GDPR

The General Data Protection Regulation is part of European Union law, mandating businesses to meet specific standards, regardless of their location.

What is the GDPR?

Passed in 2016 and in force since May 25, 2018, the General Data Protection Regulation (GDPR) is a comprehensive data privacy law with some of the most stringent regulatory criteria in the world. It has become the framework for subsequent data privacy regulations passed throughout the United States (CCPA/CPRA) and worldwide (Turkey, Chile, Japan, Brazil, South Korea, South Africa and the UK). The GDPR is a crucial part of EU privacy and human rights law and also addresses the transfer of personal data outside of the EU by establishing “adequacy standards” for data transfers worldwide. Considered the first “comprehensive” data privacy law in the world, it has far-reaching implications for companies that do business in the EU or that collect, store or use the data of EU individuals (whom the GDPR refers to as “data subjects”).

The GDPR uses several key definitions and terms:

Personal data: Any information concerning or relating to a living person who is either identified or identifiable (such a person is referred to as a “data subject”). This covers data that identifies a person directly or indirectly through identifiers (name, ID number, geolocation) or online identifiers (IP address, mobile advertising ID), as well as specially protected fields relating to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.

Processing: This is defined as any operation or set of operations performed on personal data. Processing includes collecting, storing, retrieving, using, combining and erasing/deleting personal data using automated or manual processes and operations.

Data Protection Commission: The Data Protection Commission is the regulatory body responsible for enforcing and monitoring the application of the GDPR in order to protect the rights and freedoms of individuals in relation to the processing and use of their data.

Data Controller: Refers to a person, company, or other body which decides the purposes and methods of processing personal data.

Data Processor: Refers to a person, company, or other body which processes personal data on behalf of a data controller.

Consent: Consent to processing must be freely given, specific, and informed. Article 6 of the GDPR lists the lawful bases for processing personal data as: consent; performance of a contract; compliance with a legal obligation; “where processing the personal data is necessary to protect the vital interests of a person”; “where processing the personal data is necessary for the performance of a task carried out in the public interest”; and “the legitimate interests of a company” (except where those interests contradict or harm the interests or the rights and freedoms of the individual).

Profiling: Automated processing of personal data that involves segmentation, behavioral analysis/predictions, habits or interests.

Special categories of personal data: Specific types of data are classified as “sensitive personal data” and are subject to additional protection under the GDPR. Article 9 of the GDPR defines the following as “special categories” of personal data: personal data revealing racial or ethnic origin, trade union membership, religious or philosophical beliefs, or political opinions; biometric or genetic data processed for the purpose of uniquely identifying a natural person; and data concerning health, sex life or sexual orientation.

Processing of these special categories is prohibited except in the limited circumstances and exceptions set out in Article 9 of the GDPR.

Data Protection Officer (DPO): Data controllers and data processors under GDPR must appoint a Data Protection Officer (DPO) under certain conditions. A data controller can also voluntarily decide to appoint a DPO whose responsibility includes implementing a “data protection strategy” and ensuring compliance with applicable data privacy laws like the GDPR and other worldwide privacy standards.

The GDPR applies to any company that processes the personal information of EU data subjects, regardless of the company's location or the data subjects' citizenship or residence.
Under the GDPR, individuals have:

  1. The right to access: Individuals have the right to request access to their personal data and to ask how their data is used by the company after collection. The company must provide access and if requested a copy of the personal data, free of charge and in electronic format to Data Subjects upon request.
  2. The right to be forgotten: Data Subjects have the right to have their personal data deleted if they withdraw consent to use their data or are no longer customers.
  3. The right to data portability: Data Subjects have the right to transfer their data from one service provider to another.
  4. The right to be informed: Individuals have the right to be informed about any gathering and use of data by companies. Data subjects must be informed at or before the point of collection and individuals have the right to opt in for their data to be collected with consent being freely given and NOT implied.
  5. The right to have information corrected: Individuals have the right to request that erroneous or incorrect data that has been collected about them be corrected.
  6. The right to restrict processing: Individuals can restrict how their data is used and can request that personal data not be used for processing. Records can be stored but use is restricted.
  7. The right to object: Individuals have the right to stop all processing of their data for direct marketing. Absent an exemption, processors must cease all activity for data subjects who object to processing, and this right to object must be clearly communicated to data subjects at the start of collection.
  8. The right to be notified: Individuals have the right to be notified within 72 hours in the event of a data breach.

Does the GDPR apply to U.S. companies?

