“We’ve updated our Privacy policy.” You’ve probably heard this phrase hundreds of times, whether from a service you subscribe to or when you first visit a website. Nowadays, you may be seeing updates to privacy policies more frequently. This is not a coincidence, however, as many online services are updating their privacy policies to comply with the EU General Data Protection Regulation (GDPR).
The GDPR is an EU regulation on data protection and privacy for EU individuals. The GDPR was issued on April 27, 2016, comes into effect on May 25, 2018, and applies to all EU member states. Although the GDPR is intended to regulate data protection and privacy for EU individuals, the regulation applies to any organization which collects or processes private data of EU residents.
The question then becomes: what is personal data? The European Commission has stated that “personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
As you can appreciate, the definition of “personal data” provided by the EU Commission is very broad, and can cover things such as health and biometric data, name, address, email address, identification numbers, geolocation data, IP address, RFID and cookie tags, and the advertising identifier of your phone.
Now that we understand what personal data is subject to the GDPR, the next question is what the GDPR regulates. In essence, the GDPR requires organizations which collect or process private data of EU residents to adhere to a variety of requirements. General overviews of some of the requirements imposed by the GDPR are discussed below:
- Personal Data may not be processed unless there is at least one lawful basis to do so
Lawful reasons can include: (1) the person has given consent to the processing of personal data; (2) compliance with a legal obligation; (3) to protect the vital interests of the data subject or of another person; and (4) for the performance of a contract to which a person is party or to take steps at the request of the person prior to entering into a contract. Consent appears to be the simplest method of allowing for processing personal data under the GDPR; however, the GDPR elaborates on how consent is obtained. A consent request needs to be presented in a clear and concise way, using language that is easy to understand, and must be clearly distinguishable from other pieces of information such as terms and conditions. Informed consent requires that an EU resident be given information about the processing of their personal data, including at least:
- the identity of the organization processing data;
- the purposes for which the data is being processed;
- the type of data that will be processed;
- the possibility to withdraw consent;
- where applicable, the fact that the data will be used solely for automated-based decision-making, including profiling;
- information about whether the consent is related to an international transfer of your data, the possible risks of data transfers to countries outside the EU if those countries are not the subject of a Commission adequacy decision and there are no adequate safeguards.
- Data Breaches
The GDPR imposes a legal requirement on entities which control private data to notify authorities within each member country if a data breach occurs. Under the GDPR, each member country is required to create a supervisory authority to investigate complaints under the GDPR. The entity which controls private data has up to 72 hours after becoming aware of a breach to advise the applicable supervisory authorities. Furthermore, individuals who are affected by the breach must be individually notified. This individual notification requirement, however, is not necessary if the breached personal data is encrypted in such a way that it cannot be accessed or read. As such, the GDPR incentivizes parties controlling data to encrypt personal data.
- Right of Access
The GDPR gives EU citizens the right to access personal data collected about them and information on how their personal data is being processed. If a request from an individual is received, a copy of the data along with an overview of the data, and how the data was acquired, must be provided by the entity which controls the private data.
- Data Portability
One of the more interesting provisions of the GDPR is that it requires that a person should be able to transfer personal data from one system to another. This provision essentially creates a new right for individuals allowing for the transferability of personal data, creating a sense that personal data collected no longer belongs to the entity collecting data, but to each particular individual. To enable the transferability of the personal data, the data must be in a commonly used standard electronic format.
- Penalties
Penalties for failure to comply with the GDPR can be very significant, including a maximum fine of €20 million, or up to 4% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, per violation. Given the possible penalties, the cost of implementing systems to comply with GDPR may be significantly less than the penalties.
The May 25, 2018 deadline to comply is a hard deadline. As such, if your business is collecting information from EU citizens, or is processing data about EU citizens on behalf of another company, it is more likely than not that you need to comply with the GDPR. If your website or application is collecting personal data, it must make an exception for EU citizens. Given that other countries, such as Argentina and Brazil, are considering adopting comparable privacy regulations, it is imperative that you understand and implement GDPR-compliant systems.