If you’re a business with even a single customer in the European Union, or a not-for-profit with supporters there, it’s vital you know about the GDPR. It doesn’t matter whether your organization is actually located in France or Florida, so long as you’re interacting with someone located in the EU.
If you violate the GDPR, you could be fined up to 4% of your annual global revenue, or up to €20 million, whichever is higher. These laws fundamentally change how all organizations, from small operations to massive enterprises like Google, do business inside and with the EU.
If you’re an EU citizen, these new laws are designed to put you in the driver’s seat. So it’s important that you know what your new rights are, and what entitlements organizations now have to provide you with.
In this article, we cover exactly what the GDPR is, how it will affect your interactions with EU citizens, and how you can go about complying with these new regulations.
GDPR: A Summary
These days, a lot of personal information is shared across the internet. In the act of sending e-mails, paying bills, buying goods, sending details, and even making social media posts, a lot of customer details are being shared.
These details are often stored, especially by companies interested in big data. Often, this is done to give customers more targeted and relevant communications and a better customer experience. To this end, companies may even share customer information with other companies, as Google and Facebook do.
But the reasons for this are not always altruistic, and the laws written to prevent customer data from being abused in the EU were written in 1998 – before the meteoric rise of the Internet and Cloud technology. The data landscape was different back then, and businesses now use it in completely different ways.
The General Data Protection Regulation, or GDPR, is a new European Union privacy regulation designed to address this very problem. It will permanently change the way organizations collect, store, and use customer data.
The goals of the GDPR can be summarized as follows:
- To give people more say in what companies do with their personal data, even if it is exported out of the EU.
- To make data protection rules more or less identical throughout the EU.
- To give businesses a simpler, clearer legal environment, which the EU claims will save businesses a collective €2.3 billion a year.
- To enforce tougher fines for non-compliance and breaches.
Who Has To Comply With The GDPR?
You have to comply with the GDPR if you meet any one of the following criteria:
- You are an organization that offers goods or services to EU citizens or residents.
- You are an organization that monitors the behavior of EU citizens or residents.
This applies to all organizations processing and holding the personal data of citizens or residents, regardless of your company’s location.
The GDPR separates anyone who handles customer data into two types: data controllers and data processors.
- You are a data controller if you are an organization that collects personal data from EU residents.
- You are a data processor if you are an organization that processes data on behalf of a data controller (e.g. a cloud service provider).
What Counts as Personal Data?
Personal data is any information related to a person that can be used to directly or indirectly identify that person. This can be a name, a photo, an e-mail address, bank details, posts on social networking sites, medical information, or an IP address.
The definition of personal data under the GDPR is very broad. If you have customers or supporters in the EU, chances are you hold some form of contact details for them, even if it’s just an IP address. Under the GDPR, this means you also have a means of identifying them.
What Are The GDPR Implications On My Business?
If you meet the criteria mentioned above for compliance, here’s what you’ve got to provide EU citizens and residents:
The Right to Access
All EU individuals have the right to access their personal data, and to ask how their data is used after it is gathered. As a company, you must provide a copy of all their personal data, free of charge and in an electronic format if requested.
This data must be concise, easily accessible, and easy to understand. It must use clear language and, where appropriate, use visualization. If it regards a child, it must be written in language a child can understand.
Your records of data processing (whenever you’ve used this data) must also be maintained. You’ve got to record the purposes for which you processed this data, and these records must be available to supervisory authorities on request.
The Right To Be Forgotten / The Right to Erasure
If consumers are no longer customers, or they withdraw their consent from your company to use their personal data, they have the right to have this data deleted. This is known as the Right to Be Forgotten – and also applies to people who don’t want to be stigmatized due to an action performed in the past.
The Right to Data Portability
You must provide individuals with the ability to transfer their data from one service provider to another. This must be done in a commonly used and machine readable format. You cannot prevent them from transferring this data.
The Right to Have Information Corrected
You must provide individuals with the ability to update their personal data to make sure it’s not out-of-date, incomplete, or incorrect.
The Right To Be Informed
Consumers have to opt in for their data to be gathered, and consent must be freely given rather than implied. This covers ANY gathering of personal data by companies, and individuals must be informed before this takes place.
The Right to Restrict Processing
Individuals can request that you don’t use their data for processing. Their record can remain in place, but not be used at all.
You will be required to do this if:
- The individual contests the accuracy of the personal data: you must restrict processing until it has been verified as accurate.
- The individual objects to the processing, and you are considering whether your legitimate grounds for processing override those of the individual.
- The processing is unlawful, but the individual opposes erasure and requests restriction instead.
- You no longer need the data, but the individual requires it to establish, exercise, or defend a legal claim.
You must inform individuals when you decide to lift a restriction on processing.
The Right to Object
This includes the right of individuals to stop the processing of their data for direct marketing. There are no exemptions to this rule. Processing must stop the moment the request is received. In addition, this right must be made clear to individuals at the very start of any communication.
The Right To Be Notified
If there has been a data breach which compromises an individual’s personal data, they have the right to be informed within 72 hours of you first becoming aware of the breach. It is worth noting that the fines for failing to comply with this right are very severe.
You must also report this data breach to the Supervisory Authority within 72 hours. Data processors also have to inform data controllers without undue delay when a personal data breach occurs. This means your cloud provider has to inform you immediately if your customers’ data has been compromised.
The Right to Security of Processing
You must provide “confidentiality, integrity, availability, and resilience” for people’s data and the systems which store this data. You must have a disaster recovery plan, and any data must be encrypted, both at rest and in transit.
On top of this, you must demonstrate “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident”.
In Practical Application…
The rules for obtaining consent are very strict, and individuals can withdraw this consent at any time. There is also a presumption that separate consents must be obtained for different processing activities.
In short: you must prove that you got consent to use their data for a certain action. If they agreed to receiving a newsletter, you must be able to explicitly prove they actively and conscientiously agreed to this. This can’t be an already ticked box, or an opt-out clause. And if they agreed to receive a newsletter, you can’t use that then to send them letters about upcoming events.
There must also be double opt-in. If someone signs up for marketing communications, you must confirm this opt-in with something like a follow-up e-mail. Any data that proves this consent must be time-stamped to leave an audit trail.
You can no longer use long, illegible terms and conditions full of legalese to ask for consent. Consent must be requested in an intelligible and easily accessible form, meaning it must be unambiguous. For sensitive personal data, nothing short of “opt in” will suffice. In some contexts with non-sensitive data, “unambiguous” consent will suffice.
If you purchase marketing lists, you are still responsible for getting the proper consent information, even if you didn’t gather it.
Another example is taking people’s business cards at a B2B trade show. You can no longer go back to your office and sign them up to a company mailing list. This has immense ramifications for businesses of all types, and how they engage in data management in the future.
If you are a business, you must also have a disaster recovery plan, the ability to bounce back quickly from a physical or technical incident, and encryption of your customers’ data.
What Are The Penalties For Not Complying With GDPR?
Very, very harsh. The following sanctions can be imposed on you if you break the GDPR, regardless of whether you’re located in the EU or not:
- A warning in writing in cases of first AND non-intentional non-compliance
- Regular periodic data protection audits. Keep in mind that if your data is not kept in the proper format, this is also breaking the GDPR.
- A fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraph 4)
- A fine up to 20,000,000 EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraph 5 & 6)
When Does It Start?
The GDPR will be enforced from the 25th May 2018. Since it was approved by the EU parliament in 2016, it doesn’t require approval from any national governments in order to be implemented.
If I Trade With The UK, Does The GDPR Affect Me?
Even though the UK has voted to leave the EU (‘Brexit’), GDPR will apply to those trading with UK citizens. The reason for this is that the GDPR will go into effect before the UK government leaves the EU.
Also, the UK government has indicated it will implement an equivalent or alternative legal mechanism to GDPR. Since the UK has provided support for the GDPR in the past, it is widely expected that this will continue in the future in the same or similar form.
How Do I Go About Implementing GDPR Practices?
The GDPR legislation is designed around the concept of ‘Privacy By Design’. In short, this means your company needs to examine the data you have, and how you handle it.
There are a lot of things you have to do, in order to be compliant with GDPR. These are the first steps you should take:
1. Figure Out If You Need a Data Protection Officer (DPO)
One of the first things you need to ask yourself is if you need a Data Protection Officer, or DPO. Many organizations require a DPO in order to meet this new compliance regulation.
Since this is such a big decision, we cover it in a section further down in this article. For some businesses under the GDPR, it will be mandatory to designate a DPO.
Even if you are not required by law to have a DPO, you may find it useful to designate one anyway.
2. Map Your Company’s Data
This is generally a good thing to do, even without the GDPR. Map where all the personal data in your whole business comes from, and document what you do with that data.
Identify where it resides, who can access it, and if there are any risks to that data.
3. Determine What Data You Must Keep
To avoid problems with the GDPR, it’s best you don’t keep any more personal information than is absolutely necessary about a customer, and remove any data that isn’t used.
This means if you’re a Big Data sort of operation, where you collect a lot of data for no operational benefit, you need to dump it right now. This sort of approach won’t work with GDPR.
When sorting, ask yourself the following questions:
- Why are we archiving this data instead of just erasing it?
- Why are we saving all this data?
- Why are we collecting all these categories of personal information?
- Is the financial gain of deleting this information greater than that of encrypting it?
4. Put Security Measures In Place
There are security measures you can develop and implement to make sure no data breaches take place. As an organization, this will mean that your burdens from the “Right to be Notified” will be lessened, as well as all the traditional benefits of keeping your customer’s data safe.
Make sure you have a well-written plan that now takes into account the need to inform both individuals and authorities of any personal data breach within 72 hours. Make sure to check with your suppliers also. Outsourcing doesn’t exempt you from being liable. You also need to make sure they have the right security measures in place.
You must also encrypt your customers’ data. Make sure you have backup software that offers high-level encryption of that data, both at rest and in transit.
5. Review your Documentation
Under the GDPR, individuals have to explicitly consent to the acquisition and processing of their data. No more pre-checked boxes or ‘implied consent’. Review all your privacy statements and disclosures, and adjust them as needed.
6. Have a Disaster Recovery Plan
You need to have a disaster recovery plan in place in case your machines go down. This means firstly you need to write an outage plan, and you also need backup software that can get you up and running quickly in case of a server outage.
Here’s a helpful guide on how to write plans for planned and unplanned outages.
7. Establish Procedures for Handling Personal Data
Now that individuals have nine basic rights under the GDPR, you’re going to need to establish clear policies and procedures to meet them. For example:
- How can individuals give consent in a legal manner? How can we make sure there is double opt-in?
- What is the process if an individual wants their data deleted?
- How do we ensure this is done across all platforms, and it is really deleted?
- If an individual wants their data transferred, how do you do it? How do you provide it in an easily readable format?
- How will you confirm the person who requested to have their data transferred is really the person they say they are?
- What is the communication plan in case of a data breach?
No matter the size of your organization, you need to be able to answer all these questions and more.
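As an added illustration (not BackupAssist code, and not a claim about how any real product does this), here is a hypothetical Python consent ledger that ties together the consent rules from the “In Practical Application” section and the procedure questions above: consent recorded per purpose, double opt-in via a one-time confirmation token, a time-stamped event history as the audit trail, JSON export for portability, and erasure. All class and method names are invented for this example.

```python
from __future__ import annotations
import json, secrets
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

@dataclass
class ConsentEvent:
    purpose: str  # e.g. "newsletter"; consent is per purpose, never blanket
    action: str   # "requested", "confirmed" or "withdrawn"
    at: str       # ISO-8601 UTC timestamp: the time-stamped audit trail

class ConsentLedger:
    # Append-only consent history per data subject (hypothetical design).
    def __init__(self) -> None:
        self._events: dict[str, list[ConsentEvent]] = {}
        self._pending: dict[str, tuple[str, str]] = {}  # token -> (subject, purpose)

    def _log(self, subject: str, purpose: str, action: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self._events.setdefault(subject, []).append(ConsentEvent(purpose, action, stamp))

    def request(self, subject: str, purpose: str) -> str:
        # Double opt-in, step 1: record the sign-up and return the one-time
        # token that would go out in the confirmation e-mail.
        token = secrets.token_urlsafe(16)
        self._pending[token] = (subject, purpose)
        self._log(subject, purpose, "requested")
        return token

    def confirm(self, token: str) -> bool:
        # Step 2: only a valid, unused token turns the request into consent.
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        self._log(*entry, "confirmed")
        return True

    def withdraw(self, subject: str, purpose: str) -> None:
        self._log(subject, purpose, "withdrawn")

    def allowed(self, subject: str, purpose: str) -> bool:
        # Latest event for this purpose decides; an unconfirmed request is not consent.
        latest = None
        for ev in self._events.get(subject, []):
            if ev.purpose == purpose:
                latest = ev.action
        return latest == "confirmed"

    def export(self, subject: str) -> str:
        # Data portability: the subject's history as machine-readable JSON.
        return json.dumps([asdict(ev) for ev in self._events.get(subject, [])], indent=2)

    def erase(self, subject: str) -> None:
        # Erasure: drop the history and any outstanding confirmation tokens.
        self._events.pop(subject, None)
        self._pending = {t: sp for t, sp in self._pending.items() if sp[0] != subject}
```

Consent for one purpose (a newsletter) does not carry over to another (event mailings), and a request that was never confirmed never permits processing.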
Do I Need A Data Protection Officer (DPO)?
You are required as an organization to appoint a DPO if you meet one of the following criteria:
- Processing of personal data is being carried out by a public authority or body (Except for courts acting in their judicial capacity).
- Your core business activities consist of data processing operations, which require regular and systematic monitoring of data on a large scale. (Whether you are a data controller or processor)
- Where your core activities consist of processing large-scale amounts of special categories of data OR personal data relating to criminal convictions and offenses.
- Special categories include personal data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
Unless it is obvious that you do not require a DPO, it is recommended that you document the internal analysis carried out to determine whether or not a DPO is to be appointed. This way, you can reliably demonstrate that the relevant factors have been taken into account regarding your organization’s decision to have or not have a DPO.
If you hire someone on a voluntary basis as a DPO, the same requirements will apply to their designation, position, and tasks as if the designation had been mandatory.
If having a DPO for your organization is not mandatory, you can still have staff or external consultants perform the personal data protection tasks traditionally performed by a DPO. However, it is important to ensure there is no confusion regarding their title, status, position, and task. It should be made clear in any communications that this individual or consultant is not a ‘DPO’.
For more details on the function and role of Data Protection Officers, read this guideline document.
More Information About The GDPR
For more information about the GDPR, visit the EU’s GDPR homepage. There’s also a vault of useful resources and videos on the topic.
Disclaimer
Note that the content of this web page is a commentary on the GDPR, as BackupAssist interprets it, as of the date of publication. It is provided for informational purposes only, and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organisation.
BackupAssist encourages you to work with a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance.