The EU’s new General Data Protection Regulation – better known as GDPR – is now in force. Revolutionizing the data privacy landscape not just in Europe but across the world, GDPR gives individuals greater control and transparency over their personal data. For businesses, it means the bar has been significantly raised for achieving lawful processing of personal information.
The main objective of GDPR is simple enough to grasp – to give greater data protection rights to individuals across Europe. It also serves to harmonize data protection laws across all member states on the European continent.
However, it’s not just European businesses that need to be paying attention. Indeed, it doesn’t matter whether or not your organization actually resides within the EU itself. What matters is whether or not your organization does business with people or other organizations which are in the EU, or if your organization handles data that is at all concerned with EU residents.
GDPR is part of the reason why, for instance, Facebook began asking users to review privacy settings (another, of course, was the Cambridge Analytica data scandal, but that, frankly, is incidental), covering things like whether advertisers can target them based on political and religious views. Even though Facebook is a US company, GDPR affects how it operates in other countries, because its users are connected globally.
The long and the short of it is that any company with an online presence that markets its products or services over the web – no matter where in the world it is – needs to be GDPR-compliant in order to avoid the heavy fines and sanctions imposed by the Regulation.
Still confused about GDPR? Here’s our quick Q+A to get you up-to-speed on the basics.
When Did the GDPR Come into Effect?
Initially approved and adopted by the EU Parliament in April 2016, there then ensued a two-year transition period to give organizations time to adjust and update their policies and procedures. GDPR came into force on 25th May 2018, and has applied to organizations across the world since that date.
Who Is Affected by the GDPR?
GDPR applies to almost every organization. Regardless of your company’s location, if you control or process data relating to EU residents – be they customers or your own staff – you now have to do so in a way that complies with the Regulation.
Depending on your organization’s role in collecting or processing that data, the GDPR will view it as either a “data controller” or a “data processor”.
What’s the Difference Between a Data Controller and a Data Processor?
A data controller defines the terms – i.e. the how and why – of data processing. In other words, the controller determines the purposes and means of processing personal data. However, controllers don’t necessarily carry out these activities themselves. Rather, they might contract a third party to collect and process the data – essentially telling them how to do it, and for what purposes.
A data processor, on the other hand, is the third party that performs the actual data collection and processing on behalf of the controller. In practice, this means that a controller could be any organization from a small-time ecommerce retailer to a global manufacturing giant, while the processer could be the IT services firm the controller employs.
Data controllers must ensure that any data processors under their employment comply with GDPR, while processors must maintain records or their processing activities to prove they are in full compliance with the rules. If a processor breaches the Regulation, it must notify its controller immediately – though the controller still remains liable for financial penalties if their processor falls foul of the rules.
What Are the Penalties for Non-Compliance?
Huge. In fact, let’s not beat about the bush here – they are seriously huge.
Are you sitting comfortably? The penalty for infringement of articles 5, 6, 7 and 9 of GDPR is an eye-watering fine of up to €20 million or 4% of turnover – whichever is greater. The penalty for infringement of articles 8, 11, 25-39, 42 and 43 is a fine of up to €10 million or 2% of turnover – whichever is greater.
(Image source: computerweekly.com)
However, the regulation does make it clear that fines must be “proportional”, and therefore you’re unlikely to face the most severe penalties for a minor breach. Nonetheless, with such astronomical figures on the table, it’s best to play it safe and ensure your organization is up-to-date and compliant.
What Constitutes “Personal Data”?
Any information relating to an identifiable person who can be either directly or indirectly identified by reference to an identifier. Identifiers include names, identification numbers, or location data.
Online identifiers – such as IP addresses – also qualify as personal data. Other data like economic, cultural or mental health information are also considered to be personally-identifiable information. Even pseudonymous personal data may also be subject to GDPR rules, depending on how easy it is to identify whose data it is.
How Do Organizations Get Consent Under GDPR?
Data can still be collected and processed under GDPR, but explicit consent must be obtained from the data subject (i.e. the individual whom the data concerns) in order to do so.
Consent must be given as an active, affirmative action by the data subject, as opposed to the “passive acceptance” under some data collection models that previously allowed for pre-ticked boxes or opt-outs. To use the words of the legislation, consent must be “freely given, specific, informed, and unambiguous” and be signified “by a statement or by a clear affirmative action”.
However, an “affirmative action” can include ticking a box to express consent. Essentially, it’s the action that makes the difference – unless users take a specific action to opt-in to having their data collected and processed, it must be assumed that they have opted out.
The following infographic from foiman.com illustrates consent requirements under the new Regulation clearly.
(Image source: foiman.com)
What’s the “Right to Be Forgotten?”
Data subjects retain the right to withdraw consent at any time, with the caveat that it should be as easy to withdraw consent as it is to give it. They don’t need to give a reason to withdraw their consent – if an individual no longer wants his/her data collected and processed, that is their right under GDPR.
What’s more, the Regulation makes it clear that data subjects can have their data deleted at any time. It is the responsibility of the data controller to tell other organizations that an individual is exercising his/her right to be forgotten, and that all copies of their data – and any links to it – must be deleted.
What About Data Breaches?
GDPR defines a data breach as a “breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.”
Under the Regulation, organizations have 72 hours to notify their local DPA (Data Protection Authority) that a breach has occurred. Data controllers are required to report breaches to the authority themselves, while data processors must report them to their controllers.
Over to You
GDPR has been in force for some months now, so if you have missed the deadline for compliance, it’s imperative that your organization acts quickly. In fact, your current data collection processes need to be looked at as an immediate priority so that your company doesn’t risk non-compliance penalties.
None of this is optional, and companies all over the globe – especially those with a strong online presence – need to be changing practices now, and not waiting to become headline-fodder at some point down the road.