The General Data Protection Regulation (GDPR) was adopted by central EU governmental authorities to augment and supersede the previous Data Protection Directive which came into effect in 1995. Chances are, if you are doing business in the EU and your website was created by a professional development team, your website likely follows many of those recommendations already. Importantly, the guidelines of the Data Protection Directive were just that – a set of guidelines.
But the GDPR was passed and authorized in 2016 by three governing bodies of the European Union – the European Commission, the Council of the European Union, and the European Parliament. That means that not only have the guidelines been updated significantly, but the GDPR has the force of law and regulation. It goes into full effect on May 25, 2018, and failure to comply carries penalties.
We’ve helped a lot of companies comply with governmental guidelines and regulations, and the purpose of this article is to provide business leaders with a summary of what is changing with the new regulations and why it matters. At the end of the article we will provide a list of links to resources where you can dig deeper. But as always, if you have any specific questions about how this applies to your website and business, we will also provide a link to contact our team for more information.
Key Updates and Changes to EU Data Privacy Regulation in the GDPR
Applies to Virtually Every Company
Perhaps the most important change in the GDPR is how it clears up which businesses are required to follow its rules. Previously, some of the privacy directive guidelines could be interpreted to apply only to businesses located in the EU and under its immediate jurisdiction. Under GDPR, the rules and regulations apply as protections on the subjects of data collection … individual residents.
This is a big change.
The new data protections in the GDPR apply to every person (data subject) residing in the European Union, whether or not that person was in the EU at the time the data was collected and no matter where the data was processed. Let’s review an example.
Let’s say a resident of France – an EU member state – enters their personal data on your business website while on a cruise in international waters and your business processes that data in its corporate office in New York and stores that data in a globally-redundant public cloud. Under the old rules, it might be ambiguous as to what jurisdiction or set of privacy rules apply to that personal data. Under GDPR, no matter what other regulatory or legal jurisdictions apply, it clearly states that your business is required to follow the data protection regulations set out in the GDPR.
It is possible for a business to geographically limit who visits their websites. And it is certainly possible to exclude EU residents from promotional ads, offers, and sales. But such things are exceptionally rare. This means that virtually all businesses with international exposure that collect personal data and that might include EU residents are subject to the new privacy regulations in the GDPR.
Potential GDPR Compliance Penalties
The GDPR imposes harsh penalties for repeat offenders. There is a tiered approach to fines based on the number of violations. IMPORTANTLY, the fines are NOT calculated on harm or damages.
For example, in most of the United States, if you hurt someone in an accident, it is likely that you – or your insurance company – will pay a civil penalty based upon “damages” incurred. This is usually a two or three times multiple of medical costs, lost wages/property, and suffering. In a lawsuit, it is not uncommon for a judge to dismiss a case because no real or substantial harm has been found to be done.
The penalties associated with violations of the GDPR are based upon the company’s ability to pay as determined by a percentage of revenue – up to 4% of annual global turnover with a maximum fine of EU €20 million. If you are a small business and commit a small violation, your penalty might be a few thousand Euros. If you are a larger organization committing the same violations, your penalty can be many times greater. In no case is it required for the government to prove that a resident has been harmed by a business’ failure to comply with any regulation. The failure to comply is reason enough and penalty funds are paid to the EU.
Acquiring Data Consent
Previously, the guidelines around acquiring the consent of website users for the capture and processing of personal information could be more passive. Things like legally-dense Terms of Service documents and website cookie notifications were sufficient.
New rules for consent under GDPR are greatly strengthened. Information about consent must be active and descriptions of what kinds of data processing and how that data will be used must be clearly stated in common terms. Further, there must be a clearly visible and accessible process for withdrawing consent as well.
There is one other important observation that we should list up front. The GDPR legislation repeatedly uses the term “EU residents” as opposed to “citizens.” We are not legal scholars, but in our opinion, this implies that the GDPR is applicable to anyone residing in an EU member state – including migrants and foreign workers.
