The European Union’s General Data Protection Regulation (GDPR) was approved on April 14, 2016 with a two-year preparation period in place to allow businesses and technology to get ready. This incoming regulation represents probably the most substantive and wide-reaching data privacy regulation in the world, and will have an immediate and significant impact on the operations and systems of every organization that intends to interact with EU residents when it comes into force. This includes organizations based outside of the European Union that are involved in the processing and storage of any data related to EU residents. In short, if the personal data of an EU resident is present in any part of a system or network, the organization responsible is going to have to be in compliance with the GDPR, and there is a lot to consider.
Enforcement of the GDPR will commence on May 25, 2018. EU regulations are deemed a binding legislative act with application and force across the entire European Union. This is not a policy or goal for each member country to interpret and develop on its own; it will be an active law in effect in every jurisdiction of the EU. This is significant because digital systems will need to be in compliance with every provision of the GDPR, and system administrators will not be able to carve out exceptions for any single region of the EU.
There will also be significant penalties in place for organizations that do not comply with the requirements. Breaches of the GDPR may result in fines up to a maximum of 4% of annual global turnover or 20 million euros, though there will be a tiered system in place based on the significance and number of incidents related to any breaches. However, even the lowest tiers represent a significant financial penalty, as the EU has provided an extensive two-year period to prepare for this change, and it has made its intention clear that the GDPR will be a serious framework to protect consumers.
From an organizational standpoint the transition period may be a challenge as initial compliance is established; however, there is some benefit in this, as organizations will also only be required to observe one universal standard within the EU going forward. Research around the topic of consumer data privacy also suggests that there will be benefits in the form of greater consumer trust. Surveys show that digital consumers generally blame the systems rather than the hackers when breaches occur, and that concern over privacy breaches leads a significant number of users to simply provide false answers to digital requests. Greater protections, and transparency around those protections, are likely to increase trust and engagement among digital users, which could result in more accurate digital data responses and even more digital business for organizations.
From a consumer standpoint the new requirements set out under the GDPR are quite promising. Most of the provisions were designed with careful consideration for principles of data portability, transparency, one-stop-shop simplicity, and privacy by design.
This is an all-or-nothing framework for organizations that want to reach EU residents, who number approximately 500 million individuals. Quite simply, this is not a demographic that can be ignored.
Types of Data
The EU’s regulations already differentiate types of data. Under the Data Protection Directive, standard personal data is defined as “any information relating to an identified or identifiable natural person”, including direct and indirect identification, such as by name or by organization and affiliation. This is a broad definition meant to capture the majority of personal data that individuals will provide in most cases. However, there is another category of sensitive personal data, which includes information such as an individual’s race, religion, political affiliations, union membership, health, and relationships. This category of data is already afforded special recognition and additional protections in recognition of its value and possible impact on individuals, and will continue to be an important consideration under the full GDPR provisions.
The GDPR will expand upon the above categories by introducing new categories that reflect innovations in data usage. The regulation will introduce a definition for genetic and biometric data, and include this data in the sensitive personal data category so that it is subject to higher standards for consent and protection. This will include a requirement for an impact assessment to identify risks and data processing methods for organizations that engage in large-scale processing of this type of data.
The GDPR will also recognize pseudonymous data, which is personal data that is encrypted to prevent the identification of an individual party. This data will fall into the general personal data category, but will benefit from several exceptions to the new and more involved GDPR requirements. For example, because it cannot identify individuals on its own, organizations may be exempt from reporting some data breaches related to pseudonymous data, and this data may be generally more portable for other uses internal to the organization. The GDPR will effectively create several incentives for organizations to use pseudonymous data over standard personal data, in the hope that more groups will prefer this data format for its ease of use, while simultaneously providing the benefit of greater protection and peace of mind for their users.
Consent to Data Collection
Under the GDPR, organizations will have to present clear and comprehensible terms to all parties when asking to collect their data, and these parties must in turn provide clear consent to the data collection. Organizations are expected to use clear and plain language and have been explicitly warned to avoid using complex language or legalese in their requests. The regulation further sets out that non-sensitive general data may be consented to with a clear disclosure and an unambiguous consent process. However, sensitive data of a personal nature will incur a higher standard of disclosure, and parties will be required to provide clear and fully informed consent through an opt-in process.
There is a substantial and important difference between these two standards. For non-sensitive data collection, parties will have to be informed of the collection, but may consent and proceed with the process through a simple indicator such as continued use of a digital platform after the clear disclosure. With sensitive data, the parties will have to actively provide proof of their understanding and consent, which may require a more involved consent button, drop-down menu, checkbox, or more.
Finally, it is important to note that the GDPR will also establish a minimum age for providing the consent to data collection discussed above. Interestingly, the GDPR permits member countries to select the minimum age that will apply to their populace, so long as it falls between 13 and 16 years of age. However, countries that do not legislate a specific age will default to 16 years old under the incoming regulation. This is an odd point of inconsistency on the part of the GDPR, and will require that organizations’ systems are able to recognize different EU member nations and apply the correct requirements, or else adopt the minimum age requirement of 16 in order to be safe.
