What is the GDPR and how can small businesses avoid fines for improper handling of personal data?

Anca Alexe 28/03/2018 | 14:22

The General Data Protection Regulation (GDPR) applies directly in all EU Member States from 25 May 2018. It replaces the outdated Data Protection Directive of 1995 and is meant to bring data privacy legislation in line with the high value that internet users' personal data has in today's interconnected world.

Data is extremely valuable for companies and organizations, which is why many of the online services and platforms we use are free. A company can often create more value by collecting users' personal data than by charging a fixed fee: from the data it learns its users' preferences and habits, which it can later use to build more targeted ads or new products and services that are more likely to succeed.

A report by the network security company RSA, which surveyed 7,500 people in France, Germany, the UK and the US, showed that there is real concern among consumers regarding privacy, and they are worried mostly about losing financial data, security and identity information. 51 percent of young millennials (aged 18-24) said they were concerned with their personal information being used for blackmail. As a result of their concerns, 41 percent of participants said that they intentionally falsify personal information when they sign up for products and services online.

An interesting finding of the report was that 62 percent of respondents said that in the case of a data breach, they would blame the company for their data loss, and not the hacker – this shows why companies should be interested in protecting data as much as possible.

The GDPR protects a broader set of data than the previous legislation, substantially expanding the definition of "personal data": basic identity information, web data (location, IP address, cookie data, RFID identifiers), health and genetic data, biometric data, racial or ethnic data, political opinions and sexual orientation.

The EU estimates that EUR 2.3 billion will be saved as a result of having one law, as it is expected to boost consumer confidence and grow business.

Who has to comply with GDPR?

Any company that stores or processes personal data about individuals in the EU must comply with the GDPR, even if the company is not headquartered in the EU. It therefore does not matter whether your business is small: as long as it collects personal data from its customers, the GDPR applies.

The regulation identifies two categories of data handlers: controllers and processors. According to the official website, “a controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.”

What happens if a company doesn’t comply?

Non-compliance is not limited to data breaches. It also covers "administrative failures", such as not carrying out a required data protection impact assessment.

The size of fines for serious breaches could be up to 4 percent of a company’s global turnover for the preceding financial year or EUR 20 million, whichever is higher.

For less serious matters, fines could go up to 2 percent of turnover or EUR 10 million – whichever is higher.

Fines are not the only corrective measure. Supervisory authorities can also issue warnings and reprimands and order processing to be limited or suspended, and may use these before, alongside or instead of a fine.

The main principles of GDPR

Data must be processed in a lawful and transparent manner, ensuring fairness towards those whose personal data you're processing. The European Commission recommends that anonymous data be used where possible, and that personal data only be processed "where it isn't reasonably feasible to carry out the processing in another manner".

Data minimisation: If you have to collect personal data, it should be adequate, relevant, and limited to what is necessary for the purpose.

Purpose limitation: Companies must have specific purposes for processing the data, and they need to be indicated to individuals when the data is collected.

Storage limitation: You must ensure that personal data is stored for no longer than necessary for the stated purposes.

Integrity and confidentiality: You must install appropriate technical and organisational safeguards that ensure the security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

What do I actually need to do?

You’ll need to check a number of things in order to make sure you’re ready for GDPR. Here’s what the EU recommends:

Communication: Use plain language and tell people who you are when you request the data, why you’re processing it, how long it will be stored and who receives it.

Consent: Get users' clear consent to process the data. If you offer an online service directly to children and collect data from anyone under the age of 16, you'll need the consent of a parent or guardian (Member States may lower this age threshold, but not below 13).

Access and portability: Let people access their data and give it to another company.

Warnings: Report data breaches to your supervisory authority within 72 hours of becoming aware of them, unless the breach is unlikely to pose a risk to individuals, and inform the affected people themselves if there is a high risk to them.

Erase data: Give people the “right to be forgotten” – erase their data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research.

Marketing: Give people the right to opt out of direct marketing that uses their data.

Safeguarding sensitive data: Use extra safeguards for information on health, race, sexual orientation, religion and political beliefs.

Data transfer outside the EU: Put legal arrangements in place when you transfer data to countries that the EU has not recognised as providing adequate protection.

Profiling: If you use profiling or other automated decision-making to process applications for legally binding agreements such as loans, you must inform your customers, make sure a person, not a machine, reviews the decision if the application ends in a refusal, and give the applicant the right to contest the decision.
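Several of the obligations above (data minimisation and purpose limitation, storage limitation, access and portability, the right to erasure, and the Commission's preference for anonymous or pseudonymous data) are things a small business can enforce in its own code rather than only in a policy document. The following is an added example, not code from the article or from any official GDPR guidance: a minimal in-memory customer record store that rejects fields not declared for a purpose, expires records per purpose, exports a subject's data as JSON, erases on request, and hands analytics only a keyed pseudonym instead of the real identifier. The class, purpose table, field names and sample records are all constructed for the example.

```python
"""Added example: a small record store enforcing several GDPR principles in code.
Everything here (purposes, fields, sample records, key) is constructed for illustration."""
import hashlib
import hmac
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Purpose limitation + data minimisation: each declared purpose lists the only
# fields it may store and how long they may be kept (storage limitation).
PURPOSES = {
    "order_fulfilment": {"fields": {"email", "name", "address"}, "retention_days": 365},
    "newsletter": {"fields": {"email"}, "retention_days": 730},
}


@dataclass
class Record:
    purpose: str
    collected_at: datetime
    data: dict


class CustomerStore:
    def __init__(self, pseudonym_key: bytes):
        self._records: Dict[str, List[Record]] = {}  # subject id -> records
        self._key = pseudonym_key  # secret; never shipped to the analytics side

    def collect(self, subject_id: str, purpose: str, data: dict, now: datetime) -> None:
        """Refuse undeclared purposes and any field the purpose does not need."""
        spec = PURPOSES.get(purpose)
        if spec is None:
            raise ValueError(f"undeclared purpose: {purpose}")
        extra = set(data) - spec["fields"]
        if extra:
            raise ValueError(f"fields not needed for {purpose}: {sorted(extra)}")
        self._records.setdefault(subject_id, []).append(Record(purpose, now, dict(data)))

    def purge_expired(self, now: datetime) -> int:
        """Delete records older than their purpose's retention period; return how many."""
        removed = 0
        for sid, recs in list(self._records.items()):
            kept = [r for r in recs
                    if now - r.collected_at <= timedelta(days=PURPOSES[r.purpose]["retention_days"])]
            removed += len(recs) - len(kept)
            if kept:
                self._records[sid] = kept
            else:
                del self._records[sid]
        return removed

    def export(self, subject_id: str) -> str:
        """Access and portability: the subject's data in a machine-readable format."""
        recs = self._records.get(subject_id, [])
        return json.dumps([{"purpose": r.purpose, "collected_at": r.collected_at.isoformat(),
                            "data": r.data} for r in recs], indent=2, sort_keys=True)

    def erase(self, subject_id: str) -> bool:
        """Right to erasure; True if anything was actually deleted."""
        return self._records.pop(subject_id, None) is not None

    def pseudonym(self, subject_id: str) -> str:
        """Keyed pseudonym: stable for joins, but not reversible without the key."""
        return hmac.new(self._key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]

    def analytics_view(self) -> Dict[str, List[str]]:
        """What the reporting pipeline gets: purposes per pseudonym, no identifiers."""
        return {self.pseudonym(sid): sorted(r.purpose for r in recs)
                for sid, recs in self._records.items()}


def run_demo() -> dict:
    """Walk through collection, over-collection, expiry, export and erasure."""
    store = CustomerStore(b"example-pseudonymisation-key")  # constructed key
    t0 = datetime(2018, 5, 25, tzinfo=timezone.utc)
    store.collect("cust-1", "order_fulfilment",
                  {"email": "a@example.org", "name": "A. Example", "address": "1 Rue X"}, t0)
    store.collect("cust-1", "newsletter", {"email": "a@example.org"}, t0)
    store.collect("cust-2", "newsletter", {"email": "b@example.org"}, t0)
    try:  # the newsletter purpose does not justify a postal address
        store.collect("cust-2", "newsletter", {"email": "b@example.org", "address": "2 Rue Y"}, t0)
        over_collection_rejected = False
    except ValueError:
        over_collection_rejected = True
    records_before = len(json.loads(store.export("cust-1")))
    purged = store.purge_expired(t0 + timedelta(days=366))  # order data expires, newsletter stays
    purposes_after = [r["purpose"] for r in json.loads(store.export("cust-1"))]
    return {
        "over_collection_rejected": over_collection_rejected,
        "records_before_purge": records_before,
        "purged": purged,
        "purposes_after_purge": purposes_after,
        "erased": store.erase("cust-2"),
        "erased_again": store.erase("cust-2"),
        "analytics": store.analytics_view(),
        "pseudonym_cust1": store.pseudonym("cust-1"),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The retention table is the piece worth keeping outside the code in a real deployment (it is also what a records-of-processing register asks for), and the pseudonymisation key must live in a secrets store separate from the analytics system, otherwise the pseudonyms are trivially reversible and the data is still personal data.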

Do I need a data protection officer?

Appointing a data protection officer is not required in every case. It depends on the type and amount of data you collect, whether processing is your core business, and whether you do it on a large scale.

For example, if you process personal data to target advertising through search engines based on people’s behaviour online, you do need a data protection officer.

Even though you may not be formally required to have a data protection officer, you may have to seek the help of a consultant in order to make sure that you’re taking all the right actions to comply with GDPR.

Do I need to keep records?

According to the European Commission, SMEs (fewer than 250 employees) only have to keep records of processing if the processing is not occasional, if it is likely to pose a risk to people's rights and freedoms, or if it involves sensitive data or criminal records.

Does my company need to conduct data protection impact assessments?

Impact assessments may be required for high-risk processing, which includes: new technologies; automatic, systematic processing and evaluation of personal information; large-scale monitoring of a publicly accessible area (e.g. CCTV); large-scale processing of sensitive data like biometrics.