The GDPR applies to U.S. businesses if:

  • The organization offers goods or services (even in the absence of commercial transactions) to residents of the EU.
  • The organization monitors the behavior of users inside the EU.

If your organization collects or processes the personal data of EU residents, the GDPR will apply. The GDPR has specific requirements for both data controllers and data processors. The risks of non-compliance for U.S. companies are immense.

  • Legal risk: Administrative, private right of action as well as regulatory and compliance
  • Reputational risk: With customers, vendors and suppliers
  • Operational risk: Security, IT and internal operating systems
  • Financial risk: GDPR fines are up to 4% of annual worldwide revenue

$23.8M GDPR violation in 2020
$26M GDPR violation in 2018

The cost of non-compliance

Lower-level infringements of the GDPR can still carry fines of up to 2% of annual worldwide revenue and can arise from simple compliance violations of the obligations listed in Article 83(4) of the GDPR:

  • Failing to integrate data protection from onset “by design and default”
  • Failing to properly record processing activities and DSAR requests.
  • Failure to cooperate with supervising authorities.
  • Failing to have adequate security in place for the processing of data.
  • Failure in communications with supervisory authorities and data subjects upon confirmation of a personal data breach.
  • Failure to conduct and have in place a Data Privacy Impact Assessment (DPIA).
  • Failure to notify the appropriate authorities before processing personal data commences.
  • Failure of the Data Protection Officer to perform their duties and responsibilities.
  • Failing to have the proper certifications filed to ensure GDPR compliance.

Infringements of the main principles of the GDPR (right to access, right to be informed, etc.) are considered major infractions and carry the highest level of fines: 4% of annual worldwide revenue.

Due diligence of privacy risks

  • Penalties & fines
  • Where, how and for what length of time?
  • Sensitivity
  • Encryption needed
  • Transfers outside of the EU
  • Applicable data law determination
  • How information is processed
  • Dependent systems

Getting started on GDPR compliance

Internal accountability: Assemble the people, processes and technologies required to address privacy and handle customer data within and across the entire organization. Identify an internal stakeholder and assign them as the Data Protection Officer (DPO) whose responsibility will be developing and implementing a “data protection strategy” and ensuring compliance with applicable data privacy laws like the GDPR.

The DPO role is mandatory if any special categories of data are processed or data processing is carried out by a public authority. If the organization does not have offices in the EU, then they must appoint an official representative in the EU.

Privacy by design: The best practice is to develop processes that have been designed with privacy protection in mind from the onset. Privacy by design should be applied by default whenever new products or services are developed for release to a consumer audience.

Data Protection Impact Assessment (DPIA): It is critical to conduct a DPIA, which begins with an inventory of all the processes that involve the collection, storage, use, dissemination and processing of personal data. Under the GDPR, data controllers are required to prepare a DPIA for processing operations that are “likely to result in a high risk to the rights and freedoms of natural persons”. Assess how sensitive or confidential the information is and the potential harm or damage individuals could suffer in the event of a data breach. A data flow analysis traces the data from the point of collection to its final use: where it is going (data in transit), to whom it is going (third parties, processors) and how it is being stored (data at rest). Once you have a clear understanding of the various privacy risks, you can begin to develop security initiatives, budget for investments in remediation and compliance, and develop and implement all of the necessary policies, documentation and procedures.

Creating a data protection impact assessment is critical

  • Data inventory: What data are you collecting and for what purposes?
  • Data classification: How sensitive is the data? The data owner must clarify.
  • Data flow: Where is the data going from the point of collection all the way through use?
  • Data accountability: What are the various compliance, regulatory and legal requirements?

Data governance & internal stakeholder participation: Data governance means getting the right people, technologies and processes together to handle data throughout the entire business in a safe and secure environment. It is paramount to get stakeholders to agree on making data privacy and fair information practices a priority within the organization.

Get consent for all collection & processing activities: Giving data subjects control of their data and providing notice and getting consent for all activities related to personal data are key aspects to becoming and staying compliant.

Record keeping & documentation: Data controllers must have proper documentation that they are in compliance with GDPR regulations. They must be able to show a lawful basis for storing and processing data. Having the proper record keeping and information storage systems for requests and compliance certifications is necessary and required.

Data breach policies & procedures: Data controllers must notify the supervisory authority within 72 hours of becoming aware of a data breach. Data processors must immediately notify all affected data controllers in the event of a data breach, with liability now shared by both data controllers and data processors in a joint breach event. If a breach poses a high risk to data subjects, they must be informed immediately unless “irreversible” pseudonymization or full anonymization of the affected data was in place.
