Stumptownfin.com

Portland's finest Finance blog and resource
GDPR – General Data Protection Regulation Key Concepts and Overview


By James Bell

Categories: Accounting, Higher Level Management, Regulatory

24 Feb

GDPR, the General Data Protection Regulation, was approved by the EU Parliament on April 14th, 2016 and goes into effect May 25th, 2018. The regulation is intended to strengthen and unify data protection for individuals within the European Union. This article doesn't cover every minute detail, but it is a good overview for understanding the GDPR because it clarifies the underlying concepts the regulation represents.

But I don't live in the EU?

Clients and users all over the world will be affected by this. Other regulatory bodies across the world have taken notice of it and will continue to monitor both its successes and failures. If you plan to store or process Europeans' information electronically, this affects you.

The GDPR is extra-territorial, which means that you don't have to live in the EU for it to affect you. It protects individuals within the EU regardless of where the company stores data, is incorporated, pays taxes, etc.

The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data of 1981, as well as the Data Protection Directive of 1995, allow the EU to do this. If you want to dive deeper into the legal history and binding nature of the GDPR, we suggest you do more research outside of this article, as we have to limit our scope for readability.

Key Concepts

We will start with a high-level overview and then go into more detail. There are over 100 provisions in the GDPR, and this article is in no way exhaustive, nor should it be used as a reference to defend your company or product in a court of law.

DPO

A Data Protection Officer is required for companies that store or process large amounts of personal data, even if it's only information about internal employees. This authoritative person is responsible for the oversight of data collection, use, storage, and processing. It is a security leadership role for the entire company.

The DPO is responsible for training, conducts audits, serves as the point of contact for authorities, and oversees everything contained in this article and much more.

Protection for Children

GDPR introduces parental consent for collecting data on children under the age of 16 and requires that consent prior to collecting the data. This addition is the E.U.'s version of the U.S. Children's Online Privacy Protection Act of 1998, but with a much broader focus.

Required Response Time for Data Breach

Companies must report data breaches to an EU regulator within 72 hours. Article 33 includes the specific details and requirements.

The Spirit of the Regulation in 4 Questions

1. Are you lawfully processing personal data?

2. Are you respecting users' data rights?

3. Are you meeting obligations as a Controller or Processor?

4. Are privacy rights part of the design of your products and process?

Let's get into a little more detail about what these questions mean.

Data Subject Rights

DSRs are rights given to individuals that let them say how companies use and store their personal data. For example, people covered under GDPR can request that companies delete the data they hold on them. The idea is that Data Subject Rights put the individual in control of what data companies have, and require consent for its use, rather than letting companies collect data without your consent.

1. Right to Be Forgotten

– You can request that companies delete your personal data.

2. Right to Access

– You can request the data a company holds about you.

3. Right to Portability

– You can ask companies what information they have on you.

4. Right to Restriction of Processing

– An individual can require a company to stop processing their personal data.

5. Right to Rectify

– You can request that a company correct the data it has about you.

6. The Right to Object

– You can object to the processing of personal data about you at any time.

Lawfulness of Processing

Companies need to have a legal basis for using, collecting, handling and storing personal data. This puts the onus on companies to prove why it's necessary to have and use data about you.

There are many ways that companies can prove this but the three most common are:

Contractual Necessity

Some contracts make it necessary to collect data. For example, if you have a jogging app on your phone that uses your location data, the company needs to collect this data in order to fulfill its contract to you, the user. We see this outside of the EU, but the GDPR kicks it up a notch: consent must be unambiguous and given by affirmative action. This can make proving customer consent a challenge.

Legitimate Interest

The company must balance its own interest with your interest. For instance, a company needs enough information to process transactions in a way that prevents fraud, which outweighs your interest in withholding basic information such as name and address.

Controllers and Processors

Companies fall into one of these two categories. Article 4 defines these categories:

(7) ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

(8) ‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Controllers decide how personal data is processed. Processors process data for a different entity. Hence, you can think of a Processor as a third-party service that processes data on behalf of a Controller.

Extension of liability

Under the GDPR, your vendor's mistakes can have consequences for your company. This is called unlimited liability. It is also a response to the previous caps on fines, which were poor motivators, and it increases liability risk for both Processors and Controllers. GDPR states that individuals can claim material or non-material damages for non-compliance. This means that both Processors and Controllers will have to include greater liability caps in their contracts. Only if a Controller can prove it is completely fault-free can it avoid liability for a Processor's breaches under contract. This can also go the other way: a Processor can avoid liability if it is proven fault-free.

Final Thoughts

The GDPR helps protect people from the ever-present threat of data breaches and negligence. It's a great step towards protecting the rights of individuals. It also increases risk for companies, as it gives them a greater stake in, and liability for, the management of your data. You may have seen some of the changes already. For instance, this website uses a cookie consent banner across the bottom of the page to comply with GDPR.
