Technological advancement has a downside: the lack of privacy. Every time we go online – whether to open an account, participate in a survey, download a resource, or do just about anything else – businesses collect data about us. More often than we would like, this data makes its way to other companies: advertisers, data analytics groups, and so on. As users of the Internet we may not like companies collecting data on us, but short of staying away from the internet completely (which is near-impossible), it’s the reality of living in a digital world!
On May 25th, 2018, however, when the European Union’s General Data Protection Regulation (GDPR) comes into effect, the world will take a giant step towards enforcing more stringent, water-tight privacy and data protection laws. A flagship piece of legislation, it will pave the way for better data protection practices by putting data protection at the forefront of business agendas worldwide and establishing one single set of data protection rules across the European Union. While the law will impact EU-based businesses, no organization that operates globally or collects data from a European citizen will stay unaffected either. Compliance is mandatory, and the penalties are severe. Therefore, it is essential that businesses start taking the appropriate steps to get GDPR-ready sooner rather than later.
The first step towards compliance is understanding the law itself. So let’s begin by taking a closer look at the highlights of this soon-to-be-enforced law.
GDPR Replaces the Current Data Protection Directive
It took the European Union (EU) four years of intense debate and deliberation to replace the two-decade-old legislation, the Data Protection Directive 95/46/EC. The current legislation was open to interpretation by individual countries in the EU, so each member state operating under the 1995 data protection regulation had its own national laws regarding data protection. GDPR will end that. Designed to protect the personal data and privacy of EU citizens for transactions within the 28 EU member states, the GDPR will also regulate the export of personal data outside the EU. This calls for all organizations that operate outside the EU but market their products to European citizens, or monitor the behavior of people in the EU, to be GDPR-ready by the end of May 2018. In other words, if you collect or plan to collect data from individuals in Europe (regardless of your business location), you’ll have to “implement appropriate technical and organizational measures” to become compliant before May 25th.
Main Elements of GDPR
The GDPR itself contains 11 chapters and 99 articles in total. It specifies the principles regarding personal data processing, the lawfulness of personal data processing, and the conditions for consent regarding personal data processing (including the consent of children). It also sets down conditions for the processing of special categories of personal data (sensitive data, genetic data, and biometric data) and the processing of personal data relating to criminal convictions and offenses. If you want details on the topics covered in each chapter, you can visit the official GDPR site. However, as a useful summary, here are some of the key elements of this law that we have sourced from the official PDF of the General Data Protection Regulation:
Consent: GDPR brings consent closer to genuine consent. It must be “freely given,” and organizations must be able to clearly show how and when they obtained this consent.
Right to be informed: When an organization requests data from an individual, it must provide, clearly and free of charge, information regarding its identity, contact details, the purpose for which it is collecting the data, how the information will be used, how long the data will be stored, and whether the data will be transferred internationally.
Right of access: This gives individuals (data subjects) the ability to request and access information from an organization about how their data is being processed. If they request details, the organization must be able to provide a copy of the information free of charge within one month. However, the organization can charge a ‘reasonable fee’ if a request is found to be unfounded, excessive, or repetitive.
Right to rectification: If an individual demands that inaccurate information collected from them be corrected by an organization, the latter has to comply without delay.
Right to erasure: If an individual withdraws consent, they can tell the company to stop using their personal data once they close their accounts. This is an extension of the “right to be forgotten” that existed earlier. If the data is no longer required for the reasons for which it was collected, the company will need to erase it. There are extra requirements when the request for erasure relates to children’s personal data. The law does list some conditions when some organizations can keep data for a longer period. In addition, GDPR makes exceptions for instances where the data is being processed to serve the public interest.
Right to restrict processing: Individuals have a right to ‘block’ or suppress processing of personal data if they think it is inaccurate or has been procured unlawfully. The organization is bound to verify the accuracy of the data or restrict usage as required. Also, the organization has to inform the individual once the restriction on the processing is lifted.
