What is the GDPR?
GDPR is an EU law with mandatory rules for how organisations and companies must use personal data in an integrity friendly way. Personal data means any information which, directly or indirectly, could identify a living person. Name, phone number, and address are schoolbook examples of personal data. Interests, information about past purchases, health, and online behaviour is also considered personal data as it could identify a person.
Processing data means collecting, structuring, organizing, using, storing, sharing, disclosing, erasing and destruction of data. Each organization that processes personal data (which is every organization with employees and customers) must ensure that the personal data it uses fulfils the requirements of the GDPR. In a nutshell, the main requirements of the GDPR are as follows:
- New to the GDPR: Same law throughout Europe. The GDPR applies in all EU Member states, which makes it easier for both businesses and citizens.
- Use personal data must in line with integrity friendly principles. For example, processing must have a defined purpose. Thus, you cannot collect personal information “just in case” you might need it later. Be honest, open and transparent about how you use data. That is to say, individuals have a right to know how their data is being used, and they must have a say in this matter. Organisations must only store personal data as long as it is necessary. Additionally, the processing must be safe and secure. Organisations must have and maintain the proper documentation that shows that they comply with the regulations.
- Use of personal data must be legal. The GDPR sets out six alternatives to the legal basis (for example consent or contract). If your processing is not based on any of those, it is not lawful. It might be necessary to process personal data for the performance of a contract. It could also be necessary to use personal data to prevent fraud and perform marketing.
- Use of personal data must be respectful to the individuals’ rights. The GDPR provides each person with certain rights of their personal data. They have the right to gain access to their personal data. They have a right to know how an organization is using the data, to object to the processing, etc.
- New to the GDPR: Personal data breaches must be reported within 72 hours. If personal data is disclosed, accessed, changed or stolen you are responsible to act. This even if the breach happened at one of your suppliers. If you can determine that no personal data was risked then it is probably not an event that must be reported. In the event of loss of sensitive data, such as health or financial data, the incident must be reported to the authority and each affected individual within 72 hours.
- New to the GDPR: Businesses are responsible for their suppliers. The new law introduces obligations on the controller to contractually regulate that its suppliers follow the data protection obligations. If the supplier should put data at risk the controller will be responsible.
- New to the GDPR: The size of the sanctions are significant. Organisations that violate the law may face sanctions of up to the higher amount of 4% of their global sales (the last 12 months) or € 20 million.
Why the need for the GDPR?
Personal data is valuable; there are no two ways about it. Data makes it possible to develop business models, gain an understanding of its customers, conduct effective marketing campaigns and develop its products and services. But just as for many other assets, there is a need for responsible use based on common rules. The last few years we have seen headlines of personal data breaches and scandals from Facebook, eBay, Equifax and Uber. Hundreds of millions of individuals’ personal information (social security numbers, addresses, credit scores, etc.) were compromised. The GDPR not only clearly states that an individual’s personal data belongs to the individual; it also threatens to impose substantial fines for companies not following the rules. In Europe, privacy and data protection are considered vital components for a sustainable democracy. The GDPR is designed to safeguard these prerequisites and is an upgrade of the past EU data protection directive.
The main practical implications
The summary of the GDPR is that the law establishes obligations for businesses and provides rights for citizens. Businesses are wise to update or establish their data protection compliance programme. Here are some examples of to-dos:
- Inform citizens and customers of your activities in a transparent manner. The individuals whose personal data you process (data subjects) must be informed of your processing. To this end, organisations use Privacy Notices and various Privacy Policies on websites, as part of service agreements etc.
- Assign a Data Protection Officer (DPO) to your organisation who should work as the main operator and the expert on your organisations’ privacy work. The DPO should be reported to the responsible data protection authority in the country your organisation is established. The rules regarding DPO is stated in article 37-39 GDPR.
- Manage the citizens’ and individuals’ rights efficiently. If a data subject contacts you to exercise their rights under the GDPR, which are many, you must be able to act quickly. The data subject has the right to access its personal data and receive a record of the data you hold, to have the data corrected in case of errors, to have the data deleted if certain criteria are met, to have its data exported under certain circumstances and is entitled to object or restrict certain use cases of its personal data. There are time limits to be met when managing these requests.
- Regulate the responsibility between Buyer (Controller) and Supplier (Processor). If you are a company which has hired another company to process data on your behalf (such as an IT company providing you with access to their cloud services), you are the “Controller” of the personal data. The hired company will be the “Processor”. For this business relationship, you need a Data Processing Agreement (“DPA”) in addition to the main agreement. A DPA sets out rules for how the Processor may use personal data to fulfil the purpose of the commercial agreement.
- Keep a data inventory. Each Controller and each Processor must keep a record of information on the use of data. The rules for the record of processing are specified in article 30 GDPR.
- Set up processes to manage personal data breach within a 72-hour time frame. If your business is subject to a data breach, you must take steps to minimize the risks. In some cases, you must also contact your supervisory authority and the individuals. A breach could be loss, destruction or unauthorized access to personal data.
- Analyze possible risks and impacts on citizens’ rights for the intended use of personal data. Businesses must make a risk assessment if they will use personal data in a new and innovative way, changing cloud suppliers or creating new services. If your intended use of personal data may be considered as risky, with regards to the sensitivity of the data, the scale of processing, etc., you must review the processing and assess the impacts it may have on data subjects. This process is called a Data Protection Impact Assessment (“DPIA”) and is set out in Article 35 GDPR.
This summary of the GDPR is an introduction to how data protection works in Europe. Read our other articles that present key concepts and phrases.