Full Analysis: The General Data Protection Regulation
The General Data Protection Regulation (GDRP), a controversial, new European Union regulation, is poised to severely disrupt most organizations’ approach to data collection and privacy. Learn how your company can be amongst the 40% of organizations that are prepared for the May 25th compliance deadline and what’s been dubbed as the most important change in data regulation in 20 years means for you as a marketer.
What Is It?
The GDPR, which replaces the Data Protection directive 95/46/EC, aims to standardize various protections for consumer and personal data of EU citizens across EU member states. The GDPR defines personal data as “information relating to an identified or identifiable natural person,”which includes basic information like name and email address, but also extends into grayer areas like IP addresses and device ID.
It is important to note that while the GDPR is a European Union-based regulation, any corporate entity that markets or sells goods or services to EU residents is also subject to compliance of this regulation, which means there is good chance that your organization will be affected in some way or another.
Key Requirements of the GDPR
The GDPR itself is comprised of 11 chapters and 91 articles. While the entirety of the regulation has the potential to significantly impact businesses, the following are some of the key requirements companies need to be aware of:
- Increased territorial scope and extra-territorial applicability
- Increased scrutiny of distinction and liabilities between data controllers and data processors
- Increased penalties for violations and non-compliance
- Expansion of data subject rights including the right to access and right to be forgotten
- Providing prompt declaration and notifications in the event of a data breach
- Requiring certain organizations to appoint a Data Protection Officer
Increased Territorial Scope and Extra-Territorial Applicability
One of the most impactful provisions of the GDPR is in regard to the increased territorial jurisdiction that the regulation creates. As previously stated, the GDPR not only applies to EU nations, but to any organization that processes the personal data of EU residents, regardless of their physical location. This includes companies that offer goods and services to EU citizens (regardless of whether a payment or transaction takes place) as well as companies that monitor behavior that takes place within the EU. According to the official GDPR website, “non-EU businesses processing the data of EU citizens will have to appoint a representative in the EU.“
Data Controllers and Processors
Unlike the Data Protection Directive that is currently in place, the GDRP introduces direct obligations for data processors, which is defined as “a natural or legal person, public authority, agency or other body which processes data on behalf of the controller. A controller is the entity who “determines the purposes and means of the processing of personal data.”
For example, if XYZ Manufacturing sells widgets to consumers in the EU and uses WTWH Media to email consumers on their behalf and track their engagement activity, XYZ Manufacturing is the data controller, while WTWH Media is the data processor. In addition to this, if WTWH Media uses 3rd party services like IBM and Amazon, they would also be considered data processors.
In regard to compliance, this distinction between processor and controller is extremely important to make. Since the GDPR views the data controller as the primary party responsible for collection of consent, managing consent-revoking, enabling removal, etc., then a data subject who wishes to revoke consent for his or her personal data must contact the data controller, even if the data is stored on the processor’s servers.
As the GDPR introduces obligations for data processors for the first time, processors will now be subject to penalties and civil claims of data subjects. Article 28(1) states:
“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
With the introduction of the GDPR, data controllers should only work with in-compliance processors or face penalties themselves. Because of this, processors may need to procure independent compliance certifications to maintain obligations with current customers. Processors will be required to:
- Only process personal data on instructions from the controller, and inform the controller if it believes said instruction infringes on the GDPR (28.3)
- Obtain written permission from the controller before engaging a subcontractor (28.2), and assume full liability for failures of subcontractors to meet the GDPR (28.4)
- Upon request, delete or return all personal data to the controller at the end of service contract (28.3.g)
- Enable and contribute to compliance audits conducted by the controller or a representative of the controller (28.3.h)
- Take reasonable steps to secure data, such as encryption and pseudonymization, stability and uptime, backup and disaster recovery, and regular security testing (32.1)
- Notify data controllers without undue delay upon learning of data breaches (33.2)
- Restrict personal data transfer to a third country only if legal safeguards are obtained (46)
These new requirements will no doubt force data processors and controllers to work more closely with each other to ensure both parties are in compliance with the GDPR. Additionally, existing agreements between parties will need to be reviewed thoroughly before the GDPR comes into effect.
