In May 2018, the European Union will begin enforcing the General Data Protection Regulation or GDPR. If you have not heard of this before, consider this an introduction, because as we get closer to May 2018, there will be more and more discussions about data privacy and protection and what GDPR compliance is and how it may end up affecting virtually everyone.
What is General Data Protection Regulation (GDPR)?
The current Data Protection Directive 95/46/EC, which was created in 1995, is not equipped to deal with the explosion of social media and the extensive data sharing that occurs today. So, in 2012, the EU began the process of defining new regulations. Those new regulations would end up being defined as the General Data Protection Regulation, or GDPR.
One of the primary objectives of the GDPR is to enhance data protection rights, i.e., give people more control over their personal data. The other primary objective is to consolidate all of the different regulations, laws, and guidelines across European Union member states into a single, central source. By consolidating, the GDPR aims to streamline and create a clearer legal environment, which will hopefully improve business opportunities and lessen ambiguity around sharing data.
A key thing to understand about GDPR is that it is a regulation, whereas the older guidance was a directive. The difference between the two is that a regulation is a binding legislative act enforceable by law, while a directive is a set of goals that must be achieved, with each country deciding for itself how it plans to meet them.
Who Does It Affect?
Any organization which handles EU citizen information is in scope, regardless of where the organization is based. This means that if your organization uses, processes, shares, or stores the data of EU citizens, you must comply with this new regulation.
As a note on scope, if your organization employs fewer than 250 persons, there is a clause under which your organization may not be required to comply with GDPR, but there are a lot of caveats to this. Below is an excerpt from section 4(b) of the GDPR:
“…an enterprise or a body employing fewer than 250 persons, unless the processing it carries out is likely to result in a high risk for the rights and freedoms of data subject such as (…) discrimination, identity theft or fraud, unauthorized reversal of pseudonymisation, financial loss, damage to the reputation, loss of confidentiality of data protected by professional secrecy or any other economic or social disadvantage for the data subjects, taking into account the nature, scope, context and purposes of the processing.”
So while at first glance your organization may appear to be exempt, given all the caveats defined, it is more likely than not that your organization will still be required to comply with GDPR.
When Will GDPR Be Enforced?
Discussions between the European Parliament, the Council of the European Union, and the European Commission began in 2012. The regulation was finally approved after 4 years of debate and preparation and was adopted on April 14, 2016. GDPR replaces the current data protection directive (Directive 95/46/EC) that was enacted in 1995, and the GDPR will become enforceable from May 25, 2018.
As with all regulations, there are sanctions and fines that can be imposed if an organization fails to comply. These sanctions are documented in Article 83. Below is a very high-level breakdown of the GDPR sanctions that may apply:
- A warning in writing in cases of first and non-intentional non-compliance
- Administrative fines
- A fine up to 10 million EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
- A fine up to 20 million EUR or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater
What is Considered Personal Data?
In order to understand the scope of the GDPR, one has to understand what the GDPR defines as “Personal Data.” “‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;” (Article 4(1)). This basically covers anything from a name, a photo, an email address, bank details, social media posts, or medical information, to even a computer’s IP address.
This definition greatly expands the scope of what is considered personal data today. For many organizations, this update does not change much, but for online businesses that specialize in analytics, advertising, and social media, there will be a significant impact. This is because the definition of personal data now explicitly includes “location data” and “an online identifier.” According to Fieldfisher, this means that “Non-EU advertising, analytics and social media platforms will likely find themselves legally required to treat these identifiers as personal data protected by European law, just as their European competitors are, and need to update their policies, procedures, and systems accordingly – that, or risk losing EU business and attracting European regulatory attention. However, they will likely take (some) comfort from GDPR provisions allowing for data profiling on a non-consent basis if data is pseudonymized.”
High Level Controls and GDPR Requirements
The GDPR contains 11 chapters and 99 articles. For detailed information on each item, the website gdpr-info.eu provides a breakdown of the regulation by chapter and article.
In the interest of time and space, there are a lot of details in the GDPR that I am not going to cover. But I wanted to point to a couple of specific chapters of significance, as these fundamentally change how data is handled today.
Chapter 3 contains eleven articles that pertain to the rights of the data subject, the living individual to whom personal data relates. These articles cover topics such as the right to be informed, the right of access, rectification, erasure, the right to object, etc. Of all the rights listed, the right to erasure or “Right to be forgotten” is the grayest and most open to interpretation.
Article 17, the Right to Erasure, establishes that a data subject has the right to have the controller erase their personal data and take reasonable steps to inform third parties to erase the data as well. No longer can you simply flag a user in your database as inactive or “do not contact.” Under the GDPR, this data now has to be purged from the system if the individual requests that it be removed.
There is a lot of discussion around this particular article, as it is still a fairly gray area: it is not entirely known what will happen with regard to social media. Can or should a data subject have the right to delete their social commentary, their digital self, or is that data considered public knowledge? It will be interesting to see how this plays out in the courts. Removing old posts and old accounts, and possibly trying to hide past poor decisions, has been desired for some time, but it raises a lot of moral and legal questions.
Chapter 4 contains twenty articles that pertain to the roles and responsibilities of data controllers and processors. These articles cover topics such as data protection, security of processing, notification of breach, and sanctions. Under GDPR, both controllers and processors can be held responsible in the event of negligence in personal data security or failure to comply with requirements. As discussed earlier in this post, the sanctions applied could range from a warning all the way to 4% of total annual turnover or €20 million, whichever is higher.
Controllers and processors will have more stringent security controls enforced, and will also be required to better define their data flows and provide the functionality needed to meet all the requirements defined under Chapter 3.
In a recent survey from PwC, “nearly all of the respondents (92%) considered compliance with Europe’s landmark General Data Protection Regulation (GDPR) a top priority on their data-privacy and security agenda in 2017 – with over half of respondents saying it is “the” top priority and 38% saying it is “among” top priorities.”
While GDPR is an EU regulation, it is poised to be revolutionary and to force better transparency and controls on the use and release of personal data throughout the world. If your organization processes, stores, or uses any data from EU citizens, you will be required to comply with the GDPR. If you have not already begun looking into this new regulation, it is highly recommended that you start now. If you have any questions about GDPR, feel free to contact Linford & Company.
Additional Information and Links
I wanted to point to some additional links and sites that can help you understand GDPR, terminology, common misconceptions, etc.
Beginner’s guide to GDPR: https://www.vpngeeks.com/beginners-guide-gdpr
GDPR Agreed Upon Text: http://data.consilium.europa.eu/doc/document/ST-5419-2016-INIT/en/pdf
Publication from Fieldfisher LLP, “The general data protection regulation: A myth-buster”: https://www.henrystewartpublications.com/sites/default/files/Pickering.pdf
Top 10 Operational Impacts of the GDPR: https://iapp.org/resources/article/top-10-operational-impacts-of-the-gdpr/
ICO overview highlighting the key themes of the General Data Protection Regulation (GDPR): https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
Linford & Co., LLP, founded in 2008, is comprised of professional and certified auditors with specialized expertise in SOC 1, SOC 2, HIPAA, HITRUST, FedRAMP and royalty/licensing audits. Our auditors hold CPA, CISA, CISSP, GSEC licenses and certifications. Learn more about our company and our leadership team.