THE GDPR IS COMING: AWARENESS AND PREPARATION FOR COMPLIANCE
By: Amy Apostol
May is here, and that means that GDPR enforcement begins this month. The General Data Protection Regulation, or GDPR, was adopted by the European Union Council and the European Parliament in 2016 and will be effective and enforceable as of May 25, 2018. If you haven’t given the GDPR much thought, now is the time to evaluate and prepare.
OVERVIEW OF THE GDPR
The GDPR takes a new look at privacy in light of the ever-changing technological and commercial world in which we live. Starting with the idea that privacy is a right, it shifts the focus and control over personal data to the individual, rather than the organization that holds and uses that information. Under the GDPR, individuals have more control over the use, storage, retention, portability, and erasure of their personal data. Individuals have the right to request and obtain access to their personal data and related information in order to understand how their data is being used and whether it is being controlled or processed for a lawful purpose. While the fines for non-compliance can be hefty and the steps to meet the GDPR requirements are onerous, a primary goal of the Regulation is to enhance trust and transparency between individuals and corporations. It aims to help organizations take a comprehensive look at the data they hold and how they use and protect it.
Extraterritorial Reach of the Regulation
The GDPR applies broadly to all companies that control or process the personal data of EU citizens, even if those companies are located outside of the EU. Data controllers typically collect personal data directly from individuals and determine the use of the information, including the purposes for which it is used and processed. Data processors process personal data on behalf of the data controller. Although a data controller can also process personal data, a data processer is often a separate entity under contract with a data controller.
Under the GDPR, the term “personal data” encompasses more information than we would commonly think about under U.S. rules regarding privacy. Not only are common information types such as name, email address, place of birth and date of birth covered, but personal data also includes IP addresses, location data, behavioral data derived from IoT devices, internet tracking cookies, and voice or facial recognition. Account numbers and other unique numbers associated with an individual may also be considered personal data. The GDPR recognizes that certain information like health-related data, information about ethnicity or religious and political views, or social and cultural identifiers is especially sensitive and requires additional protections. The GDPR also covers pseudonymized, but not anonymized, data.
Lawful Basis for Collection and Processing
You must have at least one lawful basis for collecting or processing personal data. A commonly used basis is to obtain freely given and unambiguous consent by an individual who is providing personal data for a particular use. Personal data can also be collected or processed if it is required to meet the terms of a contract or when there is a legal obligation to do so. Collection or processing is also permitted when there is a vital (life or death) interest, when it is in the public interest, and when there is a legitimate interest in collection or processing that overrides other interests, such as privacy considerations.
Privacy by Design
The GDPR requires that companies think about data privacy from the very beginning and as a key concept of the design, development, and implementation of products, services, and processes. This is called “privacy by design.” Companies also have an ongoing duty to protect personal data and are expected to make prompt notification of data breaches to individuals and appropriate authorities.
ENFORCEMENT AND PENALTIES
Enforcement starts on May 25th and can carry maximum fines of up to the greater of 4% of a company’s annual global turnover or 20 million Euros for infringement of an individual’s privacy rights. Enforcement action can be triggered by things like a data breach, a complaint submitted by an individual, or a company’s failure or inability to act on an individual’s request (such as a request to withdraw consent or to exercise a privacy right).
Penalties imposed can vary and will be proportionately based on the underlying facts, such as the scope or severity of a data breach, the failure to properly report a data breach, the level of attention given to an individual’s rights, the level of non-compliance with the GDRP, and what has happened to the personal data as a result of these factors.
COMPLIANCE PLANNING AND ACTION
Developing a Compliance Plan
While there is no “one size fits all” approach to GDPR compliance, a good plan will include identification of GDPR risks (with emphasis on the privacy risk to the individual over the business-related risk), application of appropriate data protections, and corporate awareness of the location, type, and use of data. Compliance efforts will likely begin with employee training and education about GDPR requirements and the importance of privacy.
Documentation of your compliance activities, including your action plan and training programs, will be critical to your ability to respond to an enforcement action. You may want to take a phased approach to compliance so that it is more manageable and realistic. You can build this documentation and demonstrate your efforts along the way, adjusting for changes in the digital landscape and your operational activities. For instance, you will want to be able to show proof of consent by individuals whose personal data you are using, information about where personal data resides in your organization or IT systems, security measures, policies related to data access and IT security controls, and implementation of technologies that enhance privacy protections.
In conclusion, while May 25th is an important date, GDPR compliance is a process, not a finish line. The GDPR can be a helpful tool in the development of data security and privacy best practices to help enhance trust and transparency with customers and the general public.
Amy is a member of The A.L.T. Group and an attorney focusing on privacy, data security, insider threat, and cybersecurity issues. To engage Amy, please contact us at www.adeptlegaltalent.com/engage