I. What is the GDPR and Why Does it Matter?
The General Data Protection Regulation (GDPR) was adopted on April 14, 2016, and became enforceable beginning May 25, 2018, replacing its weaker predecessor Data Protection Directive 95/46/EC. The GDPR codifies privacy laws for all individual citizens and businesses of the European Union (EU) and the European Economic Area (EEA), but provides flexibility for certain aspects of the regulation to be adjusted by individual member countries. It also addresses the transfer of personal data outside the EU and EEA areas, which extends its jurisdiction to any company doing business with or processing the personal data of a citizen of the EU, regardless of the company's location.
II. Key Terms and Provisions of GDPR
The GDPR outlines the rights of individual data subjects, and the obligations of the businesses that control or process their personal data. The GDPR defines personal data as any information related to a natural person (data subject) that can be used to directly or indirectly identify that person. This can include a name, a photo, an email address, bank details, posts on social networking websites, medical information, or even a computer IP address.
A. Clear Notice and Consent
Under the GDPR, before processing any personal data, a business must ask for explicit permission from the data subject using clear language. The consent must be given for a specific purpose and must be requested separately from other documents and policy statements. Furthermore, it must be as easy to withdraw consent as it is to give it. Under the GDPR, an organization cannot obtain continuous blanket consent. A new request for consent is required each time data is used for a new purpose.
B. Information, Access and Transfer
Article 15 gives citizens the right to access their personal data and information about how this personal data is being processed. Under GDPR, a data subject can request a copy of the actual data being processed. Furthermore, a data controller must provide an overview of the categories of data that are being processed, the purposes of the data processing, any parties with whom the data is shared, and means of data collection.
The GDPR also mandates data portability for data subjects. A data subject must be able to transfer personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller.
C. Right to object and automated decisions
The GDPR also provides data subjects with certain rights over the uses of their personal information, allowing them to object to its use for marketing, sales, or other non-service-related purposes. A company must inform individuals of their right to object in its first communication with them. However, each objection must be assessed individually, and an organization does not have to honor the objection if the data processing meets one of the following criteria:
- Legal or official authority is being carried out;
- Legitimate interest, where the organization needs to process the data in order to provide a service the data subject signed up for;
- A task is being carried out in the public interest.
An organization can also refuse a request if the objection is 'manifestly unfounded' or 'excessive'.
D. Right of Erasure
A complete right to be forgotten was refined down to a more limited right of erasure in the GDPR. Under this rule, a data subject has the right, on certain grounds, to request erasure of personal data related to them, and the request must be acted on within 30 days. At that point, the company must stop processing the data and cease any further dissemination of it. Valid grounds for erasure include situations where the data is no longer relevant, where the original purpose has been satisfied, or simply the data subject's subsequent withdrawal of consent.
E. Privacy by Design
The GDPR mandates that organizations follow Privacy by Design principles and implement appropriate technical and organizational measures to protect the rights of data subjects. This provision limits a data processor to collecting and using only the data strictly necessary for the completion of its business, and limits access to personal data to only those employees who need the information to complete the processing the data subject consented to.
Another important security measure outlined in GDPR is pseudonymization, a process required when data is stored to transform it in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information. Common examples of these tools are encryption and tokenization.
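As an added illustration of the pseudonymization and data-minimisation points above (this is example code, not part of the original article), the following Python pseudonymizes constructed sample records with a keyed HMAC token: the secret key and the token-to-identity lookup table are the "additional information" that must be held separately, and the unneeded name field is dropped entirely.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (fictional people). Email and name are direct
# identifiers; plan and logins are the fields the business actually analyses.
RECORDS = [
    {"email": "alice@example.com", "name": "Alice Example", "plan": "pro", "logins": 14},
    {"email": "bob@example.com", "name": "Bob Example", "plan": "free", "logins": 3},
    {"email": "Alice@Example.com", "name": "Alice Example", "plan": "pro", "logins": 2},
]


def new_key() -> bytes:
    """Fresh secret key; in practice stored separately from the pseudonymized data."""
    return secrets.token_bytes(32)


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Keyed one-way token: same identifier and key give the same token, so records
    about one subject stay linkable, but without the key the token reveals nothing."""
    digest = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Return (pseudonymized dataset, lookup table).

    The dataset keeps only the fields needed for analysis (data minimisation);
    the lookup table is the additional information needed to re-identify a subject.
    """
    lookup = {}
    dataset = []
    for rec in records:
        token = make_pseudonym(rec["email"], key)
        lookup[token] = {"email": rec["email"].lower(), "name": rec["name"]}
        dataset.append({"subject": token, "plan": rec["plan"], "logins": rec["logins"]})
    return dataset, lookup


def reidentify(token: str, lookup: dict):
    """Re-attribute a token to a person; returns None without the lookup table."""
    return lookup.get(token)


if __name__ == "__main__":
    data, table = pseudonymize(RECORDS, new_key())
    for row in data:
        print(row, "->", reidentify(row["subject"], table)["email"])
```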
F. Breach notification
The GDPR requires companies to notify all data subjects of a security breach within 72 hours of discovery of the breach. The method of this notification will include as many forms as deemed necessary to disseminate the information in a timely manner, including email, telephone message, and public announcement.
A key carve-out, however, is that notice to data subjects is not required if the data controller has implemented appropriate technical and organizational protection measures that render the personal data unintelligible to any person who is not authorized to access it, such as encryption (Article 34).
G. Data Protection Officers
The GDPR requires organizations to designate a Data Protection Officer (DPO) to oversee the application of the GDPR and to protect personal data from misuse and unauthorized access and other security breaches. Organizations based outside the EU must also appoint an EU-based person as a representative and point of contact for their GDPR obligations (Article 27).
The penalties laid out for violations of GDPR are significant. Under the law, organizations found to be in violation can be fined up to 4% of annual global revenue, or 20 Million Euros, whichever is greater.
The most notable recent enforcement action is the January 2019 fine of 50 million euros assessed against Google by the French data regulator (CNIL). The CNIL found that Google was in violation of Article 21 of the GDPR because the company had not sufficiently informed users about how it was collecting personal data for use in personalized advertising.
Other significant enforcement actions include the UK’s ICO levying fines of €110,390,200 on Marriott International, Inc. and €204,600,000 on British Airways in July of 2019. Both companies were found to be in violation of GDPR Article 32, for having insufficient technical and organizational measures to ensure information security after a breach.
IV. GDPR at Year One
The initial year of GDPR implementation has brought both progress and difficulty. Companies are still struggling to achieve compliance, but the breach-reporting mandate has driven increased efforts to improve data security and reduce human error. It has also brought greater public awareness, with European Internet users exercising their rights under the GDPR and demanding more data security and transparency from companies.