This article provides an overview of GDPR, what is included in the regulation, who must comply, and the potential ramifications of non-compliance. We also share some best practices and resources to help your organization meet the myriad obligations in GDPR and, just as importantly, be able to demonstrate your organization’s compliance efforts and ongoing commitment to responsible data processing.
A Primer on GDPR and Data Privacy
When it comes to protecting data, many organizations focus on the three principles of data security: confidentiality, integrity, and availability, commonly referred to as CIA. Until recently, few organizations paid much attention to data privacy which considers how, when and why an entity collects, uses and shares information about people. The General Data Protection Regulation (GDPR) enacted by the European Union (EU) has been a leading driver in forcing companies to think about individuals’ legitimate privacy interests in their personal data and to put in place a stringent set of policies and procedures to ensure that personal data is processed fairly and transparently and that individuals (called “data subjects”) have a measure of control over the data that pertains to them. For many companies, GDPR compliance has been a grueling, resource-intensive and often confusing endeavor complicated by ambiguity within the regulation itself, a digital flood of misinformation posted online, inconsistent or incorrect advice from thousands of so-called “experts,” evolving guidance from EU regulators and courts, and different levels of risk tolerance from business partners and customers.
The far-reaching requirements set forth in GDPR address the categories of personal data companies may process, when a company may process such data, the detailed notices that must be provided to data subjects before collection, restrictions on sharing personal data with third parties and cross-border data transfers. GDPR also provides data subjects with a host of new rights to control their personal data including access, correction, deletion, and portability. Companies must ensure that their customers can exercise these rights. Data deletion, or the so-called “right to be forgotten” can be particularly challenging for companies and often conflicts with laws in other jurisdictions such as the First Amendment’s guarantee of free speech in the United States.
In order to process personal data, a company must have a lawful basis for processing. This is a very different approach from the United States, where using data is generally permitted unless explicitly prohibited by law. One lawful basis for processing is informed consent, a much higher standard than US law. Another lawful basis for processing is the “legitimate interest” of the business. It may sound straightforward, but understanding what activities constitute a “legitimate interest” under GDPR is anything but simple and remains the subject of extensive debate and discussion. Do not assume that a processing activity satisfies the “legitimate interest” standard just because it’s critical to your operations or because you read a blog post somewhere arguing that a given activity such as marketing does or should meet the standard.
Like it or not, GDPR has become a model for privacy regulation across the globe as more countries enact data protection legislation. The strict requirements in GDPR are now considered the “gold standard” by many policymakers seeking to implement equivalent levels of protection for their citizens. As of 2019, over 100 countries have some level of data protection and privacy laws in place. Most recently in August 2019 Bahrain rolled-out the Personal Data Protection Law, a new national law that prevents the misuse of people’s personal information and requires entities to obtain consent from customers in order to collect, process, store and use their personal information for commercial purposes. Notably, the United States does not have a federal privacy law, which is another reason global leaders are looking to the EU to set the standard.
What is GDPR?
The General Data Protection Regulation (Regulation (EU) 2016/679) is a comprehensive data protection law intended to protect the “fundamental rights and freedoms” of people, in particular, the fundamental right “to the protection of personal data.” For many in the US, this is an alien concept but it can’t be ignored or dismissed because this notion of privacy as a fundamental right informs how EU regulators interpret each provision of GDPR as well as how data protection authorities and courts will apply and enforce the law.
The law was enacted on April 27, 2016 after a multi-year drafting process and went into effect on May 25, 2018. GDPR replaced the European Data Protection Directive (DPD) (Directive 95/46/EC), the EU’s first privacy and data protection framework.
GDPR is intended to provide strong, consistent data protection for all individuals in the European Union (EU) .The legislation has three primary objectives:
- Ensure the ethical, responsible, lawful and transparent use of personal data by all entities in the digital age consistent with the EU’s fundamental right to privacy and data protection;
- Give control back to individuals in the EU over their personal data that is processed by organizations such as commercial entities, nonprofits and even government agencies; and
- Simplify the regulatory environment for business by harmonizing data privacy regulation within the EU.
How did GDPR come about?
The original data protection regulatory framework in the EU was enacted in 1995. The Data Protection Directive “directed” each EU member state to enact its own law ensuring the protection of individuals with regard to the processing of personal data and on the free movement of such data. This resulted in substantial differences in privacy laws across all the member states and produced burdensome and expensive bureaucratic requirements. Not only did this create significant compliance challenge for companies but it resulted in inconsistent protection for individuals’ data across the EU. In addition, the 95 Directive did not contemplate the rapid rise of new technologies such as artificial intelligence, machine learning, autonomous vehicles, smart cities, connected consumer devices and the Internet of Things.
