What is more complicated than astrophysics, more widely discussed
than celebrity gossip, and tougher than herding kittens? The General Data
Protection Regulation (GDPR). Ok, it might not be as popular as celebrity
gossip, but in the business world (especially the software world), this is the
GDPR is a law that was passed on April 27, 2016, and it goes into
effect on May 25, 2018. It affects anyone who is doing business or providing
goods or services to any business within the European Union (EU). The EU
currently consists of Austria, Belgium,
Bulgaria, Croatia, the Republic of Cyprus, the Czech Republic, Denmark,
Estonia, Finland, France, Germany, Greece, Hungary, the Republic of Ireland,
Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal,
Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom (https://www.gov.uk/eu-eea). The goals of this law are to make companies prioritize privacy and to
protect consumers’ privacy in an active and thoughtful way. The GDPR
implementation process is causing companies to rethink how they handle data,
what data they handle, and the implications of their data collection and
management practices. This law replaces the 1995 EU Directive that currently
governs privacy regulations.
In this two-part blog series, we will provide a broad overview of
the key elements of the GDPR. The first entry focuses on the fundamental
concepts of the GDPR, and the second focuses on what companies should do to
ensure compliance with the new regulations. Please note that you should consult
an attorney if you have any specific questions.
To ensure you are up to date on all the latest watercooler talk
(and no, I do not mean the latest celebrity gossip), it is helpful to examine the
core principles of the GDPR. One important thing to consider is the origin of
this law. The GDPR reflects the EU’s worldview that there is a fundamental
right to privacy. This means they believe privacy is the intrinsic right of
every human: every man, woman, and child deserves the right to privacy. In
today’s technology-driven world, information is widely shared, and data
breaches are common. The EU believes that privacy laws should adapt to the
changing technological landscape, and they decided that applying stricter
guidelines to companies who want to do business in the EU would be a good first
step to help protect people’s privacy.
At its heart, the GDPR is the new playbook that gives EU citizens
control over their personal data. The EU has enacted the law to establish principles
that protect consumers’ privacy: companies should safeguard people’s data, should
not use it in any way that is not allowed by the person who owns the data, and should
not keep people’s personal information longer than necessary. As an example, if
a gentleman decides to order cable TV, he might need to have his credit card on
file to pay the monthly bill. However, the TV provider must have adequate
security protection (we will discuss what constitutes adequate protection
below), may only keep the card on file while the gentleman is a customer and
for a reasonable time afterwards, and may not sell the card details to a marketing
company so that it can track cable customers.
What Does the Law Cover?
Next, we will examine what the GDPR covers. Under the law, “personal
data” means any information relating to an identified or identifiable natural
person (“data subject”); an identifiable natural person is one who can be
identified, directly or indirectly, in particular by reference to an identifier
such as a name, an identification number, location data, an online identifier,
or one or more factors specific to the physical, physiological, genetic,
mental, economic, cultural, or social identity of that natural person. This
definition sounds like it comes from some law textbook, but simply put, it
means that almost any piece of data you can find on a person is considered
personal data and should be protected. This means that IP addresses, mobile
device IDs, and the names of purchased products are all personal data.
Why Does GDPR Matter to You?
Money runs the world, and although it is not as exciting as
celebrity gossip, financial considerations will compel businesses to comply
with the GDPR. In addition to being the law within the EU, the GDPR can be very
expensive if you choose not to follow it. This law holds businesses responsible
for protecting personal data; companies must be financially accountable, and if
there is negligence, then a company can be fined for failing to protect consumers’
information. Companies can be fined up to the greater of 4% of their
global annual revenue or 20M Euros.
Who Must Follow the GDPR?
If your company is located in the EU, markets to anyone in the EU,
operates a website accessible to people in the EU, or provides goods or
services to a human in the EU, then the GDPR applies. This means almost every
corporation is subject to the GDPR and needs to take steps to ensure they are
compliant. For software developers, this could affect how an app is set up, whether
you want to distribute your product in the EU, and what sort of encryption
levels you use. More importantly, as you launch new products or consider
setting up a company, you should weigh the effects of the GDPR.
Bullets of the GDPR
- Not a “check the box”: The purpose of the GDPR is not to offer a “check
the box” compliance piece but to protect a fundamental notion of privacy.
Compliance with this law requires companies to sit down and review how they collect
and manage data.
- Give people the right to data correction: This means you must offer
people who have given you their information the ability to change or update their
- You must ask permission: You can only use data for things you have
asked permission for. You cannot use data for any purposes other than those for
which you have explicitly asked permission.
- How long you keep data: You cannot keep consumers’ data longer
than is necessary. Check with your attorney on what that means for you and your
- You must have privacy as the default: All data should be
encrypted, and privacy and information security should be your primary concerns
by default. Security measures should be fundamental to your operations and
should not merely be post-breach considerations.
- There is a right to be forgotten: If a person requests that you “forget”
their information, you must do so within 30 days.
- Data breaches must be reported: The GDPR requires companies to
report any data breach within 72 hours of becoming aware of the breach. If for
any reason this requirement is not met, the reason for the delay must be
explained when the report is made.
Where Can I Find More Information?
Attorneys all over the world are specializing in the GDPR;
however, no one has been tested in court, so no one is truly an expert. Finding
an attorney to help you and your corporation is a good first step, and examining the GDPR statute is a useful
starting point. In our next post we will provide additional information.
Now that we have explored the basic elements of the GDPR, our next
blog will focus on the more detailed aspects of the law. It may not be as spicy
as celebrity gossip, but if it affects you and your business, I promise it is
worth the read.
Nothing in this blog should be construed as legal advice. You should consult an attorney prior to making any legal decisions.