The General Data Protection Regulation (GDPR)

So just what is GDPR, exactly? Among many things, it is likely a topical new acronym if you are a business owner, work in IT or marketing, or handle customer or employee data at all. The General Data Protection Regulation (GDPR) is European Union legislation that came into effect on 25 May 2018, and now governs how businesses are able to gather, process, store and share the personal data of any European citizen.

The legislation is intended to bring data protection rules in Europe up to date with the strides in technology and the drastically different ways businesses leverage customer and other data today. It is designed to give private individuals more power and control over when, where and how their personal data is used by companies, and to create a set of unified rules with which organizations (yours included, if you operate globally) must comply. And there are real ‘teeth’ to this legislation. Failure to comply can result in fines equivalent to 4% of global revenue from the preceding fiscal year, or €20 million — whichever is greater!

Does GDPR Affect My Business?

While it was crafted in Europe, this new legislation represents a significant shake-up to data protection laws that companies and employees around the world need to be aware of. GDPR not only has an immediate effect on companies registered within the EU, but also on any company which handles personal data collected in the EU. Importantly, the legislation applies when personal data is obtained from ANY individual who is located within an EU member state at the time of collection.

Even if your organization is a Software-as-a-Service (SaaS) business, all personal data collected within the EU must be protected in accordance with the GDPR, regardless of whether your customer or contact ‘opted in’ to the collection of that data, and regardless of where your servers are located. There are additional stipulations if you transmit or store the data outside the EU.

Given the severity of the fines, it is not wise to be noncompliant. And thinking that “We don’t do business in Europe anyway, so why worry?” is being near-sighted. In addition to the mobility of contacts today, this legislation is setting precedents that are already being followed in other jurisdictions (more on that later in this issue of Q).

What Do I Need to Know Next?

The next impacts of GDPR relate to how you and your company will be classified under the new laws. Two key terms have been introduced — a data “Controller” and a data “Processor”. Any individual or firm that decides how and to what end personal data is collected and processed is considered a data Controller. Any individual or firm that does not control how or why personal data is collected, but DOES work with personal data on behalf of another individual or organization is considered to be a data Processor. An example of the latter would be an organization that operates as part of a supply chain or is partnered with another organization which performs the tasks of a data Controller.

What Does This Mean?

Data Controllers are required to keep specific records of all personal data that is collected and processed, and ensure that, among other rights, customers are provided prompt and straightforward access to any of their stored data. These responsibilities remain ‘upstream’, so to speak, in that a Controller is not relieved of any obligations in cases where a separate data Processor is handling the data. Translation — third-party liability is a concern when partners are processing customer or personal data.

What Data Qualifies as “Personal”?

Under GDPR, “personal data” is defined as any piece of information that is associated with, or can be linked to, an identifiable person. This can include, but is not limited to:

  • Name
  • Email address
  • IP address
  • Username
  • Location data
  • Payment information
  • Photo
  • Video
  • Medical data
  • Other

Simply put, if a data record can be used to identify someone then all data associated with that record is considered personal data.

We Handle a Lot of Customer Data — What are the Implications for Us?

If this is true of your organization, you need to develop a comprehensive data management policy that documents specifically how all that data will be handled, especially when dealing with partners or supply chains. Some large organizations will need to appoint a Data Protection Officer to provide oversight and accountability for the necessary processes.

This will be particularly important if your organization conducts data processing operations as described in Articles 9 and 10 of the GDPR. These activities now require regular and systematic monitoring of all data subjects (end users). And any time a security breach having potential privacy implications is detected, it is now mandatory that relevant regulatory authorities and all individuals affected be notified within 72 hours.

What is the Objective of All this New Oversight?

Fundamentally, the GDPR is designed to increase the data privacy rights of EU citizens. It provides significant new protections against organizations using any personal data in unwanted ways. One of the individual benefits is the requirement for companies to now state clearly the terms and conditions under which they intend to use all personal data. No longer will the company be able to consider a hurried ‘click’ on a 75-page Terms and Conditions web document as an indication of customer consent to all the fine print it includes. Companies are now allowed just a single page to express their data usage intent clearly.

Other key Rights provided for under the GDPR include:

  • The Right to be Informed – individuals are entitled to full disclosure regarding how each company will use their personal data.
  • The Right of Access – individuals are entitled to unfettered access to any personal data that is being captured and processed, as well as any supplementary information.
  • The Right to Rectification – individuals are entitled to have personal data updated whenever inaccurate or incomplete.
  • The Right to Erasure – also known as the “right to be forgotten”, individuals can request that all personal data be deleted from all company databases when there is no reason for its continued processing.
  • The Right to Restrict Processing – individuals may block or suppress the processing of their data as desired.
  • The Right to Data Portability – individuals may obtain any personal data that has been captured and reuse it for their own purposes across different service providers (e.g., they can change banks and ask the current institution to simply transfer all existing personal data over to the new one).
  • The Right to Object – individuals are able to contest any automated processing of data that is inconsistent with their personal and legitimate interests (e.g., performing public service tasks).

What Should I do Next?

Information security is a business necessity. GDPR and future legislation will demand tighter controls and policies to remain compliant. Some will require disciplined education or increased awareness of the risks for staff across an organization. It is incumbent on each company to ensure they remain current with the evolving rules of play in each of their markets.

Some immediate steps for companies to take include rethinking exactly what data they really need to collect from customers, and presenting to those customers in simple terms what they intend to do with that data. Companies also need to start keeping records, separate and apart from any standard Terms and Conditions, that prove each current and new user gave consent to the use of their data.

Gaining a more complete understanding of the individual Rights listed above will point to other next steps, and there is now a wealth of information available on the Internet. Most companies should be well down this education and deployment path by now, but if not, do not wait any longer. As noted earlier, the penalties for non-compliance are NOT trivial …