New Individual User “Rights” Under the GDPR
The news has been full of stories of large companies that have had a data breach and then kept that information quiet for several days – or even months in the most notorious cases. Under GDPR, companies are required to notify the government and individuals within 72 hours of any and all cases where a breach occurred that is likely to result in a “risk for the rights and freedoms of individuals.”
Rights of Data Access, Data Portability, and Data Erasure – Who “Owns” the Data
Under GDPR every individual has the right to be informed – upon request – if their data is being used or processed, where it is stored and processed, and for what purpose that data is being used. Further, they have the right to be provided an electronic copy of all the data collected about them by the company. The new right of data portability adds that individuals can take that information – provided by the business – and share it with other companies and individuals as they see fit.
GDPR requires another uniquely new process – the individual’s right to have their particular data erased. In the common language of the internet, some refer to this as “the right to be forgotten.” This has never been codified into law before and it is an important innovation in data privacy and many of us are waiting to see how governments enforce it and how the markets respond to it.
The right of erasure is just like it sounds. Upon request, individual EU residents have the right to have their data “erased” from company systems. The GDPR regulation goes on to say that individuals have the right to insist that the business stop processing and disseminating their information. Importantly, this regulation can potentially apply to third-party organizations that have agreements with the business.
In other words, just because a business collects and “processes” the data of individual persons – even with verifiable consent – it does not mean that the business “owns” the data. The ownership of the personal data stays with the individual. Just mention this little tidbit to anyone on your IT or marketing teams and watch their faces blanche white with the sweeping implications.
For most businesses, supporting GDPR’s rights of data access, data portability, and data erasure (the right to be forgotten) will require setting up significant new procedures and processes.
Data Privacy Infrastructure and Architecture – “Privacy by Design”
This series of regulations are the ones we think might be the most problematic, the hardest to enforce, and – quite frankly – not well thought out at this point. The concept is that businesses should make data privacy a core objective and specification for all systems that collect, store, and process individual personal information. And that sounds like a good idea.
The problem is that this regulation suggests that there be a preference for built-in solutions as opposed to bolting privacy and security measures on existing systems after the fact. In the age of specialization and the cloud, this seems to fly in the face of current innovation trends. Why build a customer data privacy app yourself when there is an affordable, industry-standard software as a service (SaaS) solution available? And why would a business hard-code a privacy and security solution into their application when another innovation may just be around the corner?
To be clear, here at ICG we build compliance, data protection, and security into everything we do. They are always top-of-mind for us, so we strongly support the intent of this new “Privacy by Design” GDPR regulations. But from a practical standpoint, our first reading of these related regulations leaves too much ambiguity and subjective interpretation of the new law. We expect a series of court cases to follow its enactment as the intent is resolved with real-world practice and implementation.
Corporate Compliance and Data Protection Officer
Under current regulations, companies doing business in the EU have to report a wide range of items to the Data Protection Authorities (DPAs) of each EU region. If you have done business in multiple EU jurisdictions, you understand this to have been an innovation-stifling bureaucratic nightmare. On the plus side, the GDPR does away with most of that.
Instead, the GDPR insists that organizations have a Data Protection Officer (DPO) who is structurally – and potentially civilly – responsible for GDPR compliance and reporting. There are several requirements and stipulations for this DPO, including their appointment being due to professional skills and qualities, having no conflicts of interest, and that they report directly to the “highest levels of management,” along with several other requirements. The DPO will be specifically responsible for all notifications, filings, and record keeping related to the GDPR while also serving as the official point of contact for government and individual privacy and data security complaints.
If your business is already compliant with the spirit and intent of the various EU directives, the implementation of the new GDPR regulations will be a combination of relief and a bit of extra work to comply. If your business has not been complaint up until now, then time is running out and you should act immediately to bring your operations up to the new standards.
In any event, if you need help understanding or implementing the GDPR regulations in your environment, use our contact form and let us know. We’d be happy to share our experience and help.
Thanks for reading.
Additional Links and Resources
A searchable, digital version of the new GDPR requirements and regulations:
The official GDPR website for reference:
A summary of the GDPR on Wikipedia:
A summary of the preceding EU data privacy directive on Wikipedia:
An article in The Guardian newspaper in the UK that provides a good overview: