The upcoming EU privacy regulation is relevant not only for European organizations but any business looking at Europe because of its extended scope of applicability.
The new European General Data Protection Regulation (GDPR) is expected to lead to a revolution in the privacy world. It will come into force by mid-2018, but time is short and there are many changes that must be implemented.
What it is
GDPR entered into force on the 5th of May 2016, and European Union member states must transpose it into their national law by 6th of May 2018.
The Regulation updates and modernizes the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights.
It focuses on:
- reinforcing individuals’ rights
- strengthening the EU internal market
- ensuring stronger enforcement of the rules
- streamlining international transfers of personal data
- setting global data protection standards
The changes will give people more control over their personal data and make it easier to access it. They are designed to make sure that people’s personal information is protected – no matter where it is sent, processed or stored – even outside the EU, as may often be the case on the internet.
Most importantly, it aims at changing the way organizations that operate in the EU, or that collect personal data from the Union’s citizens, approach data privacy.
The people, businesses, organizations or other bodies that collect and manage personal data are collectively called “data controllers”. They must all respect EU law when handling the data entrusted to them.
What it means for individuals
- People will have to be given the consent request in an easily accessible and intelligible form that states the purpose of the data processing.
- They will have the right to withdraw their consent as easily as they gave it. This is particularly relevant for subjects who gave their consent as a child, or who were not fully aware of the risks involved in the processing.
The right to be forgotten
- People will also have “the right to be forgotten”, or data erasure, which means that the company processing and holding their data will be obliged to delete all of it, including copies.
- This obligation extends to third parties that have access to that data.
- To strengthen the right to be forgotten in the online environment, the right to erasure is also extended so that a controller who has made the personal data public is obliged to inform the controllers processing such personal data to erase any links to, or copies or replications of, those personal data. In doing so, that controller should take reasonable steps.
Protect private data
- ‘Data protection by design’ and ‘Data protection by default’ are now essential elements in EU data protection rules.
- Data protection safeguards will be built into products and services from the earliest stage of development, and privacy-friendly default settings will be the norm – for example on social networks or mobile apps.
- Citizens will have the right to be informed about a data breach that affected their personal data within 72 hours of the data holder becoming aware of the breach.
- Individuals will have the right to access information specifying which of their data is being processed and the purpose of the data collection and management.
- People will have the right to data portability, which means having their personal data transmitted to another data controller.
What it means for companies
- There will be a single set of rules throughout the European Union, which will cut the costs of doing business in the EU. Companies will only have to report to one supervisory body.
- Companies whose main activity consists of systematically processing data obtained by monitoring data subjects on a large scale, or of processing special categories of data or data related to criminal activity, will need to have a Data Protection Officer (DPO) in place. The DPO will have to respect the internal record-keeping requirements.
- GDPR will have to be respected both by companies that originate from Europe and by those offering services to EU citizens.
- Online identifiers, including IP addresses, cookies and so forth, will now be regarded as personal data if they can be linked back to the data subject without undue effort.
- There is no distinction between personal data about individuals in their private, public or work roles – the person is the person.
- Companies will have the legal obligation to inform users of a data breach within 72 hours of the moment they found out about it.
- Data controllers will have to provide an electronic copy of all personal data free of charge, on request.
- At the request of the users, companies must erase all their personal data, stop collecting it and have third parties delete it as well.
- Also at citizens’ request, data must be transmitted to another entity of the users’ choice.
Security and privacy by design
- Companies will have to design their systems with privacy in mind, rather than adding it afterwards. This means that they must make every effort to protect the privacy of their users.
- Data controllers will hold and process data only if it is absolutely necessary for the completion of their duties.
- Companies should implement techniques such as anonymisation (removing personally identifiable information where it is not needed), pseudonymisation (replacing personally identifiable material with artificial identifiers), and encryption (encoding data so that only those authorized can read it) to protect personal data.
- “Big data” analytics requires anonymised or pseudonymised data.
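The anonymisation and pseudonymisation techniques listed above, as an added worked example that is not part of the original article and does not describe any particular product. It assumes a constructed customer record, a constructed set of identifier fields (user_id, email, ip), a constructed analytics field list (country, purchases), and a secret key held outside the data set; pseudonyms are keyed HMAC-SHA256 tokens, which is one common implementation choice, not the only one.

```python
import hmac
import hashlib

# Constructed sample record for illustration only; not real personal data.
SAMPLE_RECORD = {
    "user_id": "u-1001",
    "email": "alice@example.com",
    "ip": "203.0.113.7",
    "country": "NL",
    "purchases": 3,
}

# Assumed: fields that directly identify a person and must not reach
# downstream systems in raw form.
IDENTIFIER_FIELDS = ("user_id", "email", "ip")
# Assumed: the only fields the analytics use case actually needs.
ANALYTICS_FIELDS = ("country", "purchases")


def pseudonymise_value(value: str, key: bytes) -> str:
    """Replace an identifier with a keyed HMAC-SHA256 token.

    The key is the "additional information" that allows re-identification,
    so it is stored separately from the pseudonymised data and access
    controlled. A plain unkeyed hash of an email or IPv4 address could be
    reversed by hashing candidate values, which is why a secret key is used.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes) -> dict:
    """Return a copy of the record with each identifier replaced by a token.

    Identifier fields are renamed with a "_token" suffix so the output cannot
    be mistaken for raw data. Tokens are deterministic for a given key, so
    records of the same person still link together, which is what later
    allows all of that person's records to be found for an erasure request.
    """
    out = {k: v for k, v in record.items() if k not in IDENTIFIER_FIELDS}
    for field in IDENTIFIER_FIELDS:
        if field in record:
            out[field + "_token"] = pseudonymise_value(str(record[field]), key)
    return out


def anonymise_record(record: dict) -> dict:
    """Keep only the fields needed for aggregate analytics; drop identifiers."""
    return {field: record[field] for field in ANALYTICS_FIELDS if field in record}


def contains_identifiers(record: dict) -> bool:
    """Guard to run before exporting data: does any raw identifier survive?"""
    return any(field in record for field in IDENTIFIER_FIELDS)


if __name__ == "__main__":
    # Constructed demo key; in practice it would live in a secrets store.
    demo_key = b"constructed-demo-key-do-not-reuse"
    print(pseudonymise_record(SAMPLE_RECORD, demo_key))
    print(anonymise_record(SAMPLE_RECORD))
```

Note that pseudonymised data is still personal data under GDPR as long as the key (or any other additional information) could be used to attribute it to a person; only the anonymised output, from which identifiers are dropped entirely, falls outside that scope. Destroying the key makes the tokens unlinkable to the original identifiers, which is one way to implement erasure across copies that are hard to locate individually.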
The maximum fines can go up to 4% of the company’s annual global turnover, or €20 Million, whichever is higher. These are applied in cases where the data subjects’ rights have been infringed, for example when data has been processed without a legal basis or cross-border transfers have been performed in breach of the rules.
Other infringements could attract fines of up to 2% of the annual worldwide turnover or €10 Million, whichever is greater. This applies, for example, when companies cannot prove they have adequate security, haven’t appointed a DPO, or haven’t established a data processor agreement.
How to prepare
- Put in place an accountability framework that will prove you meet the required standards.
- Design your product with security and privacy in mind, rather than adding them later.
- Establish clear policies and procedures for the event of a data breach, so you can notify people in time.
- Review your privacy policies and notices so that they are easy to understand and accessible.
- Be prepared for citizens to exercise their newly gained rights, often with unrealistic expectations.
- If you are carrying out cross-border data transfers, including intra-group ones, make sure you have a legitimate basis for transferring personal data to jurisdictions that don’t have adequate data protection regulations.