In 2012 EU policymakers initiated a process to modernize the law for the digital revolution, promote the flow of data across the EU, protect the fundamental rights of EU residents and harmonize the rules for processing across the EU. A working group was established to hammer out the details, and in 2015, the European Parliament, the Council of the European Union and the European Commission reached an agreement on the GDPR. The regulation entered into force in May of 2016, replacing previous data protection laws in the EU. Enforcement of the law began in May of 2018.
Whether or not GDPR achieves the law’s stated goals remains to be seen, particularly the objective of harmonization. As discussed below, GDPR permits member states to implement different rules in many cases, undermining the goal of having a single, consistent legal framework.
Who is affected by GDPR?
There are several groups that are affected by this regulation.
- Data Subject – An individual within the European Union whose personal data is processed by a company or other entity.
- Data Controller – An organization that processes personal data about individuals in the EU and determines the purposes and means of the processing.
- Data Processor – An entity that processes personal data on behalf of and at the direction of a data controller. A data processor does not have the independent ability to process the personal data outside the scope of the contractual relationship with the controller. In the US we often refer to processors as service providers, contractors or vendors.
Determining whether an entity is a controller or processor is critical for assessing the application of GDPR or a particular processing activity. Unfortunately, it isn’t always obvious when an entity is operating as a controller or a processor. Moreover, under certain circumstances, entities can be joint controllers and share responsibility and liability for GDPR compliance. A deeper dive on controllers and data processors can be found here.
How does GDPR define personal data?
The definition of personal data under GDPR is very broad. Personal data is any information related to an identified or identifiable person. This definition captures any information related to an individual’s private, professional, or public life. Personal data includes name, address, phone number, a photo, email address, social media identifiers, posts on social networking sites, medical information, financial account information, race, religion, ethnicity, political party affiliation, and other categories of information. Importantly, unique identifiers such as an IP Address, cookie, unique mobile identifier, advertising ID or unique device identifier may be considered personal data. The definition is far more comprehensive than the narrower concept of personally identifiable information found in most state and federal privacy and data breach laws in the United States. The 2018 California Consumer Privacy Act (CCPA) which goes into effect on January 2020 however, includes a broad definition of personal information similar to GDPR. It includes any information that identifies or could reasonably be linked to or relate to, whether indirectly or directly, a particular consumer or household.
Who has to comply with GDPR?
The territorial scope of the GDPR is determined by Article 3 of the Regulation and represents a significant change in EU data protection law. It’s critical to understand that the requirements of GDPR apply to any company that processes personal data of EU residents, regardless of the location or the company. Thus, a company based in the United States that maintains a commercial website directed at EU residents must comply with GDPR even if the US company does not have any physical presence in the EU. Merely having a website that can be accessed from anywhere in the world is not sufficient to trigger compliance. Similarly, GDPR does not apply to a citizen of the EU who provides personal data while in the United States for a local transaction. Unfortunately, there is a tremendous amount of misinformation being published about GDPR so it’s important to consult with an expert or seek guidance before making decisions about compliance.
What are the key requirements of GDPR?
As this document is just an overview of the law, we recommend reading the actual regulation to understand the full scope of GDPR and its potential implications for your business. The table below highlights some of the key requirements of the regulation.