Right to data portability: This allows an individual to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
Right to object: If an individual asks whether their data is being processed in the public interest or for other “legitimate” interests, the organization will have to demonstrate compelling grounds for processing in the name of these interests. This section also gives individuals the right to restrict the processing of their data for direct marketing.
Controller and Processor: GDPR defines their roles and responsibilities in detail. It considers the controller the principal party for responsibilities such as collecting consent for gathering or storing an individual’s data, managing consent revocation, enabling the right of access, etc. The processor, on the other hand, can be a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Both controller and processor must keep detailed records of their data processing, and provide them to the “supervisory authority” upon request. The GDPR also lays down conditions on how contractual relationships between controllers and processors must be constructed to ensure compliance.
Data Protection Officer (DPO): In some cases, an organization may need to appoint a Data Protection Officer who will advise the controller or processor and data processing employees on GDPR requirements, train staff in privacy practice, monitor compliance in processing operations, and more.
Notification of a data breach: Organizations have to report any security breach “leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.” If there is a personal data breach, the company must notify the appropriate supervisory authority within 72 hours of becoming aware of it.
Fines and Penalties: GDPR gives individuals better control over their personal data. It will also levy harsh penalties on any business that flouts its data privacy regulations. In fact, one of the biggest and most talked-about elements of the GDPR is the penalties involved in non-compliance and violation. Let’s discuss them in detail.
GDPR Fines and Penalties
These are much larger than the penalties levied now. Under the GDPR, if an organization doesn't process an individual's data in the correct way, it can be fined. If it is required to have a Data Protection Officer but doesn't have one, it can be fined. If there's a security breach, it can be fined. However, the regulators do mention that they will be more lenient with companies that have shown an awareness of the GDPR and tried to implement it, compared to those that haven’t made an effort at all.
A company that is found to be non-compliant or violating its record-keeping, security, breach notification, and privacy impact assessment obligations will be fined €10 million or 2% of its global gross turnover, whichever is greater.
A company that violates obligations related to the legal justification for processing, lack of consent, data subject rights and cross-border data transfers will have to shell out double, in the form of €20 million or 4% of its total global gross turnover.
In other words, the days of flouting local privacy laws and shrugging off smaller fines are over! It will be vital that companies take appropriate technical and organizational measures to detect, handle and report a violation.
How to Prepare Your Business for GDPR
At WSI, we’ve made available a simple checklist of the 12 steps you need to take to get your organization ready for GDPR compliance. This checklist has been sourced from the ICO’s (Information Commissioner’s Office) guide on Preparing for the General Data Protection Regulation.
In this checklist, we take you from the first step of making the key people in your company aware of the new law, its main features, and the impact it’s going to have. We also recommend other steps that your business has to consider like appropriately documenting data, reviewing and updating your current data collection procedures, and reviewing how you seek, record and manage consent.
When implemented, GDPR will have a varying impact on businesses and organizations. Some companies (though not all) may need the services of a Data Protection Officer (DPO) who will act as a focal point for ongoing data protection activities for their company. The DPO will influence senior decision-making, act as the point of contact for regulators, maintain adequate privacy awareness in the organization, monitor compliance with GDPR, and improve privacy and data protection.
Companies must hire a DPO if they do any of the following:
- Employ over 250 people
- Process or store large amounts of EU citizen personal data
- Process or store special personal data
- Regularly monitor data subjects
- Are a public authority
The GDPR will affect organizations in many ways, beyond data security and policies. Businesses that will be impacted must seek help or legal counsel if required. At the very least, they need a clear plan of action that includes training on GDPR, revisiting their data flows and processing mechanisms, reviewing their privacy practices and policies, the way they leverage third-party data, and more. To get started on becoming GDPR-ready, we invite you to download our “12-Point Checklist to Help Prepare Your Organisation for GDPR” by clicking here.
Disclaimer: Please note that in this blog, we have provided basic information regarding the GDPR. WSI is not a legal authority for GDPR and can only offer advice on the best practices to follow while carrying out any digital marketing initiative. However, for advice regarding the legal interpretation of this law for your business, please approach a legal or data protection official.