Greater Control for Data Subjects
At its core, the GDPR is a consumer-centric piece of legislation, giving more rights to data subjects and how their data is handled by corporate entities. While many of the following concepts may exist currently, the GDPR now attaches legal requirements to them.
Right to be Forgotten
As outlined in Article 17, the right to be forgotten, also known as Data Erasure, allows the data subject to have the data controller erase his/her personal data, and potentially have third parties cease the processing of the data in question. However, certain conditions must be met to qualify for data erasure, one condition being that the data in question is no longer relevant to the original purposes for processing. Another thing to keep in mind is that this provision requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering a right to be forgotten request. Finally, a right to be forgotten request must be met “without undue delay.”
While most modern marketers have already made it easy for data subjects to unsubscribe from email lists or subscriptions, it’s important to note that the GDPR will require organizations to remove data subjects from their database completely at the subject’s requests.
Right to Access
In an effort to empower and protect data subjects, the GDPR designates the right for data subjects to obtain confirmation as to “whether or not personal data concerning them is being processed, where and for what purpose” from the data controller. This new transparency means that your organization must be ready to respond to requests from data subjects quickly and efficiently.
Data Breach Notifications
Data breach notifications are a significant part of the GDPR’s legislation. While your organization may never be the target for a cyber-attack, it is important to be aware of the process should such an event ever occur.
Article 33 designate rules that must be adhered to should a data breach occur:
- The controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55,
- The processor shall notify the controller without undue delay after becoming aware of a personal data breach.
- The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
If your company has suffered a data breach in the past, or if you believe that you are vulnerable to one in the future, it will be important to ensure that your company’s security is up-to-date to prevent such attacks from occurring. If a breach is inevitable, then you will need to make you comply with the GDPR’s guidelines, or risk facing severe penalties.
Increased Fines for Violations
One of the most impactful provisions of the GDPR is regard to the increased penalties for violations. Under Article 79, organizations that violate certain provisions of the GDPR – like rules relating to data breaches – will be subject to fines “of up to €20 Million or 4% of the company’s total worldwide turnover (whichever is greater).” For large, multinational companies, this amount could reach well into the billions.
It should be noted that is a maximum fine for the most serious infringements, like not having explicit customer consent. These penalties operate on tier-based approached, meaning smaller infractions may only result in a fine of 2% of total worldwide turnover. Naturally, these fines can apply to both the data processor and the data controller. If you’re worried that your organization may fall victim to these stiff penalties, then it is extremely important to ensure that both you and other organizations you do business with follow the GDPR.
Appointment of a Data Protection Officer
One of the most controversial provisions of the GDPR requires companies who meet certain condition to appoint a Data Protection Officer (DPO); specifically, companies that processes data revealing a subject’s genetic data, health, racial or ethnic origin, religious beliefs, etc.
In addition, Article 37 requires companies to designate a DPO in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
If your company meets any of the above criteria for data collection, you will need to appoint a Data Protection Officer (DPO) under the GDPR. Here are some guidelines from EUGDPR.com to consider when appointing a DPO:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
- May be a staff member or an external service provider
- Contact details must be provided to the relevant DPA
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could results in a conflict of interest
It’s worth nothing that even if your company does not collect sensitive information on customers, you may collect some of this information from your employees for human resources purposes, and therefore may need to appoint a data protection officer if you have employees who are EU citizens.
What Can I Do to Prepare?
Although the deadline for GDPR compliance is just two months away, there are many steps an organization can take to ensure that they will be ready for when the law comes into effect. By reading this post, you’ve already taken the first step, which is educating yourself. By being knowledgeable of the legislation and some its provisions, you can start championing GDPR compliance within your organization so that everyone understands the rules surrounding the regulation.
Another great step to take in preparation for the GDPR is an evaluation of your company’s current privacy policies. Privacy policies are often forgotten in the day-to-day business, but with many of the GDPR’s provisions directly effecting customer data, it might be worth revisiting and potentially updating.
Finally, if your organization is concerned with fines and penalties as a result of data breaches, working with an experience cyber-security firm may be extremely beneficial. They will able to work with you and review your current systems to make sure that you won’t be in violation.
Is your organization ready for the GDPR? Leave a comment below to let us know what steps you’ve taken to ensure your compliance.