|Notice and Transparency||Data controllers must provide data subjects with notice about how their personal data is processed, including the specific purpose for the processing. The information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. A request for consent must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.|
|Rights To Access, Rectification And Erasure||Data subjects have a right of access to their personal data. This provides individuals with the right to obtain confirmation that a data controller is processing their personal data, a copy of their personal data, and other supplementary information about the context of processing. A data subject also has the right to correct inaccurate information or provide additional information if the data is incomplete. Perhaps one of the most challenging provisions in the law is the so-called “right to be forgotten” which provides data subjects with the right to have their personal data erased and no longer processed. This could include deletion of data from backup systems as well as live systems. Importantly, the right to erasure is not absolute and only applies in certain circumstances.|
|Right to Object to Processing||A data subject may object to processing for direct marketing purposes. In such circumstances, a data controller may not continue to process the data subject’s personal data for such purposes. A data subject may also object to processing for other reasons or purposes, requiring a data controller to respond and essentially conduct an analysis of the objection.|
|Data Portability||This right enables data subjects under certain conditions to receive a subset of their personal data from a controller in a structured, commonly used and machine-readable format and further provides that they must be able to transmit that data to another data controller.|
|Consent||One basis for the lawful processing of personal data is consent. Consent must be freely given, specific, informed and unambiguous and provided by a clear affirmative action signifying agreement to the processing of personal data. This is a very high bar. In addition, a controller must be able to demonstrate that a data subject provided consent and must provide an easy way for data subjects to revoke consent at any time.|
|Privacy by Design and by Default||When developing a new activity or process requiring personal data a controller is required to implement policies and measures to meet the goals and obligations of GDPR and safeguard individual rights. This means that a controller must integrate or “bake in” data protection into processing activities and business practices, from the design stage right through the lifecycle. Examples of relevant measures include data minimization, de-identification, anonymisation, pseudonymisation, data governance to support individual control, monitoring and other technical and procedural measures.|
|Third-Party Oversight (vendor management)||GDPR provides that controllers are responsible for appropriately selecting processors and sets out specific rules for allocating responsibility between the controller and processor. The controller must ensure that the processor does not process personal data except on instructions from the controller. Data controllers must also engage in due diligence when selecting processors and contractually require GDPR compliance, among other responsibilities.|
|Data Protection Impact Assessments||When processing operations are likely to create “high risk” a controller must conduct and document a data protection impact assessment to evaluate the severity of that risk and implement measures to mitigate risk and ensure compliance.|
|Data Protection Officers||It is mandatory for certain controllers and processors to designate a DPO. A commercial entity must appoint a DPO if, as a core activity, the entity monitors individuals systematically and on a large scale or processes special categories of personal data on a large. scale.|
|Data Security||Both controllers and processors must implement appropriate technical and other measures to ensure a level of network and information security appropriate to the level of risk created by a particular processing activity. Similar to US law, this generally refers to ensuring that a system can prevent compromises to the availability, authenticity, integrity, and confidentiality of stored or transmitted personal data.
Data security requires ongoing assessments of risks and measures to mitigate risk.
|Encryption||Encryption is not required by GDPR but is explicitly mentioned as one possible technical measure to secure data, reduce risk and safeguard the rights of individuals. That said, encryption is referenced several times in the Regulation and is generally considered a standard control in most data security programs today.|
|Data Breach Notification||As a general matter, a controller must notify the relevant supervisory authority of a data breach within 72 hours of discovery, unless the personal data breach is unlikely to result in risk. That is a fairly low threshold. With respect to notifying potentially impacted individuals, however, GDPR provides a higher standard – where the “personal data breach is likely to result in a high risk to …rights and freedoms.” There are detailed requirements for how and when to provide notice.|
|Documenting Processing Activities and Compliance||A controller must be able to demonstrate compliance with GDPR. Having the capacity to demonstrate compliance upon request and maintaining accurate records with respect to processing activities on an ongoing basis is referenced in numerous provisions.|
|Transfers of Personal Data out of EU||Similar to the Directive, GDPR allows for transfers of personal data from the EU to countries whose privacy regime provides an “adequate” level of protection as determined by the European Commission. The US has not been deemed adequate and thus transfer to the US must be conducted using other mechanisms such as standard contractual clauses, or binding corporate rules (BCRs), or voluntary compliance with the EU-US Privacy Shield program.
What are some good GDPR compliance resources?
Looking to learn more about GDPR compliance?
|The official text of the General Data Protection Regulation published on
Europa.eu, the official website of the European Union.
|European Commission Data Protection Page||https://ec.europa.eu/info/law/law-topic/data-protection_en|
|Website of the EuropeanData Protection Board (EDPB), the independent European body which is responsible for the consistent application of data protection rules throughout the European Union.||Website provides extensive guidance with respect to GDPR implementation, interpretation and compliance.|
|Guidance from The Data Protection Commission (DPC) of Ireland||https://www.dataprotection.ie/en/dpc-guidance|
|The GDPR Compliance Checklist||https://gdprchecklist.io/|
|GDPR Tracker: Track the GDPR compliance of +100 cloud services and subprocessors||https://gdprtracker.io/|
|Guide to the General Data Protection Regulation (GDPR) from the UK Information Commissioner’s Office||https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/|
|The International Association of Privacy Professionals (IAPP) GDPR Resource Page maintains a comprehensive set of resources related to GDPR for practitioners with different backgrounds and levels of expertise.||Examples of relevant GDPR resources available at IAPP.org (note that some resources may be restricted to IAPP members):
GDPR General Resource Page, which includes not only the text of the regulation and relevant official documents, but helpful guidance, analysis, white papers, and more.
The Top 10 Operational Impacts of the EU’s General Data Protection Regulation https://iapp.org/store/books/a191a000002FUYHAA4/
GDPR Genius – This interactive tool provides IAPP members ready access to GDPR resources — enforcement precedent, interpretive guidance, expert analysis and more — all in one location.