The European Parliament, Council of the European Union, and the European Commission have implemented a sweeping new privacy law. It’s called the General Data Protection Regulation (GDPR), and affects every organization in the world offering goods or services to, or monitoring the behaviour of, customers who are European Union (EU) citizens or residents. It applies to all companies processing and holding the personal data of EU citizens and residents, regardless of the company’s location.
The law is intended to give control back to citizens and residents over their personal data. GDPR passed in April 2016, and will begin to be enforced May 25th, 2018. Marketers who profile or target anyone residing in the EU, regardless of the size of their company, will be significantly affected by the new law.
Why Did GDPR Become Law?
GDPR replaces the EU’s Data Protection Directive 95/46/EC of 1995. It is designed to harmonize data privacy laws across Europe, protect and empower EU citizens’ data privacy, make it cheaper and easier for organizations to do business across the Union, and reshape the way organizations across the region approach data privacy. It covers the following areas: consent, further processing not based on consent, the right to object and profiling, the right to erasure (“right to be forgotten”), data protection officers, data breach notifications, administrative fines, and a “one stop shop.”
Defining “Personal Data”
The definition of personal data has been significantly expanded from the 1995 directive. It now includes any information relating to a person who can be identified, directly or indirectly. This includes any reference to an identifier, such as a name, location data, or identification number, or to factors specific to the physical, mental, genetic, physiological, economic, cultural, or social identity of a person.
Online identifiers including IP addresses, cookies, pixels, and more are now regarded as personal data.
Debate about the type of consent required under GDPR has been keen, in particular for marketers. This is because a person’s consent needs to be freely given, specific, informed, and unambiguously indicate their wishes, either by a statement or by a clear affirmative action, signifying agreement to their personal data being processed. Organizations also need to make clear to a person what their data is going to be used for at the point of data collection.
Organizations processing the personal data of children under the age of 16 need to obtain parental consent to do so, unless member state law provides for a lower age not under 13.
A person should always be able to withdraw their consent, which should be as easy as giving it.
Pseudonymization and Further Processing Absent Consent
Pseudonymization transforms personal data so that it cannot be attributed to a specific person without additional information. One example of this is encryption, which makes data unintelligible without access to a unique decryption key. Pseudonymization is recommended to reduce the risks to data subjects and help data controllers and processors meet their data-protection obligations.
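As an added illustration of the paragraph above (example code written for this page, not taken from it or from any product), the following uses a keyed HMAC-SHA256 token in place of the encryption the text mentions: direct identifiers are replaced by pseudonyms, and the secret key plus a separately stored lookup table are the “additional information” without which the records cannot be attributed to a person. The field names and sample records are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Fields treated as direct identifiers (assumed schema for this example).
DIRECT_IDENTIFIERS = ("name", "email", "ip")


def make_pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed token: the same person yields the same token, so
    records stay linkable for analysis, but the token cannot be reversed or
    recomputed by anyone who does not hold the secret key."""
    normalized = value.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def pseudonymize(record: dict, key: bytes, lookup: dict) -> dict:
    """Return a copy of the record with direct identifiers replaced.
    The lookup table (token -> original value) must be stored apart from
    the pseudonymized data, together with the key, under stricter access."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            token = make_pseudonym(out[field], key)
            lookup.setdefault(token, out[field])  # keep first-seen original
            out[field] = token
    return out


def reidentify(record: dict, lookup: dict) -> dict:
    """Reverse the transformation; only possible with the separate table."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out and out[field] in lookup:
            out[field] = lookup[out[field]]
    return out


# Constructed sample data (not real people or addresses).
SAMPLE_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.org", "ip": "203.0.113.7", "plan": "pro"},
    {"name": "Alice Example", "email": "Alice@Example.org", "ip": "203.0.113.7", "plan": "pro"},
    {"name": "Bob Example", "email": "bob@example.org", "ip": "198.51.100.2", "plan": "free"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and held by the controller only
    table: dict = {}
    for rec in SAMPLE_RECORDS:
        print(pseudonymize(rec, key, table))
```

Note that the two Alice records produce identical tokens despite the different e-mail casing, which is what keeps pseudonymized data usable for analysis, while a different key yields unrelated tokens.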
Some processing without consent is permitted to safeguard the protection of individuals’ rights and freedoms, national security, general public interest, and the detection, prevention, investigation, or prosecution of criminal offenses.
Organizations considering further processing without consent need to consider the possible downstream consequences of the processing, the nature of the data, and whether appropriate safeguards are in place.
Data Protection Officers
If your organization controls or processes data, and your core activities consist of regular and systematic monitoring of personal data, or the processing of special categories of personal data on a large scale (such as data revealing political opinions, racial or ethnic origin, or religious or philosophical beliefs), then you must designate a data protection officer (DPO).
A DPO must have “expert knowledge of data protection law and practices” and access to your organization’s data processing personnel and operations. They require independence in performing their role, and must report directly to the highest management level of the organization. Absent conflicts of interest, they may perform other tasks and duties, and may also act for multiple subsidiaries as long as they are easily accessible to each one.
A data protection officer can be either an employee or a third-party service vendor, and cannot be penalized or dismissed for performing their tasks.
Data Privacy by Design and Default
GDPR stipulates that data protection must be designed into the development of any new business products, services, or processes. All user settings must default to maximum privacy (i.e. with no sharing), and data controllers must ensure that data processing complies with GDPR throughout the whole processing lifecycle. Mechanisms must be in place to ensure personal data is only processed when necessary for each specific purpose.
Encryption and decryption operations must be carried out locally rather than remotely, so that both keys and data remain with the data owner to ensure their privacy. Outsourced, remote data storage (in the cloud) is practical and relatively safe, so long as only the data owner holds the decryption keys.
The GDPR strengthens and expands individuals’ right to control their data. One of these expansions is the requirement for data portability, which is designed to increase competition and lower the friction of changing providers. The principle of data portability simply stipulates that an individual has the right to transport their personal data from one organization to another. Accordingly, this data must be provided in an open format that is structured, commonly used, and machine-readable. When technically feasible, organizations must facilitate the transfer of an individual’s data to another organization upon request.
Data Breach Obligations
GDPR states a personal data breach is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Data controllers must notify the appropriate supervisory authority of a personal data breach without undue delay and, where feasible, not later than 72 hours. If the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals, no notice is required.
Note that the wilful destruction or alteration of data is considered to be as much a breach as theft is. If no notification is given within 72 hours, the controller must provide a “reasoned justification” for the delay.
When a personal data breach will likely result in a high risk to the rights and freedoms of individuals, the controller must communicate the personal data breach to affected data subjects “without undue delay.”
Erasure and the Right to Be Forgotten
Data controllers must inform people how long their data will be retained, and why. People have the right to request that their personal data be erased without undue delay where the data is no longer necessary for the purposes for which it was collected, where they withdraw consent, or where they object to the data processing.
If an organization has made the data public, it must take reasonable steps to inform any other organization that is processing that data of the erasure request.
GDPR and Direct Marketing
Data processing for “direct marketing purposes” is considered a legitimate interest under GDPR. Such processing is lawful if “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
However, “direct marketing” has not been defined under GDPR, so it will pay to consider the precise nature of any proposed marketing activity to ascertain whether or not it will be covered under this principle.
DataIQ Director Peter Galdies muses that:
“It may, for example, mean that a simple mailing of similar goods and services to existing customers and prospects is completely legitimate without direct consent—but it certainly doesn’t include ‘profiling’ for marketing purposes, which does require consent.”
GDPR defines profiling as the automated processing of personal data to determine criteria about a person, “in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.”
Galdies notes that, “Full personalization and other ad-serving techniques for example, rely on a degree of selection normally built on profiles of behaviour or purchase—is explicit consent for this now required? It looks this way.”
People now have the right to opt out of profiling that produces legal effects on them, or otherwise significantly affects them. Automated decision making is legal where people explicitly consent to it, where profiling is necessary under a contract between an organization and a person, or where profiling is authorized by EU or member state law.
A One Stop Shop for all Your Regulation Needs
The GDPR introduces a ‘one stop shop’ system for organizations that operate across the EU, with a single set of rules that apply to all EU member states. Each state has an independent supervisory authority to hear and investigate complaints, to sanction administrative offences, and so on. These supervisory authorities are allowed to cooperate between countries, simplifying points of contact for businesses.
Organizations with multiple outlets in the EU will have a single supervisory authority as their “lead authority,” based on the location where their primary processing activities occur. This will be their “one stop shop.” However, for certain data processed in an employment context, and certain data processed for national security, local authorities can step in as well.
Administrative Fines and Enforcement
Organizations that do not comply with GDPR will be liable for significant fines.
Regulators can issue administrative fines of €10 million or two percent of an organization’s gross worldwide revenue, whichever is higher, for violations of record-keeping, security, breach notification, and privacy impact assessment obligations.
Violations of obligations related to data processing (such as consent), data subject rights, or transfers of personal data, or noncompliance with an order by the supervisory authority, can result in penalties of €20 million or four percent of an organization’s worldwide annual revenue, whichever is higher.
Planning Guidance for GDPR
For businesses that haven’t already started planning for GDPR, the best time to start was yesterday. The second best time is today. One of the first things any organization should do is appoint a compliance officer. They’ll be able to help analyze where the organization currently stands and create an implementation plan.
The second thing to do is to immediately perform a comprehensive audit, and benchmark everything the organization is currently doing. Marketers will need to undertake a content audit to analyze exactly where their current campaigns and strategy will need to be revised in order to comply with the GDPR.
Once an organization has conducted a comprehensive audit, it will need to create appropriate policies and procedures based on what the audit unearths, and disseminate these widely and quickly.
The GDPR is a major piece of legislation that will affect every organization with a single customer, user, or data subject residing in the EU. It will require significant effort to comply with, and the fines for non-compliance are non-trivial. However, GDPR also offers organizations the opportunity to retool their approach to privacy in a way which offers opportunities to increase trust and expand their customer base. This is particularly true in countries not affected by the legislation, where GDPR compliance could offer a significant competitive advantage.
GDPR Influencers to Follow
If you want to get smarter about GDPR, consider following these 10 experts on Twitter:
Thomas Power | @thomaspower | London, UK
Eduardo Ustaran | @EUstaran | London, UK
David Clarke | @1DavidClarke | London, UK
HoganLovells Privacy | @HLPrivacy | Washington, DC
Ian Moyse | @imoyse | Reading, England
(ISC)2 | @ISC2 | Clearwater, FL
IT Governance | @ITGovernance | UK
ENISA | @enisa_eu | Greece
GDPR:Report | @GDPRReport | UK
EDPS | @EU_EDPS | Brussels, Belgium