The General Data Protection Regulation (GDPR) comes into force on the 25th May 2018. Although the key elements of this new framework reflect the Directive it replaces, significant changes will deeply impact the way many organisations gather, process, and store information about individuals. At its core, the driving aim of GDPR is to promulgate individual’s right to control their data. The regulators have taken a solid stance on ensuring data privacy and set eye-watering fines for non-compliance (maximum penalties are the greater of 4% of total global annual turnover or €20m).
The GDPR applies to you
GDPR has global reach. If your business handles personal information about European residents, whether it's their cookies or sexual orientation, then you’re within scope – regardless of your location.
Let's Take A Deeper Dive
GDPR and extra-territorial scope: As stated in article 3, although GDPR applies mainly to businesses established within the EU, it also applies to controllers and processors whose activities within the EU relate to: offering goods or services to individuals (regardless of whether they are free or not) or monitoring individuals’ behaviour (such as using Apps to track an individual’s location).
Specific protections for children: Consent is only acceptable for children for online services where authorized by a parent (art. 8). The default age for these additional provisions is 16, although Member States can reduce this age to 13. It is crucial to remember that consent must be clear, and so the privacy notice must be written in a language accessible to children.
A paradox for privacy notices: The amount of information organisations need to include in their privacy notices has increased. At the same time, the GDPR also requires privacy notices to be concise, transparent, intelligible and easily accessible (art.12). This is likely to require translation into local languages. Just-in-time notices are a suitable approach to meet these requirements (i.e. following certain interactions with the individual).
Increased individual rights: right to portability: As well as the existing right to access their personal data, article 17-18 now extends this right to enable individuals to ask for personal data to be transferred directly from one controller to another (without being subject to a fee), and can also ask to receive personal data in a machine-readable format.
Consent and the right to erasure: Consent now requires a positive opt-in and cannot be secured by inactivity or pre-ticked boxes. For sensitive personal data transferred outside the EU, it must be formally requested by using the term ‘consent’ in the process. Withdrawal of consent can also give the individual the right to erasure – the right to be forgotten (art. 17).
The right to object to direct marketing: Article 21 confers upon individuals the right to object to direct marketing. When this occurs, not only must collectors and processors stop sending material directly, but they must also cease use of that personal data for marketing purposes, such as profiling.
When must Data Breaches be notified? A personal data breach can include loss, unauthorized disclosure, alteration or unauthorized access to personal data (arts. 31, 32). The notification requirements depend on whether the breach is a risk (in which case you must notify the supervisory authority, usually within 72 hours from when you became aware of the breach) or high-risk (the individuals concerned must be notified without undue delay).
Obligation to appoint a Data Protection Officer: All companies that process data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc. must appoint a data protection officer (arts. 35-37). Verify your recruitment process to verify what information is collected on employees.
What does this mean for you?
GDPR requires organisations to implement the technical measures necessary to ensure compliance. If possible, organisations should adopt a privacy-by-design approach. Article 23, for instance, calls for controllers to hold and process only the data necessary for the completion of their duties (data minimization), as well as limiting the access to personal data to those needing to act out the processing.
The challenges for GDPR compliancy will be reviewing the processes relating to data security. Client Relationship Management (CRM) systems that cater to the changing regulatory landscape will be instrumental in facilitating this shift. The world's leading CRM provider, Salesforce, has worked closely with European lawmakers and other key groups throughout the development of the GDPR, and has taken several steps to help ensure that users can continue to use the platform while complying with GDPR. For example, Salesforce offers customers a data processing addendum that contains data transfer frameworks allowing lawful transfer of personal data to Salesforce outside the European Union, through reliance on binding corporate rules, the EU-US Privacy Shield certification, or standard contractual clause. The latter were drafted and approved by the European Commission and contain detailed obligations relating to personal data protection.
Companies must take steps to ensure that both themselves, and their Processors (service providers or consulting firms in charge of processing personal data), understand and comply with the Regulation, to avoid the significant exposure to liabilities.
The first hurdle to overcome is identifying what data you have, where you keep it, and who you share it with. The second step is to identify what data is person identifiable, whether that is user-generated (for example website behaviour) or otherwise (for example through a third party as part of a survey). While the GDPR does not specifically require encryption, it is encouraged as an effective way to help ensure that personal data remains secure and confidential, particularly for sensitive personal data.
By Anastasios Papadopoulos, IMS Founder & CEO