compliance approach that fits everyone, this guide helps you to better understand what the GDPR is and the core activities you will have to deal with. From this guide, you will then be able to tailor and implement these changes according to your company’s organization and business structure.
This post is the introduction to the GDPR in a series of seven posts:
We said 50 days, and 50 days is a real short time-frame.
No, you should not panic. You should, however, take this seriously. Even if you are already on a GDPR journey, it will not end in 50 days. And if you are not, there are simple steps you can take to limit your exposure and liability. The EU regulators are not mad. Each country’s regulatory agency is not going to crack down on all websites on the 26th of May. Don’t expect black helicopters. This is a positive thing. More on that later.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and it is coming into force on May 25th 2018. The aim of the GDPR is to protect EU citizens from privacy and data breaches.
The GDPR brings significant changes:
We know, the terminology can be bewildering. “Undertaking” here means parent companies and subsidiaries. So not just the company operating a service but whatever the EU will consider to be the “global entity”. Hiding behind a Double Irish Sandwich with Dutch dressing – meaning creating a complex corporate structure to avoid taxes and liabilities like many large companies do – will no longer work.
Before we discuss the various steps, it is important to understand what personal data is, how you process and store it, for how long you need to retain it, and for what purposes.
The Regulation defines Personal Data as follows:
“Any information relating to an identified or identifiable natural person (‘data subject’), such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
GDPR also refers to special categories of data such as:
The Regulation sees protecting personal data as a fundamental right, and therefore sensitive types of data like the above should not be processed except under special conditions (Article 9 GDPR). There is a paradigm shift: personal data is owned by the individual, and the key objective of the Regulation, as Troy Hunt put it, is to give citizens and residents back control of their personal data.
The EU doesn’t give companies a lot of wriggle room here. If a piece of information gives you a handle on a specific individual, this is “subject data”: an IP address, a browser fingerprint, a photo. There is a lot of legalese, but the GDPR is written so that it covers future technologies, so don’t think that there is a “closed list” of items under the GDPR. If it is data that allows you to identify someone, or that pertains to a potentially identifiable person, it is in scope.
Now that we have defined personal data, we will discuss how the GDPR impacts how you process, retain, and store data, i.e. its territorial and material scope.
The material scope of the GDPR applies to all personal data “that are processed wholly or partly by automated means and data which form part of a filing system or are intended to form part of a filing system.”
Out of the material scope are personal data:
The territorial scope of the Regulation covers all companies who process personal data of people who are in the EU, regardless of their citizenship and of where the processing takes place. Companies and organizations that are not in the EU must still comply with the GDPR if they handle personal data as part of business transactions for goods or services in the EU, or if they monitor the behavior of individuals within the EU.
The GDPR gives EU residents (and by extension a big chunk of the world’s population) new rights, and it will take some time until the dust settles; the courts have not yet ruled on a single case. It may very well be a game changer for anyone with any digital presence (and who doesn’t have one?). So you want, right now, to be sure you are reducing your short-term risks and to know what your exposure will be in 50 days, but you will also want to start integrating this into your longer-term plans. This is an opportunity.
By its very culture, Platform.sh has always been privacy-minded. Part of our mission and our ambition is to level the playing field between actors such as Amazon, Facebook or Google and, well, anyone that is not Amazon, Facebook or Google. In a world where these are potential competitors to just about anyone doing anything, from grocery stores to film studios, from charities to newspapers, being privacy-first can be a huge advantage.
Preparing for the GDPR can seem complicated when you don’t know where to start, which is why we created this guide. Check back for our next segment, where we will talk about the different roles and responsibilities of the people affected by the GDPR.