What is more complicated than astrophysics, more widely discussed than celebrity gossip, and tougher than herding kittens? The General Data Protection Regulation (GDPR). Ok, it might not be as popular as celebrity gossip, but in the business world (especially the software world), this is the newest Kardashian.
GDPR is a law that was passed on April 27, 2016, and it goes into effect on May 25, 2018. It affects anyone who is doing business or providing goods or services to any business within the European Union (EU). The EU currently consists of Austria, Belgium, Bulgaria, Croatia, the Republic of Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, the Republic of Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the United Kingdom (https://www.gov.uk/eu-eea). The goals of this law are to make companies prioritize privacy and to protect consumers’ privacy in an active and thoughtful way. The GDPR implementation process is causing companies to rethink how they handle data, what data they handle, and the implications of their data collection and management practices. This law replaces the 1995 EU Directive that currently governs privacy regulations.
In this two-part blog series, we will provide a broad overview of the key elements of the GDPR. The first entry focuses on the fundamental concepts of the GDPR, and the second focuses on what companies should do to ensure compliance with the new regulations. Please note that you should consult an attorney if you have any specific questions.
To ensure you are up to date on all the latest watercooler talk (and no, I do not mean the latest celebrity gossip), it is helpful to examine the core principles of the GDPR. One important thing to consider is the origin of this law. The GDPR reflects the EU’s worldview that there is a fundamental right to privacy. This means they believe privacy is the intrinsic right of every human: every man, woman, and child deserves the right to privacy. In today’s technology-driven world, information is widely shared, and data breaches are common. The EU believes that privacy laws should adapt to the changing technological landscape, and they decided that applying stricter guidelines to companies who want to do business in the EU would be a good first step to help protect people’s privacy.
The New Playbook
At its heart, the GDPR is the new playbook that gives EU citizens control over their personal data. The EU has enacted the law to establish principles that protect consumers’ privacy: companies should safeguard people’s data, should not use it in any way that is not allowed by the person who owns the data, and should not keep people’s personal information longer than necessary. As an example, if a gentleman decides to order cable TV, he might need to have his credit card on file to pay the monthly bill. However, the TV provider must have adequate security protection (we will discuss what constitutes adequate protection below), may only keep the card on file while the gentleman is a customer and for a reasonable time afterwards, and may not sell the card to a marketing company to track cable providers.
What Does the Law Cover?
Next, we will examine what the GDPR covers. Under the law, “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. This definition sounds like it comes from some law textbook, but simply put, it means that almost any piece of data you can find on a person is considered personal data and should be protected. This means that IP addresses, mobile device IDs, and the names of purchased products are all personal data.
Why Does GDPR Matter to You?
Money runs the world, and although it is not as exciting as celebrity gossip, financial considerations will compel businesses to comply with the GDPR. In addition to being the law within the EU, the GDPR can be very expensive if you choose not to follow it. This law holds businesses responsible for protecting personal data; companies must be financially accountable, and if there is negligence, then a company can be fined for failing to protect consumers’ information. Companies can be held accountable for the GREATER of either 4% of their global annual revenue or 20M Euros, whichever is higher.
Who Must Follow the GDPR?
If your company is located in the EU, markets to anyone in the EU, operates a website accessible to people in the EU, or provides goods or services to a human in the EU, then the GDPR applies. This means almost every corporation is subject to the GDPR and needs to take steps to ensure they are compliant. For software developers, this could affect how an app is set up, whether you want to distribute your product in the EU, and what sort of encryption levels you use. More importantly, as you launch new products or consider setting up a company, you should weigh the effects of the GDPR.
Big Ticket Bullets of the GDPR
- Not a “check the box:” The purpose of the GDPR is not to offer a “check the box” compliance piece but to protect a fundamental notion of privacy. Compliance with this law requires companies to sit down and review how they collect and manage data.
- Give people the right to data correction: This means you must offer people who have given you their information the ability to change or update their data.
- You must ask permission: You can only use data for things you have asked permission for. You cannot use data for any purposes other than those for which you have explicitly asked permission.
- How long you keep data: You cannot keep consumers’ data longer than is necessary. Check with your attorney on what that means for you and your business.
- You must have privacy as the default: All data should be encrypted, and privacy and information security should be your primary concerns by default. Security measures should be fundamental to your operations and should not merely be post-breach considerations.
- There is a right to be forgotten: If a person requests that you “forget” their information, you must do so within 30 days.
- Data breaches must be reported: the GDPR requires companies to report any data breach within 72 hours of becoming aware of the breach. If for any reason this requirement is not met, the reason for the delay must be explained when the report is made.
Where Can I Find More Information?
Attorneys all over the world are specializing in the GDPR; however, no one has been tested in court, so no one is truly an expert. Finding an attorney to help you and your corporation is a good first step, and examining the GDPR statute is a useful starting point. In our next post we will provide additional information.
Now that we have explored the basic elements of the GDPR, our next blog will focus on the more detailed aspects of the law. It may not be as spicy as celebrity gossip, but if it affects you and your business, I promise it is worth the read.
Nothing in this blog should be construed as legal advice. You should consult an attorney prior to making any legal decisions.