Are you ready for the GDPR?
By now, you have likely heard of the GDPR: the General Data Protection Regulation, a European privacy law approved by the European Commission. The GDPR will replace a prior European Union privacy directive, which has been the basis of European data protection law since 1995.
A regulation such as the GDPR is a binding act, which must be followed in its entirety throughout the EU. The GDPR is an attempt to strengthen, harmonize, and modernize EU data protection law and enhance individual rights and freedoms, consistent with the European understanding of privacy as a fundamental human right.
The GDPR regulates, among other things, how individuals and organizations may obtain, use, store, and eliminate personal data. It will have a significant impact on businesses around the world. The rights it gives individuals include:
- Right to object: An individual may prohibit certain data uses.
- Right to be forgotten: An individual may request that an organization delete all data on that individual without undue delay.
- Right to rectification: Individuals may request that incomplete data be completed or that incorrect data be corrected.
- Right of access: Individuals have the right to know what data about them is being processed and how.
- Right of portability: Individuals may request that personal data held by one organization be transported to another.
When does it come into effect?
The GDPR was adopted in April 2016, but will officially be enforceable beginning on May 25, 2018. There will not be a “grace period,” so it is important that organizations impacted by the GDPR get ready for it now.
Who does it affect?
The scope of the GDPR is very broad. It will affect (1) all organizations established in the EU, and (2) all organizations that process the personal data of EU citizens. The second category reflects the GDPR’s principle of “extraterritoriality”: the GDPR applies to any organization processing the personal data of EU citizens, regardless of where that organization is established and regardless of where its processing activities take place. In other words, the GDPR could apply to any organization anywhere in the world, so every organization should assess whether or not it is processing the personal data of EU citizens. The GDPR also applies across all industries and sectors.
What is considered “personal data”?
Per the GDPR, personal data is any information relating to an identified or identifiable individual; that is, information that could be used, on its own or in combination with other data, to identify an individual. Consider the extremely broad reach of that definition. Personal data now includes not only data that is commonly considered personal in nature (e.g., social security numbers, names, physical addresses, email addresses), but also data such as IP addresses, behavioral data, location data, biometric data, financial information, and much more. This means that at least a majority of the information you collect about your subscribers and contacts will be considered personal data under the GDPR. It’s also important to note that “pseudonymized” data is still personal data if the pseudonym can be linked back to a particular individual. Sensitive personal data, such as health information or information that reveals a person’s racial or ethnic origin, requires even greater protection.
What does it mean to “process” data?
Per the GDPR, processing is “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Basically, if you are collecting, managing, using or storing any personal data of EU citizens, you are processing EU personal data within the meaning prescribed by the GDPR. This means, for example, that if any of your email lists contains the email address, name, or other personal data of any EU citizen, then you are processing EU personal data under the GDPR. Keep in mind that even if you do not believe your business will be affected by the GDPR, the GDPR and its underlying principles may still be important to you. European law tends to set the trend for international privacy regulation, and increased privacy awareness now may give you a competitive advantage later.
Overall, you need to know that under the GDPR you must have a lawful basis to process (use) data. There are 6 different legal bases; legitimate interest, performance of a contract, and consent are the most commonly used. For example, let’s talk about consent. Some of the key requirements when relying on consent are:
- It has to be specific about what you are using the data for.
- A privacy notice needs to be nearby.
- No pre-ticked boxes!
- It cannot be a condition of buying a product or service.
- You have to keep a record of the consent.
- The user needs to be able to withdraw consent easily.
Do you need to comply with the GDPR?
You should consult with legal and other professional counsel regarding the full scope of your compliance obligations. Generally speaking, however, if your organization is established in the EU or is processing the personal data of EU citizens, the GDPR will apply to you. Even if all you are doing is collecting or storing email addresses, if those email addresses belong to EU citizens, the GDPR likely applies to you.
What happens if you do not comply?
Non-compliance with the GDPR can result in enormous financial penalties. Sanctions for non-compliance can be as high as 20 million euros or 4% of global annual turnover, whichever is higher.
At Ideal Wild, we strongly encourage you to start your compliance efforts now, if you haven’t already. It is never too early to review your organization’s data privacy and security practices.
If you have any questions, please email us at email@example.com.
Reference: European Commission