What is GDPR, and what does it mean for your digital privacy rights?
In an increasingly mobile world, there is an enormous host of data that can be used to improve workflows, ease procedural strain, and allow both corporations and consumers to gain insight into the wants and needs of the other. However, there also comes a critical need for clarity and security, especially where personal data is concerned.
In April of 2016, the EU Parliament voted to approve the General Data Protection Regulation (GDPR), a set of standards seeking to address this situation, which will go into effect in May of 2018. GDPR will replace a twenty-year-old directive in order to address the vast technological changes since then, and it will have a huge and immediate global impact. Simply put, GDPR’s goals are to harmonize data privacy laws across Europe, protect and return control of data privacy to consumers in the EU, and reshape the corporate approach to digital privacy. This post seeks to provide an overview of the impacts of GDPR as well as an explanation of its core privacy tenets.
To whom does GDPR apply?
- All EU companies
- Any non-EU companies that process data relating to EU citizens
What is considered “personal data” by GDPR?
- Any information that can be used to directly or indirectly identify the person in question.
- Examples: Names, Photos, Email addresses, Bank details, Posts on social media websites, Medical Information, Computer IP addresses
What kind of penalties can be imposed for violating GDPR regulations?
- Written Warning
- Regular Data Protection Audits
- Fine of €10 million or 2% of total global turnover (total corporate revenue)
- Max Fine of €20 million or 4% of total global turnover (total corporate revenue)
It’s important to note that both Controllers (entities that determine the purposes, conditions and means of the processing of personal data) and Processors (entities that process personal data on behalf of the controller, e.g. cloud platforms) can be assessed these penalties.
What are the core tenets addressed in GDPR?
- Consent: Companies must make it easy and accessible for individuals to both provide and withdraw consent. It must be clear what data is being collected and for what purpose it is collected. In addition, companies must be able to prove that consent was given.
- Right to Access: This allows individuals to obtain confirmation from Controllers as to whether personal data about them is being collected/processed and for what purpose. An electronic copy of the data can be requested free of charge.
- Right to be Forgotten: Individuals may request that a Controller remove/erase their personal data and cease dissemination/processing of that data, on the grounds that the data is no longer relevant or that their consent has been withdrawn. Controllers need not necessarily comply; they are required to weigh the individual’s rights against the “public interest in the availability of the data” when deciding how to handle the request.
- Data Portability: This allows individuals to request and receive the personal data being processed/used in a common and open format, in order to transmit this data to another Controller or system.
- Privacy by Design: Companies must include data privacy considerations/policies when designing and implementing their systems, rather than simply tacking on data privacy options later. For example, companies must minimize the data collected to that which is absolutely necessary for its exact processing purpose, and must limit access to this data to only those who perform the processing.
- Data Protection Officers (DPO): Companies under GDPR’s jurisdiction (both Controllers and Processors) must appoint a DPO to audit and ensure that their company meets the standards of data protection mandated by GDPR.
- Breach Notification: If a data breach occurs that is likely to put at risk the rights and freedoms of individuals associated with that data, Controllers must report the breach to the EU Supervisory Authority (SA) within 72 hours of first becoming aware of the breach. Processors will also be required to notify their Controllers “without undue delay” after first becoming aware of a data breach. In addition, Controllers must notify the individuals involved if they could be adversely impacted by the breach. For example, a breach of encrypted or anonymous data would not warrant notifying the individuals, although the Controller would still need to notify the SA.
How will this impact you or your business?
If you are an EU citizen, it is imperative that you are aware of your rights with regard to providing and keeping track of your own personal data. Knowing how to provide or retract consent, request copies of your data, and determine how a Controller is using your data are all key steps in managing and protecting your digital footprint.
Non-EU citizens will also benefit from considering their digital footprint, and can work to protect themselves and others as we all move towards a more structured global view of data and privacy.
From the corporate viewpoint, if your company depends on large-scale processing of individuals’ digital data, where all or some of those individuals are EU citizens, you will need to take a deep look at how you use, store and manage that data. This can apply to you if your work includes any of the following, among many others: social media analytics, purchasing habits and interests, medical information, and even political opinions and surveys.