By: Hooman Yavi and Price Murry
The GDPR is the new data protection law that applies to any company or individual that collects or processes data from EU citizens. This includes “Controllers”, companies and individuals that collect and determine the purpose and means of processing personal data, and “Processors”, companies and individuals that process personal data on behalf of Controllers. The GDPR will be enforced starting May 25, 2018, and noncompliance can result in significant fines.
Why Does This Matter?
Failing to comply with the GDPR can carry heavy penalties. For serious misconducts, organizations found in breach of the GDPR can be fined up to 20 million Euros, or 4% of their global annual gross revenue (whichever is higher).
Even for mismanagement of data records in breach of the GDPR, an organization can be fined up to 10 million Euros, or 2% of their global annual gross revenue. Therefore, it is imperative to consult with a data privacy attorney to make sure your compliance efforts are proportional to your risks.
Who Does the GDPR Apply to?
The GDPR applies to any organization that routinely collects or processes personal information about European residents. Personal information is more than a name, address, or social security number. It can also include an IP address, so if your website sets tracking cookies for visitors, you may be collecting personal information about European residents.
New Rights Created by the GDPR
The GDPR protects the personal data of EU citizens by creating new fundamental rights for individuals.
Right to Give and Withdraw Consent
Under the GDPR, consent must be unambiguous, setting out the purpose for collecting the data and how it will be used. Data Subjects must also be able to withdraw their consent upon request.
Right of Portability
The GDPR introduces a new right of data portability. The right of data portability means that the Data Subject has the right to obtain a copy of all personal data which the Controller has collected from the Data Subject if:
- The processing is based on the Data Subject’s consent or on a contract; and
- The processing is carried out by automated means
Data Subjects have the right to:
- Transmit the data to another Controller without being hindered by the Controller to which the data was originally provided; and
- Receive data in a structured electronic format that is commonly used and permits further use by the Data Subject
However, the right of portability is limited if it adversely affects the rights and freedoms of others. This generic rights-and-freedoms argument can be made by Controllers in defending their commercial objective of not sharing data with their competitors.
Right to Be Forgotten
The right to be forgotten, or the right of erasure, gives Data Subjects the right to require the Controller or Processor to erase any personal data without undue delay. The Controller must, upon request, erase personal data if:
- The data is no longer necessary for the purpose for which it was collected or processed
- The Data Subject withdraws consent and there is no other legal ground for processing the data
- The Data Subject objects to the processing of personal data for the purpose of carrying out public interest
- The Data Subject objects to the processing of their data for direct marketing purposes
- The personal data has been unlawfully processed
- The personal data has to be erased for compliance with legal obligations under EU or National Law to which the Controller is subject
- The personal data has been collected in relation to the offer of information society services directly to children
What is Required From My Organization?
Protect the Rights of EU Citizens
Organizations seeking to comply with the GDPR must implement several procedures designed to protect the rights of European citizens. Under the GDPR, Data Subjects have a right to:
- Know what data is being collected and for what purpose
- Withdraw consent for data processing at any time
- Ask for copies of all data collected about them at any time
- Ask for incorrect data to be corrected (once a request has been made, the data must be corrected immediately)
- Have the data erased at any time
- Object to certain data sets being processed
- Not be subject to automated processing
It is vital to deal with requests from Data Subjects within 30 days of receiving them and to provide the requested information free of charge. However, you may charge a reasonable fee for “repetitive requests”, “manifestly unfounded or excessive requests” or “further copies.”
Provide Notification of Data Breaches Within 3 Days
Under GDPR, breach notification is mandatory, and Controllers and Processors must notify a local administrator of the data breach within 72 hours of first becoming aware of such breach.
To comply with notification requirements, the disclosure must at least:
- Describe the nature of the personal data breach, including categories and number of Data Subjects affected
- Communicate the identity and contact details of the Data Protection Officer
- Describe the consequences of the personal data breach
- Describe the measures proposed or taken by the Controller to address the personal data breach
If your company is unable to make a timely notification within 72 hours of the breach, you must provide a reasoned justification for the delay.
Provide Details About Who Was Affected and How
If the personal data breach is likely to put the rights and freedoms of Data Subjects at risk, the Controller must communicate the personal data breach to them without undue delay. The notification to Data Subjects must include:
- The identity and contact details of the Data Protection Officer or other points of contact where more information can be obtained
- The consequences of the data breach
- The measures proposed or taken by the Controller to address the personal data breach
However, this notification requirement is lifted if:
- The Controller has implemented technical protection measures and rendered the personal data unintelligible (such as through encryption)
- The Controller has taken subsequent measures which reduce the risk that the rights and freedoms of Data Subjects are endangered
- The notification would involve disproportionate effort, in which case a public communication may be made to inform Data Subjects in an equally effective manner
Designate a Data Protection Officer
If your organization collects or processes data from EU citizens, then you may also have to designate a Data Protection Officer (DPO). The DPO is a separate and independent role within your organization that ensures compliance with the GDPR. He or she must create and implement policies, advise on the applicability of the rules, communicate with a European Data Protection Supervisor, and handle any queries, complaints, or investigations.
Your organization may need a DPO if:
- The core of your company’s activities consists of processing personal information, which requires regular and systematic monitoring of Data Subjects on a large scale; or
- The core of your company’s activities includes processing special categories of personal data on a large scale, or data relating to criminal convictions and offences.
DPOs must be afforded independence, and:
- Should not receive any instructions regarding performance of their duties
- Should be protected from conflicts of interest
- Should not be a short-term or contract employee
- Should not report to a direct superior
- Should have responsibility for managing their own budget
The role of the DPO is to:
- Ensure that the organization processes personal data in compliance with the GDPR
- Advise on the interpretation or application of data protection rules
- Communicate directly with the European Data Protection Supervisor (EDPS) about risks
- Manage crises, cooperate with EDPS during investigations, and handle queries and complaints
How Can My Organization Comply?
Without proposing a one-size-fits-all solution to becoming compliant with the GDPR, additional measures that Controllers may consider include:
- Determine what data is collected, how it is used, and where it is stored and processed
- Perform an impact assessment and gap analysis on your collection and processing practices
- Hire outside vendors to monitor and secure data and processes
- Institute automated breach detection systems that can also determine the extent of a breach
- Institute new guidelines and procedures that can assess where critical information is kept and whether it is at risk
Although the GDPR applies to companies that collect data from EU citizens, EU nations may impose additional data protection requirements. To ensure that your company is compliant with the GDPR and any additional data protection laws, consult your data protection attorneys.