Why May 25 Will Change the Game
After Mark Zuckerberg’s appearance before the US Congress over Facebook’s data-collection practices, one could say that the European Union has its finger on the pulse:
From 25 May 2018, the EU’s General Data Protection Regulation (GDPR) applies across the Union. You might have heard about it in the news recently. But do you know in detail what the GDPR is about and how it may impact your business?
We took a closer look at the regulation and summarized the main points below to help you determine if it is relevant for you and, if so, what is required of you to ensure compliance. Of course, our outline is only a guide and does not serve as legal advice. If you are unsure about the GDPR’s implications for your business, we encourage you to seek professional legal help.
1. The GDPR in a nutshell
The GDPR (Regulation (EU) 2016/679) was adopted by the European Parliament and the Council in April 2016 to harmonize data protection law across Europe, replacing the patchwork of national laws built on the 1995 Data Protection Directive. It aims to strengthen the data privacy rights of individuals in the EU by increasing the protection of personal data. The regulation (Article 4(1)) defines “personal data” very broadly; a commonly cited summary of that definition reads as follows:
“Any information related to a natural person or ‘Data Subject,’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
Any organization (see point 2) that is non-compliant with this regulation may face substantial fines: for the most serious infringements, up to 4% of annual global turnover or €20 million, whichever is higher. Be sure to understand your responsibilities so that you put all necessary measures in place, in time.
2. Who will be affected by the GDPR?
The regulation protects the personal data of people who are in the EU (not only EU citizens). Hence, it affects not only European companies but also non-European companies that have an establishment within the EU, or that, from outside the EU, offer goods or services to people in the EU or monitor their behaviour (for example through website tracking).
3. The main points of the GDPR
+ Consent: Every processing of personal data needs a lawful basis (for example, performance of a contract, a legal obligation, or a legitimate interest). If no other lawful basis applies, the person’s consent to the data processing is required, and that consent must be freely given, specific, informed and unambiguous. Otherwise, the personal data cannot be used.
E.g.: It is unlawful to use personal data to send out newsletters without first seeking and receiving the recipient’s consent, unless another lawful basis applies.
+ Data Minimization: The personal data collected must be adequate, relevant and limited to what is necessary in relation to the purpose of the processing.
E.g.: A phone number should not be collected for a purchase order when only the name, address and possibly the payment details are needed to process the order.
+ Purpose Limitation: Personal data may only be used for the specific purposes the person has been made aware of when it was collected; it may not be reused for an incompatible purpose without a lawful basis for that new purpose, such as fresh consent.
E.g.: An address collected for a purchase order may only be used to fulfil that order. It may not be reused for unrelated purposes such as marketing, or passed on to third parties for their own purposes.
+ Integrity and Confidentiality: Personal data is to be processed in a manner that ensures appropriate security of the data, using appropriate technical and organizational measures (the regulation names pseudonymization and encryption as examples).
E.g.: Anyone working with employee or customer data must ensure that no unauthorized person has access to it, for instance through access controls, strong authentication and encryption of stored data.
+ Transparency: The person whose data is being collected needs to be informed, in clear language, about what data is collected, for which purpose, and on what lawful basis.
E.g.: If a website owner collects data about visitors in the background (e.g., through analytics or tracking cookies), the visitor must be informed about this processing in the privacy statement.
4. What you need to do
If your company processes personal data of people in the EU, you need to ensure that you comply with the GDPR. You also need to be able to show the supervisory authorities, and the persons concerned, what type of data is being processed, for which purpose and on what lawful basis; keeping a written record of your processing activities is the practical way to do this.
Some questions to ask yourself:
+ Where and when do we process personal data and do we have documentation of it?
+ Do we inform all persons concerned about processing their personal data?
+ Is our privacy statement up to date and does it disclose all information?
+ Is the personal data we collect relevant?
+ Is the data we collect protected, and can we find, correct, export and delete it when a person asks us to?
+ Do we have the people’s consent for processing personal data where consent is the lawful basis we rely on (e.g., email marketing), and can we prove it?
+ How do we protect people’s personal data when other parties are involved (both internally and externally, e.g., external service providers)? Is data protection, including the mandatory data processing agreement with each processor, included in these contracts?
The above questions are only rough guidance for you to gauge your compliance with the GDPR. The European Union has compiled further useful information on its website, especially in the FAQ section.
As daunting as the implementation of stricter data-related policies and procedures may seem to some companies, the Facebook scandal has made it clear: protecting personal data in our increasingly data-driven world is critical if the word “privacy” is to be more than an empty shell.
If you have any questions or would like to discuss the above in more detail, please contact us.