Please note: We are not attorneys and the information below does not constitute legal advice. If you are in need of legal assistance, please speak with an attorney. The text below is for informational purposes only.
On May 25th, 2018, the European Union (EU) will undergo the most significant change to data security in the last 20 years. The EU enacted the General Data Protection Regulation (GDPR) as a framework to monitor and govern the collection, processing, storage, and use of personally identifiable information relating to any individual in the EU (including citizens, residents, and visitors), as well as EU citizens living abroad.
The GDPR is a new framework for data protection laws, replacing the dated 1995 data protection directive originally made when the internet was still in its infancy. After four years of negotiation, GDPR was adopted by both the European Parliament and the European Council in April 2016.
Who is Covered Under GDPR?
GDPR Article 3 states that a company is subject to the new regulations if it processes the personal data of an individual residing in the EU at the time the data is accessed. This means that GDPR can apply even if no financial transaction occurs. If a company monitors the behavior of EU residents (e.g. tracking and collecting information about EU users to predict their online activities), the GDPR will likely apply to that company.
What Does This Mean for US Companies?
Perhaps the greatest change to the data protection landscape comes with the extended jurisdiction of GDPR. The new scope applies to all companies that process personal data of individuals living in the European Union, regardless of the location of the company. GDPR provides protection to EU citizens no matter where their data ends up.
This means that any company anywhere in the world whose databases include personal data of EU citizens is bound by GDPR. In order to comply, American companies should either (a) block all EU users from accessing the website or (b) put systems in place to ensure compliance.
Citizen Rights Under GDPR
Effective May 24, 2016, and enforced from May 25, 2018, this regulation brings sweeping changes to international data security. Among the changes is a set of citizen rights under GDPR, which include the following:
- Right to data access – EU citizens have the right to request and receive comprehensive information on what specific data a company holds on them, where the data is stored, and how it is used. Under GDPR, individuals have the right to receive confirmation that their data is being processed, access to their personal data, and other supplementary information. (GDPR Article 15)
- Right to data portability – The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different products, services, or providers. (GDPR Article 20)
- Right to rectification – The right to rectification gives EU citizens the right to correct any inaccurate information about themselves that is stored and accessed by a data controller. An individual can make a request for rectification either verbally or in writing, and requests must be responded to within one calendar month. (GDPR Article 16)
- Right to be forgotten – Under GDPR, EU citizens can demand a “data erasure” that requires any and all of their personal data to be erased. Individuals can make the request for data erasure either in writing or verbally, and requests must be responded to within one calendar month. (GDPR Article 17)
Controllers and Processors
The GDPR applies to “data controllers” and “data processors.” Data controllers determine the means of processing personal data, while data processors process personal data on behalf of a controller. The GDPR places specific legal obligations on data processors, including legal liability for personal data breaches. Data controllers also have specific obligations, including ensuring that their contracts with processors comply with GDPR.
What is Personal Data?
Under GDPR Article 4, “personal data” means any information relating to an identifiable natural person. A person can be identified from a wide range of information, including a name, ID number, location data, online identifier, or other factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. This covers everything from IP addresses, social media posts, cookie strings, and online contacts to mobile device IDs.
Further, GDPR requires that companies have a “valid lawful basis” in order to process personal data. The valid lawful bases are listed below:
- Consent – The data subject has freely given consent for their data to be processed for a specific purpose, outlined in GDPR Article 7.
- Contract – Data processing is necessary to fulfill a contract.
- Legal Obligation – Data processing is necessary to comply with laws.
- Vital Interest – Data processing is necessary to save or protect a person’s life.
- Public Tasks – Data processing is necessary to perform a task in the public interest or in the exercise of official functions.
- Legitimate Interests – Data processing is necessary for the legitimate interests of an organization or a third-party affiliate.
How to Process Personal Data Under GDPR
Companies need to ensure that data processing activities are carried out in line with the “Data Protection Principles” set out in the GDPR. GDPR Article 5 sets out the following principles relating to the processing of personal data:
- Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. This places additional compliance requirements on organizations to take particular care when designing and implementing data processing activities.
- Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.
- Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which those data are processed. Companies will need to carefully review their data processing operations to consider whether they process any personal data that are not strictly necessary in relation to the relevant purposes.
- Personal data must be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate are either erased or rectified without delay.
- Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or for scientific, historical, or statistical purposes, in accordance with Article 89(1) and subject to the implementation of appropriate safeguards.
- Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
- The data controllers are responsible for and must be able to demonstrate compliance with the Data Protection Principles.
The changes introduced by the GDPR to the Data Protection Principles are not radical; however, they do consolidate the importance of those principles with respect to data processing activities. In particular, the principles of transparency, data minimization, data integrity, and confidentiality are now clearly defined as Data Protection Principles under GDPR.
Consequences of Non-Compliance
The GDPR imposes significant fines on companies that fail to comply. Penalties and fines, defined in GDPR Article 83 and calculated on the company’s global annual turnover for the preceding financial year, can reach up to 4% of turnover or €20 million (whichever is greater) for non-compliance with the GDPR, and 2% of turnover or €10 million (whichever is greater) for less serious infringements.
It remains to be seen how the regulating authorities will enforce GDPR fines. For now, most U.S. companies that aren’t conducting business in Europe can easily take the steps needed to ensure GDPR compliance. Here at Slamdot, we ensure that the marketing services that we use for our marketing clients are GDPR compliant.