GDPR (General Data Privacy Regulation) is on its way, replacing the EU’s 1995 Data Protection Directive, and it is going to change the world of personal information for good. Exactly what will change and how are enterprises handling our data going to adjust? There are many answers to be sought regarding GDPR, especially for business owners, both across Europe and beyond its borders. In other words, from 25 May 2018 onwards the overall processing of personal data by organizations will have to comply with the new General Data Protection Regulation.
What Is Personal Data?
According to the Business Dictionary, personal information is:
Recorded information about an identifiable individual that may include his or her (1) name, address, email address, phone number, (2) race, nationality, ethnicity, origin, color, religious or political beliefs or associations, (3) age, sex, sexual orientation, marital status, family status, (4) identifying number, code, symbol, (5) finger prints, blood type, inherited characteristics, (6) health care history including information on physical/mental disability, (7) educational, financial, criminal, employment history, (8) others’ opinion about the individual, and (9) personal views except those about other individuals.
What Is the GDPR Policy?
The GDPR regulations are a set of policies that have been in preparation for years in the European Union. In essence they are a complete overhaul of the existing data protection directives and their main goal is to harmonize the laws regarding private data across the member countries. According to the members of Parliament that are behind its creation, the new mechanisms will help strengthen control of the data across the union. The debates and preparations ended when the rules were finally approved on 14 April 2016. The agreed enforcement date is 25 May 2018 when the new rules will become mandatory.
The proposed changes and their subsequent effects will ultimately change how both businesses and government organizations handle the information of individuals. There are many major changes that will affect the current data privacy laws in the member states, while the adoption process occurs. Both politicians and privacy experts note that this is one of the biggest changes, if not the single biggest change, for the past two decades. When the current laws were proposed and accepted, a different type of organization and industry existed. Nowadays as more and more people and client devices are involved in the gathering and procession of personal information arise, so do the possibilities of their abuse.
There is an important distinction between the GDPR regulations and the previous data privacy laws. By nature the GDPR is written as a regulation — a binding legislative act. By law it must be applied entirely across the whole European Union. The previous data privacy acts that it replaces are defined as a directive which are non-mandatory and merely set out goals that the individual countries must achieve.
The idea of data protection is not new. In fact, the Data Act is the world’s first national data protection law, which was enacted in Sweden on 11 May 1973. This data protection law went into effect on 1 July 1974, and required licenses by the Swedish Data Protection Authority for information systems handling personal data.
Another example is the Data Protection Act 1998 accepted in the United Kingdom Act of Parliament, and designed to protect personal data stored on computers and in paper filing systems. The Act followed the EU Data Protection Directive 1995 , which says that individuals have legal rights to control information about themselves.
As for the United States, there is no single, comprehensive federal (national) law regulating the collection and use of personal data, as explained by Thomson Reuters Practical Law.
However, each Congressional term brings proposals to standardise laws at a federal level. Instead, the US has a patchwork system of federal and state laws and regulations that can sometimes overlap, dovetail and contradict one another. In addition, there are many guidelines, developed by governmental agencies and industry groups that do not have the force of law, but are part of self-regulatory guidelines and frameworks that are considered “best practices”. These self-regulatory frameworks have accountability and enforcement components that are increasingly being used as a tool for enforcement by regulators.
How Do Companies Treat Data Under the GDPR?
First of all, any business that is processing and storing data of EU citizens should reassess the need of doing so. When continued, these processes regarding the data of EU citizens should entirely follow the GDPR compliance.
It is worth mentioning that a brand new study carried out by IBM researchers reveals that approximately 60 percent of surveyed organizations are treating the GDPR as a chance to improve privacy, security, and data management. The new regulations are widely accepted as catalyst for new business models, rather than simply a compliance issue or obstruction. To reduce their exposure, most companies are being more selective and more careful in the data they collect and manage, with 70 percent disposing of data ahead of the deadline for compliance.
IBM’s Institute for Business Value (IBV) approached at least 1,500 business leaders responsible for GDPR compliance for organizations on a global scale, researchers reported. The results from IBM’s survey reveal that:
– 84 percent believe that proof of GDPR compliance will be seen as a positive differentiator to the public
– 76 percent said that GDPR will enable more trusted relationships with data subjects that will create new business opportunities
– Despite this opportunity, only 36 percent believe they will be fully compliant with GDPR by the May 25 deadline.
According to Cindy Compert, CTO, Data Security & Privacy at IBM Security, “GDPR will be one of the biggest disruptive forces impacting business models across industries – and its reach extends far beyond the EU borders”.
“The onset of GDPR also comes during a time of huge distrust among consumers toward businesses ability to protect their personal data. These factors together have created a perfect storm for companies to rethink their approach to data responsibility and begin to restore the trust needed in today’s data-driven economy.”
