The General Data Protection Regulation Reaches Far Beyond the EU
October 23, 2018
By: Samantha M. D'Anna
The European Union’s[1] General Data Protection Regulation (“GDPR”),[2] effective May 25, 2018, has created a shift in data privacy regulation. As the economy has become more globalized, political officials in EU member nations are concerned that their citizens’ personal data has been exploited without their knowledge or approval by companies around the world.
What is the GDPR?
Adopted in April 2016, the GDPR is a regulation by which the European Parliament, the Council of the European Union, and the European Commission are attempting to strengthen and unify data protection for all individuals within the European Union. However, the GDPR can be applied outside of the EU’s borders to any company that markets goods or services to EU residents, regardless of its location.[3] The GDPR requires businesses that control[4] or process[5] personal data of EU citizens to protect that personal data. Personal data includes any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. This definition encompasses a wide range of data, including a name, an identification number, location data or an online identifier. Additionally, personal data that has been pseudonymised – or key-coded – can fall within the scope of the GDPR, depending on how difficult it is to attribute the pseudonym to a particular individual.
The GDPR comprises ninety-nine articles that provide privacy rights for EU citizens and place corresponding obligations on companies around the world. These rights and obligations include (a) granting EU citizens easier access to the data companies hold about them, (b) imposing new fines for noncompliance and (c) requiring organizations to obtain the consent of EU citizens to collect their information.
The GDPR requires companies to implement protection measures, as well as create a corporate structure with a culture of compliance. In the event of an investigation by an EU Supervisory Authority, a corporation subject to the GDPR will need to show not only that it has comprehensive data privacy policies and procedures in place but also that it follows them.
The GDPR imposes these requirements to decrease the likelihood of a data breach; however, if a data breach does occur despite compliance with the GDPR, proof of efforts to comply with the GDPR will reduce the chances of suffering a severe financial penalty[6] by the EU following an investigation.
What are the key concepts?
1. Breach Notifications
Under the GDPR, breach notifications are now mandatory in all member states where a breach is likely to “result in a risk for the rights and freedoms of individuals.” This must be done within seventy-two hours of becoming aware of the breach. Data processors are also required to notify their customers, the controllers, “without undue delay” after becoming aware of a data breach.
2. Right to Access
Data subjects have the right to obtain information regarding their data. Under the GDPR, EU citizens have the right to obtain:
a) Confirmation that their data is being processed;
b) Access to their personal data; and
c) Other supplementary information.
Additionally, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
3. Right to be Forgotten
Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his or her personal data, halt further dissemination of the data and potentially stop other parties from processing the data. Article 17 sets out the conditions for erasure, including:
a) Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
b) When the individual withdraws consent.
c) When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
d) The personal data was unlawfully processed (i.e., otherwise in breach of the GDPR).
e) The personal data has to be erased in order to comply with a legal obligation.
f) The personal data is processed in relation to the offer of information society (management) services to a child.
4. Data Portability
Data portability is the right of a data subject to have the personal data concerning them transmitted to another controller.
5. Privacy by Design
Privacy by design requires data protection from the time systems are designed, as opposed to adding security measures later on. Article 23 states that “[t]he controller shall . . . implement appropriate technical and organisational measures . . . in an effective way . . . in order to meet the requirements of this Regulation and protect the rights of data subjects.” This requires controllers to hold and process only the data necessary for the completion of their duties, and to limit access to personal data to those who need to carry out the processing.
6. Data Protection Officers
The GDPR imposes certain record keeping requirements and requires a Data Protection Officer (“DPO”) to be appointed in some instances. Under Article 37, DPOs must be appointed in the case of (a) public authorities, (b) organizations that engage in large scale, systematic monitoring or (c) organizations that engage in large scale processing of sensitive personal data.
How do I comply with the GDPR?
1. Reduce unnecessary data collection—Take stock of the data you are collecting from customers and why. Gather only the data you need, and limit the collection and retention of that data to fit the limited purposes of collection.
2. Obtain appropriate consent[7]—Processing personal data is generally prohibited unless it is expressly allowed by law or the data subject has consented to the processing. Consent must be freely given, specific, informed and unambiguous.[8]
3. Provide the required notice for data collection—Review and update current privacy notices, policies, and any information provided at data collection points.
4. Remove unique identifiers—Consider when to make some data anonymous or use pseudonyms to help minimize compliance obligations and the risk of data and privacy breaches and claims.
5. Fulfill data access and deletion requests—Understand how customers will make data access or deletion requests. Know how to define internal data retention and deletion policies and procedures.
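Whether a pseudonym still counts as personal data (the point made under "What is the GDPR?") and whether step 4 actually reduces risk both depend on how hard it is to attribute the pseudonym back to a person. The following Python is an added illustration, not part of the original article: it contrasts an unkeyed hash, which anyone holding a list of candidate identifiers can recompute and match, with a keyed HMAC pseudonym whose secret key is stored apart from the dataset. The customer list, the key and the function names are constructed for the example.

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed sample customer table; no real individuals.
CUSTOMERS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def weak_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Looks opaque, but the mapping is recomputable by anyone who can
    guess candidate identifiers, so linkability is not removed.
    """
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    This is the 'key-coded' form: only a party holding the key can
    recompute (and therefore attribute) the pseudonym.
    """
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def reidentify(pseudonym: str, candidates: Iterable[str],
               key: Optional[bytes] = None) -> Optional[str]:
    """Try to attribute a pseudonym by recomputing it for each candidate.

    With key=None this models someone who has only the dataset and a
    candidate list; with the key it models the controller that holds it.
    Returns the matching identifier, or None if no candidate matches.
    """
    for candidate in candidates:
        guess = (weak_pseudonym(candidate) if key is None
                 else keyed_pseudonym(candidate, key))
        if hmac.compare_digest(guess, pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    key = b"constructed-32-byte-demo-key-0000"  # keep real keys in a KMS/HSM
    weak = weak_pseudonym("bob@example.com")
    strong = keyed_pseudonym("bob@example.com", key)
    print("unkeyed hash re-identified as:", reidentify(weak, CUSTOMERS))
    print("keyed, without key:", reidentify(strong, CUSTOMERS))
    print("keyed, with key:", reidentify(strong, CUSTOMERS, key))
```

Because the key holder can still attribute the keyed pseudonym, the dataset remains personal data in that party's hands; destroying the key is what turns the same records into data that can no longer be attributed.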
Author: Samantha M. D’Anna, Associate, Health Care Industry Group
© October 2018 Jackson Kelly PLLC
[1] The EU is an economic and political union of twenty-eight countries that operates an internal (or single) market, allowing free movement of goods, capital, services, and people between member states. Current EU countries include Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom (scheduled to depart the EU at 11:00 PM on March 29, 2019).
[2] The GDPR replaced the Data Protection Directive 95/46/EC of 1995.
[3] See GDPR Article 3.
[4] A controller is an entity that decides the purpose for which and manner in which personal data will be used. If you are a controller, you are not relieved of your obligations where a processor is involved. The GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
[5] A processor is the person or group that processes the data on behalf of the controller. Processing is obtaining, recording, adapting or holding personal data. If you are a processor, the GDPR places specific legal obligations on you.
[6] Organizations can be fined up to four percent of annual global turnover for breaching the GDPR or €20 Million (around $24,000,000).
[7] The basic requirements for the effectiveness of a valid legal consent are defined in Article 7 and specified further in recital 32 of the GDPR.
[8] For additional details and requirements regarding consent, please visit https://gdpr-info.eu/issues/consent/.