What does GDPR stand for?
GDPR stands for General Data Protection Regulation. It is the European Union's legal framework setting rules for the collection and processing of personal data of individuals who are in the European Union.
What exactly is GDPR?
GDPR is a set of rules designed to give individuals in the European Union more control over their personal data. Companies that collect data on people residing in EU countries must comply with these rules on protecting customer data. It also aims to simplify the regulatory environment for businesses so that both businesses and individuals can benefit from the digital economy. Because it is a regulation rather than a directive, the GDPR applies directly in each of the 27 EU member states, creating more consistent protection of personal data across the EU.
The GDPR establishes boundaries and protocols for companies that handle the data of individuals in the EU, to better safeguard the processing and movement of personal data. Compliance creates new concerns and expectations for security teams. The GDPR takes a broad view of what constitutes personal data: online identifiers such as an individual's IP address or cookie identifiers count as personal data and need the same level of protection as a name, address or national identification number.
How did GDPR come into force?
In April 2016, the European Parliament adopted the GDPR (Regulation (EU) 2016/679), replacing the Data Protection Directive 95/46/EC of 1995. A directive must be transposed into national law by each member state, which leaves each of the (then) 28 members free to adapt the law to its own needs. A regulation, by contrast, is directly applicable in every member state with no transposition and no leeway. The GDPR therefore binds all EU member states in the same terms.
The Directive's drawback was that it no longer fitted today's digital age. Its provisions failed to address how data is now stored, collected and transferred, and it had not kept pace with technological advancement. The GDPR improves the protection of European data subjects' rights and clarifies what businesses that process personal data must do in order to safeguard those rights.
When did GDPR come into force?
In January 2012, the European Commission set out plans for data protection reform in order to make Europe fit for the digital age. Following four years of preparation and debate, the GDPR was approved by the European Parliament in April 2016 and the text of the Regulation was published in the Official Journal of the European Union, in all official EU languages, in May 2016. It entered into force in May 2016 but, after a two-year transition period, only became applicable and enforceable on 25 May 2018.
Who does GDPR apply to?
According to the European Commission, the GDPR applies to a company or entity that processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; and to a company established outside the EU that offers goods or services to, or monitors the behaviour of, individuals in the EU.
In short, the GDPR applies to organisations operating within the EU as well as to organisations outside the EU that offer goods or services to customers or businesses in the EU. The crux of the matter is that almost every major corporation in the world needs a GDPR compliance strategy. The GDPR applies to "controllers" and "processors": the controller determines how and why personal data is processed, and the processor acts on the controller's behalf.
When it comes to protecting the privacy and rights of the data subject, such as a website visitor, the data controller bears the most responsibility under the GDPR and other privacy laws. Simply put, the data controller is in charge of the purposes for which data is used and the means by which it is processed.
Controllers and Processors
The GDPR places specific legal obligations on processors. They are required to maintain records of their processing activities, and they have significantly more legal liability if they are responsible for a breach. These direct obligations on processors are new under the GDPR; the Directive placed obligations only on controllers.
Controllers are not relieved of their obligations where a processor is involved – the GDPR places further obligations on them to ensure their contracts with processors comply with the GDPR. The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.
A data controller can process the data it collects using its own systems. In some situations, however, a controller needs a third party or an external service to work with the collected information. Even then, the controller does not hand over control of the data: by determining how the data will be used and handled by the external service, the controller retains control.
A data processor simply processes the information provided by the data controller. In the example above, the data processor is the third-party company that the controller selected to process the data. The data processed by a third-party processor does not belong to it, and it has no authority over it: the processor cannot change the purposes of the data or the means by which it is used, and is bound by the controller's instructions. For example, Sterling Company (a hypothetical business) has a website that gathers information about the pages people view, including the page they arrived on, the pages they visited next and the time they spent on each page. Sterling Company is the data controller, because it dictates how and when all of this information will be used and stored.
Sterling Company uses Google Analytics to determine which of its pages are the most popular and which are causing visitors to leave the site. Understanding how much time each visitor spends on each page lets it organise its content better: it learns which subjects to write about, discovers new ones that may interest its clients, and improves the content that is already there. To get these insights, Sterling Company has to share the data it collects with Google. In this arrangement, Google Analytics is the data processor.
Article 5 of the UK GDPR (and of the EU GDPR) sets out seven key principles which lie at the heart of the general data protection regime. They have been designed to guide how people's data can be handled. They are not detailed rules in themselves but an overarching framework that lays out the broad purposes of the GDPR. The principles are largely the same as those that existed under previous data protection laws. The seven key principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
The principles are set out right at the start of the legislation, and inform everything that follows. They don’t give hard and fast rules, but rather embody the spirit of the general data protection regime, and as such there are very limited exceptions. Compliance with the spirit of these key principles is a necessity for good data protection practice. It is also key to compliance with the detailed provisions of the GDPR.
There are two notable exceptions to the GDPR's reach. First, the GDPR does not apply to "purely personal or household activity". So, if you have collected email addresses to throw your boss a surprise party, you will not have to encrypt their contact details to comply with the GDPR. The GDPR applies only to organisations engaged in "professional or commercial activity"; if you are collecting email addresses from friends to fundraise for a side business, the GDPR may well apply to you.
The second exception concerns organisations with fewer than 250 employees. Small and medium-sized enterprises (SMEs) are not exempt from the GDPR as a whole, but the regulation relieves them of the record-keeping obligation in Article 30, unless their processing is likely to result in a risk to individuals' rights and freedoms, is not occasional, or involves special categories of data or data on criminal convictions.
Like the Data Protection Directive, the GDPR contains derogations and special requirements. Member States may make exceptions, for example for the prevention and detection of crime or for national security purposes. Although the GDPR harmonises data protection legislation across the EU, Member States are able to enact supplementary laws for particular purposes.
There are two types of derogation and exemption: restrictions and special processing situations. Article 23 of the GDPR allows Member States to restrict the scope of data subjects' rights in areas such as national security, public security, the independence of the judiciary and the prosecution of criminal offences, and the enforcement of civil law claims. Such restrictions must be necessary and proportionate in a democratic society and must respect the essence of the fundamental rights and freedoms concerned.
United Kingdom implementation
The applicability of the GDPR in the United Kingdom was affected by Brexit. The UK remained subject to EU law, including the GDPR, until the end of the transition period on 31 December 2020. The United Kingdom had granted royal assent to the Data Protection Act 2018 on 23 May 2018, which supplemented the GDPR, filling in the aspects of the regulation left to national law and creating criminal offences for knowingly or recklessly obtaining, disclosing or retaining personal data without the consent of the data controller.
The GDPR became applicable in May 2018 while the UK was still a member state. Since the end of the transition period, the UK is no longer regulated by the EU GDPR; instead, the retained text, with amendments, applies as the UK GDPR (United Kingdom General Data Protection Regulation), which took effect on 1 January 2021.
The UK GDPR, together with the cookie rules in the Privacy and Electronic Communications Regulations (PECR), requires a website to obtain valid consent from users before setting cookies and third-party trackers that are not strictly necessary for a service the user has requested, and before processing the personal data they collect. It also requires the site to record and document each consent given, and to let users withdraw their consent as easily as they gave it. It gives UK users the same set of rights as the EU GDPR, among which the right to erasure and the right to have already-collected personal data corrected are the most frequently exercised.
What are GDPR rights?
The GDPR lays out eight rights for individuals, ranging from easier access to the data companies hold about them to having that data deleted in some scenarios. These rights are:
- the right to be informed: Individuals have the right to be informed about the reason of collection and use of their personal data. Individuals must be provided with information including purposes for processing their personal data, retention periods for that personal data, and who it will be shared with.
- the right of access: Individuals have the right to access their personal data and receive a copy of it and other supplementary information. This is referred to as a subject access request.
- the right to rectification: The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete. A request for rectification can be made by an individual verbally or in writing. A time period of one calendar month is provided to respond to a request.
- the right to erasure: The GDPR introduces a right for individuals to have personal data erased or deleted. A request for erasure can be made by an individual verbally or in writing. A time period of one calendar month is provided to respond to a request.
- the right to restrict processing: Individuals have the right to request the restriction or suppression of their personal data. When processing is restricted, personal data can be stored but not used. A request for restriction can be made by an individual verbally or in writing. A time period of one calendar month is provided to respond to a request.
- the right to data portability: The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
- the right to object: The GDPR gives individuals the right to object to the processing of their personal data in certain circumstances. Individuals have an absolute right to stop their data being used for direct marketing. An objection can be made by an individual verbally or in writing. A time period of one calendar month is provided to respond to an objection.
- rights around automated decision making and profiling: The GDPR contains provisions on automated individual decision-making and profiling. Article 22 of the GDPR states that the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
Requirements of GDPR
The GDPR itself contains 11 chapters and 99 articles. The article numbers below follow the final text of the Regulation (the 2012 draft used different numbering, which is still often quoted).
- Articles 17 and 20: Articles 17 and 20 of the GDPR give data subjects more control over their personal data. Article 17 establishes the right to erasure ("right to be forgotten") and Article 20 the right to data portability.
- Articles 25 and 32: Article 25 (data protection by design and by default) and Article 32 (security of processing) require controllers and processors to implement appropriate technical and organisational measures to protect personal data against loss, exposure and unauthorised access, taking into account the state of the art and the risks of the processing.
- Articles 33 and 34: Data breach notification plays a large role in the GDPR text. Article 33 requires controllers to notify the supervisory authority (SA) of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; the notification must describe the nature of the breach and the approximate number of data subjects affected. Article 34 requires controllers to inform the affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms.
- Articles 35 and 36: Article 35 requires companies to perform a Data Protection Impact Assessment (DPIA) where processing is likely to result in a high risk to individuals, and Article 36 requires prior consultation with the supervisory authority where the DPIA indicates that the residual risk remains high.
- Article 37: Article 37 requires the appointment of a data protection officer (DPO) in certain cases: where the organisation is a public authority, where its core activities involve regular and systematic monitoring of individuals on a large scale, or where its core activities involve large-scale processing of special categories of data (such as genetic data, health data, racial or ethnic origin or religious beliefs) or data on criminal convictions. The DPO advises the organisation on compliance with the regulation and acts as the point of contact with the supervisory authority. Holding employee health or similar data as part of ordinary HR processes does not by itself trigger the requirement, since that is not usually a core activity carried out at large scale.
- Articles 38 and 39: Articles 38 and 39 set out the position of the data protection officer and the DPO's tasks in ensuring GDPR compliance, cooperating with the supervisory authority and being available to data subjects.
- Article 83: Article 83 sets out the administrative fines for GDPR non-compliance, which can be up to €20 million or 4% of the violating company's worldwide annual turnover, whichever is higher, depending on the nature of the violation.
Criteria that need to be met
The GDPR comprises a total of 99 articles. Any company that stores or processes personal data of individuals in the EU must comply with the GDPR, even if it has no business presence within the EU. A company is subject to the GDPR if:
- The business has an establishment in an EU country, whatever the location of the processing
- Even with no presence in the EU, the company offers goods or services to individuals in the EU, or monitors their behaviour (for example through tracking or profiling)
Note that the size of the company is not a scope criterion. The 250-employee threshold mentioned above only relieves smaller organisations of the record-keeping obligation, and even that relief is lost when the processing is likely to affect the rights and freedoms of data subjects, is not occasional, or involves special categories of data.
How does the GDPR affect companies’ existing policies on data breaches?
Under the GDPR, an affected company or organisation must notify its supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and must inform the at-risk individuals without undue delay where the breach is likely to result in a high risk to them. Failing to do so is itself a violation of the GDPR and can incur a penalty.
Many businesses currently have different policies on when they disclose a data breach to the public or to the authorities, depending on the laws in force in their state or country. For instance, Florida law requires that individuals affected by a data breach be notified no later than 30 days after its discovery. Puerto Rico, on the other hand, mandates that a company, upon learning of its own data breach, must notify the Department of Consumer Affairs within 10 days.
British Airways and Marriott International were the first high-profile targets of large GDPR penalties. In July 2019 the UK Information Commissioner's Office announced its intention to fine British Airways £183 million (about €200 million) for a breach of its website and app between June and September 2018, and to fine Marriott International £99 million for a breach of the Starwood guest database that ran from 2014 to 2018. The final penalties, issued in 2020, were reduced to £20 million and £18.4 million respectively.
How does the GDPR affect US?
GDPR requirements force US businesses that fall within its scope to change the way they process, store and protect customers' personal data. Companies must provide a defined level of data protection and privacy, process data only on a valid lawful basis (consent is one of six such bases, not the only one), and keep it no longer than is necessary for the purpose for which it is processed. On request, companies must delete personal data in the circumstances the regulation sets out. The right to be forgotten is a powerful right that every data subject is entitled to.
The GDPR has extra-territorial scope, meaning that websites outside the European Union that process data of people in the EU can be obliged to comply with it. Mere accessibility of a US website from the EU is not enough on its own; the test is whether the site offers goods or services to people in the EU (for example by accepting euros, shipping to EU countries or using EU languages) or monitors their behaviour, such as by tracking and profiling EU visitors. If that is the case, you need to meet the GDPR's requirements and conditions for processing data.