In short, under GDPR, organizations must implement data protection principles, as well as technical and organizational measures, with the sole purpose to protect users’ privacy and users’ rights to privacy. Organizations subjected to the upcoming regulations must invoke comprehensive privacy protections, meanwhile making sure systems and procedures strictly abide the needs of data security.
Data Security under GDPR
Experts have outlined a short checklist that illustrates the steps to be taken towards GDPR compliance:
1.Know your Data
2.Have good Risk Management
3.Implement comprehensive policies and procedures
4.Implement appropriate and effective Controls
5.Have effective Incident Response procedures
In fact these steps have everything to do with the cybersecurity strategy any organization should have in place. Let’s take the risk-based approach to the general state of security of an organization. This approach is crucial to both the GDPR and the cybersecurity strategy.
More specifically, Article 32 of GDPR requires that measures implemented must ensure a level of security appropriate to the risk:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk […].
Right to Erasure, or the Right to be Forgotten
Did you know that the so-called “right to be forgotten” entered the EU privacy domain with the 2014 judgement of the Court of Justice of the EU under the predecessor of the GDPR (Directive 95/46/EC), in case C 131/12, in a case involving Google. The ruling identified the right of EU data subjects to request the removal of links by search engines, or data controllers. The right to be forgotten is now the Right to Erasure and is part of the GDPR This right is a fundamental data subject right in the GDPR, both within in and beyond the context of publicly available personal information.
What the GDPR substantially does is expanding the scope of the right to be forgotten, making it a fundamental data subject right and requiring data controllers to enable EU citizens to exercise the right.
In official terms, the right to erasure enables the data subject to obtain from the controller the erasure of personal data concerning him or her without undue delay, where the controller shall have the obligation to erase personal data without undue delay.
However, it should be noted that, as it happens with most rights, the right to erasure it is not absolute. GDPR Recital 65 among others covers a data subject’s right to have personal data concerning him/her rectified and the right to be forgotten where retention of the personal data would infringe the stipulations of the GDPR or another law to which the controller is subject.
Do Organizations Always Have to Erase Personal Data upon Request of Users?
The GDPR does entitle individuals to ask for their data to be deleted and organizations do have to comply, except in the following cases:
– the personal data the particular company holds is needed to exercise the right of freedom of expression;
– there is a legal obligation to keep that data;
– for reasons of public interest (for example public health, scientific, statistical or historical research purposes).
User Consent under GDPR: Compliance
Making sure the way that data controllers are using data is compliant with the GDPR is a priority number one. It may appear that the regulations are clear-cut, but in truth there are a number of vectors which make compliance complex and even confusing.
For one, GDPR requires the collection and processing of data to be tied to specific uses. However, this is not always possible in the straightforward sense required by the regulations. It is a known fact that data collected for one purpose may be used to serve various needs. This is inevitable in the interconnected world we live in, where companies collect more and more data, and this data is often added to other data sets. The GDPR requires from organizations and data controllers to always be consistent with the specific purpose initially consented to.
As pointed out by Snow Plow Analytics, much of this is subjected to interpretation:
For marketing professionals in particular, consent is likely to be the most important basis for data collection out of the lawful reasons outlined by GDPR, as it is hard to see how using personal data for marketing can be justified under any of the others. As described on the EU GDPR website, lawfully collecting data under the auspices of consent requires that, “the data subject has given consent to the processing of his or her personal data for one or more specific purposes.”
GDPR and Facebook
In April, Reuters reported that Facebook plans to change its terms of service so that its 1.5 billion non-European users would no longer be covered by the privacy law. Until now, all users outside of the US and Canada have been governed by terms of service compliant with the company’s international headquarters in Ireland. Since any user data processed in Ireland is about to fall under GDPR’s protection, Facebook is changing the agreement in a way that users in Africa, Asia, Australia and Latin America are governed by more permissive US privacy laws.
Still, there are vectors where Facebook will need to comply with GDPR. Instead of reducing the volume of data it collects, the social platform is focusing on getting user consent for its data collection practices, biometric data inclusive.
Facebook has developed a sequence of consent requests that explicitly outline how each type of data will be used, Reuters said. It should be noted that the platform has designed these requests in such a manner that makes it harder for users to opt out than opt in.
GDPR: Conclusive Thoughts
In a nutshell, following the EU’s 1995 Data Protection Directive, GDPR represents a more refined approach to data protection matters in the EU legal regime. The upcoming regulation must be recognized by organizations involved in the processing of personal data of EU citizens. In other words, the GDPR applies to all global organizations which operate with personal data of EU citizens.
Make sure to read our ultimate guide to making your website GDPR-compliant.