Data Maintenance and the Right to be Forgotten
In addition to requiring that organizations obtain clear consent from consumers when collecting data, the GDPR also requires that organizations only store and process that data for “no longer than is necessary for the purposes for which the personal data are processed.” This means that data may not be retained by organizations indefinitely, though the definition of “no longer than necessary” will inevitably vary depending on industry, purpose, and the disclosure provided to consumers.
Organizations are also required to erase all of the personal data of a consumer upon their request, which effectively means that the Right to be Forgotten will now be a legal requirement. This will not override any laws or regulations that require the maintenance of particular data, such as laws requiring the maintenance of health records. However, outside of these select areas of conflict, all systems will have to provide a mechanism for consumers to request that their data be removed, and in observing the principles of the GDPR these mechanisms will have to be completely effective and easy to access.
The GDPR and its data management requirements will also, in principle, require organizations to make personal data portable where possible. More specifically, consumers will “have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance.” The problem with this, of course, is that systems that collect personal data are unlikely to be compatible or to work with the same frameworks or formats, which will hinder the actual usability of any data that a consumer requests. Furthermore, providing an easily accessible method to request all of one’s personal data will inevitably pose new security risks, as malicious parties will certainly try to take advantage of a built-in process that collects and withdraws all of a person’s data for them. Data portability is a significant issue for the design process and should be very carefully considered.
Data Protection Officers and Reporting Data Breaches
The GDPR will require organizations that process or store large amounts of personal data, whether for external consumers or internal employees, to appoint a Data Protection Officer (DPO). A DPO will generally be responsible for educating and training the organization and its staff on GDPR compliance requirements, conducting security audits, monitoring performance, and maintaining records of all personal data processes and activities. Some organizations will be required to perform periodic impact assessments in order to identify vulnerabilities, mitigate risks, and test their policies for spotting breaches and protecting data from them, and responsibility for these assessments will likely fall to the DPO. Finally, the DPO will also be required to interact with consumers as necessary in order to inform them about how their personal data is used and their rights with regard to that use. The qualifications and duties of the role are not explicitly set out under the incoming regulation, though the intent appears to be to create a position in organizations that is informed about and accountable for compliance with the GDPR framework. As such, the DPO should generally have a degree of authority and autonomy in the organization and should be able to operate without any conflicting interests, which will require some degree of separation from data processing and storage teams. (In short, the DPO should not also be a key member of the data team such that the two roles conflict.)
In addition to the general security and oversight provided by a DPO, the GDPR establishes a new requirement that any company that experiences a data breach which may pose a risk to individuals’ data must notify the Data Protection Authorities (DPA) within 72 hours, and further notify the affected individuals without undue delay. Unfortunately, this requirement creates some ambiguity in its reference to risk, and in the fact that organizations do not have to report where “the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Without a clear definition in place for what constitutes a risk, the requirement is open to interpretation. This uncertainty is only heightened by the GDPR’s acknowledgement of pseudonymous data and other categories of data which inherently carry different risks and different abilities to identify individual persons. As a result, organizations will have to evaluate a subjective understanding of risk based on the type of data, the circumstances of the breach, and other factors. Thankfully, a 30-page guideline for assessing breaches has been released by the regulators to help organizations get oriented.
Getting Ready for the GDPR
The GDPR requirements must be met by May 25, 2018, and this requirement applies to organizations and their digital partners. Data controllers and data processors alike must be in full compliance, and a data controller working with a processor that is out of compliance will also be in breach. This high expectation is intended to get organizations to hold each other accountable, and to be responsible for every part of their digital system, even those outsourced to third parties.
Given the potential liability connected to third-party compliance, most organizations will need to update their contracts and agreements to reflect the new requirements and firmly establish their obligations. Cloud networks, SaaS providers, even simple digital retail sites will have to account for data management throughout. This will involve a lot of regulatory interpretation and negotiation as parties try to identify their obligations, and work to mitigate and allocate liability effectively. All of these parties will also have to update their contracts and information pages for consumers, though these updates will be geared towards greater transparency and informing consumers about the organization’s responsibilities and policies under the new regulation. In short, even after two years of advance notice there are a lot of changes to make as the clock continues to tick towards May 25th, 2018, and organizations should be spending their time preparing. Certainly, they will not want to have to choose between forgoing a marketplace of 500 million potential customers and incurring the full powers and sanctions of the European Union.
The material and information in this article are for general information only. They should not be relied on as legal advice or opinion. The authors make no claims, promises, or guarantees about the accuracy, completeness, or adequacy of any information referred to in this article or its links, or the application of the information to your situation. No person should act or refrain from acting in reliance on any information found in this article. Readers should obtain appropriate professional advice from a lawyer duly licensed in the relevant jurisdiction. These materials do not create a lawyer-client relationship between you and any of the authors or Momentum Business Law.