Regulation (EU) 2016/679, commonly known as the General Data Protection Regulation (GDPR), is a regulation that seeks to protect an individual's privacy and their ability to control their own data.
GDPR is very complex and affects many aspects of how companies collect, use, and maintain personal data. Part of the problem for many companies is that they have come to rely on policies that "assume" consent for the collection of people's personal data, and GDPR changes this.
Moving forward, any data that directly or indirectly identifies a "data subject" who is in the European Union (EU) will be subject to the provisions of this legislation, regardless of whether the data controller or processor is based in the EU. GDPR defines a data subject as an "identified or identifiable natural person."
Who Does It Apply To?
In practice: almost everyone. Any company that has customers, employees, or website visitors located in European Union (EU) countries will likely need to comply with this regulation. According to Article 3(2) on Territorial scope, "This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union …" The article goes on to limit this to processing that relates to offering goods or services to people in the EU (paid or free) or to monitoring their behaviour within the EU, so a non-EU company that merely happens to receive a visit from an EU resident is not automatically caught; one that ships to the EU, prices in euros, or tracks EU visitors' behaviour is.
This could mean small changes or a complete overhaul of how companies handle data, depending on how much data a company processes about people in the EU.
What Do You Need to Know?
This regulation requires all businesses to make at least a few tweaks to their data processing operations, if not major adjustments. Here are a few key changes to keep in mind:
Consent is only one of the lawful bases for processing personal data listed in Article 6 (others include performance of a contract and legitimate interests), but when a business relies on consent, the bar is now high. Using pre-ticked boxes in opt-in forms, or vague and convoluted language about how data will be used, is no longer acceptable. Article 4(11) requires that consent be "freely given, specific, informed and unambiguous," given by a statement or a clear affirmative action.
For example, an opt-in form for a weekly newsletter will be required to state specifically, and in clear language, what the customer or reader is agreeing to with respect to the use of their data. In addition, companies must be able to demonstrate that each individual consented (Article 7(1)), which in practice means keeping records of when, how, and to what each person agreed. Furthermore, a user can withdraw consent at any time, and Article 7(3) requires that withdrawing consent be as easy as giving it.
Expansion of Private Information
In the US, "personally identifiable information" has a relatively limited definition. Under GDPR, the equivalent term is "personal data," and its definition is much wider.
Anything that could be used to directly or indirectly identify an individual person is personal data and subject to the regulation. Even if a piece of information (like an occupation) would not normally identify someone on its own, it becomes personal data when stored together with other identifying factors (like a company name). This expanded definition means that companies will have to seriously redefine what they consider identifying information.
Article 4(1) of GDPR, which defines the terms used in the regulation, states that:
“...'personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
As IT Governance puts it, “…in certain circumstances, someone’s IP address, hair colour, job or political opinions could be considered personal data.” Because those circumstances are not clearly defined, companies must be prepared to handle most data in accordance with the new rules.
Companies that collect "special categories of personal data" (Article 9), such as health data, genetic or biometric data, racial or ethnic origin, political opinions, religious beliefs, or sexual orientation, face further restrictions on whether and how such information may be collected and stored; processing it is prohibited unless one of the specific exceptions in Article 9(2) applies. National identification numbers, such as a passport number, are not a special category under Article 9 but are singled out in Article 87, which lets member states set their own conditions for processing them.
Handling, Protecting, and Removing Data
This is where the legislation of GDPR gets really complicated. After gaining consent and defining what is considered private information, a business must make sure that it is handling the data that was collected correctly.
Article 32 requires controllers and processors to implement security measures "appropriate" to the risk, and it names "pseudonymisation" and encryption as examples of such measures; neither is an absolute requirement, but both are explicitly encouraged (Article 25 also lists pseudonymisation as an example of data protection by design). Pseudonymisation, as defined in Article 4(5), means processing personal data so that it can no longer be attributed to a specific person without the use of additional information, with that additional information kept separately and protected by its own technical and organisational measures. In practice this means replacing direct identifiers (name, email address, IP address) with a token, and keeping the table that links tokens back to people somewhere else. Encryption transforms the information so that it is unreadable without the key. Note that pseudonymised data is still personal data under GDPR, because the link can be restored; only truly anonymised data, where no one can re-identify the individual, falls outside the regulation (Recital 26).
Once the data is stored correctly, companies must ensure that they can erase it "without undue delay" when asked by the data subject (Article 17, the "right to erasure"). Unless one of the exceptions applies, for example where the company is legally required to keep the data or needs it to establish or defend legal claims, a customer can ask to have their information erased at any time. This can be more complicated than simply deleting an account, because information on that customer may be stored in multiple places: backups, logs, analytics systems, and the systems of processors acting on the company's behalf.
Moreover, companies will need to provide data subjects (anyone in the EU, not only EU citizens) with an easy process for requesting a copy of the data held about them (Article 15, the "right of access"). Article 12(3) requires a response without undue delay and in any event within one month of the request, extendable by a further two months for complex or numerous requests, provided the data subject is told about the extension within the first month.
If stored personal data is compromised or breached, Article 33 gives the controller 72 hours from becoming aware of the breach to notify the competent supervisory authority, unless the breach is unlikely to result in a risk to individuals' rights and freedoms; a late notification must explain the delay. Separately, Article 34 requires the affected individuals themselves to be notified "without undue delay" when the breach is likely to result in a high risk to them, for example when credentials or payment data are exposed in a form an attacker can use. Processors must notify the controller without undue delay after becoming aware of a breach. Failure to meet these obligations can lead to costly fines and other consequences.
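The two paragraphs above describe pseudonymisation (replacing direct identifiers with a token whose link to the real identity is kept separately) and the difficulty of erasing a person from data that is copied to many places. The following Python example, added here and not taken from the page or from NS8's products, shows both: a small "vault" holds the only token-to-identity mapping, order records are pseudonymised against it, and deleting the vault entry unlinks every pseudonymised copy at once, wherever it is stored. It also shows why an unkeyed hash of an email address is not an adequate pseudonym. The order data, the `PseudonymVault` class and the function names are all constructed for this illustration.

```python
"""Pseudonymisation with a separately held token vault (illustrative example)."""
import hashlib
import secrets

# Constructed sample data, not from the original page: three orders, two of
# them from the same person (note the differing e-mail capitalisation and IP).
ORDERS = [
    {"order_id": 1001, "name": "Alice Example", "email": "Alice@example.com",
     "ip_address": "203.0.113.7", "amount_eur": 49.90, "country": "DE"},
    {"order_id": 1002, "name": "Alice Example", "email": "alice@example.com",
     "ip_address": "203.0.113.9", "amount_eur": 15.00, "country": "DE"},
    {"order_id": 1003, "name": "Bob Example", "email": "bob@example.org",
     "ip_address": "198.51.100.4", "amount_eur": 120.00, "country": "FR"},
]

# Fields that directly identify the data subject; they never enter the working copy.
DIRECT_IDENTIFIERS = ("name", "email", "ip_address")


class PseudonymVault:
    """The 'additional information' of Article 4(5): the only place where the
    link between a token and a real identity exists.  In production this lives
    in a separate store with its own access controls and encryption; here it is
    an in-memory dict so the example runs offline."""

    def __init__(self):
        self._token_by_email = {}
        self._email_by_token = {}

    def token_for(self, email):
        key = email.strip().lower()
        token = self._token_by_email.get(key)
        if token is None:
            # A random token carries no information about the subject, so it
            # cannot be reversed without the vault (unlike a hash of the e-mail).
            token = secrets.token_hex(16)
            self._token_by_email[key] = token
            self._email_by_token[token] = key
        return token

    def resolve(self, token):
        return self._email_by_token.get(token)

    def forget(self, token):
        """Erasure: dropping the link makes every pseudonymised copy, wherever
        it is stored, no longer attributable to the person."""
        email = self._email_by_token.pop(token, None)
        if email is None:
            return False
        del self._token_by_email[email]
        return True


def pseudonymise(record, vault):
    """Replace the direct identifiers with a subject token; keep everything else."""
    token = vault.token_for(record["email"])
    kept = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    return {"subject_token": token, **kept}


def reidentify(pseudo, vault):
    """Re-attach the e-mail address, or return None if the subject was erased."""
    email = vault.resolve(pseudo["subject_token"])
    if email is None:
        return None
    return {"email": email,
            **{k: v for k, v in pseudo.items() if k != "subject_token"}}


# The tempting shortcut, shown so the difference is concrete: an unkeyed hash
# of a low-entropy identifier is reversed by hashing candidate values.
def hashed_pseudonym(email):
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def guess_from_hash(digest, candidates):
    for candidate in candidates:
        if hashed_pseudonym(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    vault = PseudonymVault()
    pseudo = [pseudonymise(o, vault) for o in ORDERS]
    for p in pseudo:
        print(p)
    # Orders 1001 and 1002 share a token, so fraud scoring or analytics can
    # still link them without seeing who the person is.
    print("same subject:", pseudo[0]["subject_token"] == pseudo[1]["subject_token"])
    print("re-identified:", reidentify(pseudo[0], vault))
    vault.forget(pseudo[0]["subject_token"])
    print("after erasure:", reidentify(pseudo[0], vault))
    print("weak hash reversed:",
          guess_from_hash(hashed_pseudonym("alice@example.com"),
                          ["carol@example.net", "alice@example.com"]))
```

The vault is the piece that must be kept separate and locked down: anyone with read access to it can re-identify the whole dataset, so it belongs in its own store with its own keys and audit trail, not in the same database as the pseudonymised records. Because the token is random rather than derived from the email, there is no way to regenerate the link once `forget` has run, which is what makes the erasure effective across every copy of the data.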
Other Key Details
• Article 37(1) requires a data protection officer (DPO), responsible for overseeing compliance with the law, in three cases: where the processing is carried out by a public authority or body; where the controller's or processor's core activities require regular and systematic monitoring of data subjects on a large scale; or where the core activities consist of large-scale processing of special categories of data (Article 9) or data relating to criminal convictions and offences. Member states may add further cases, and a company may of course appoint a DPO voluntarily.
• Liability for the other organizations a company shares data with is also an important consideration. Article 28 requires that a controller only use processors that give "sufficient guarantees" of compliance, and that the relationship be governed by a written contract covering, among other things, confidentiality, security, sub-processors, and assistance with data-subject requests and breaches. Under Article 82, controllers and processors involved in the same processing can be held jointly liable for damage, so companies that exchange data with other organizations need to understand those organizations' compliance posture rather than assume it.
• Data protection officers, whether or not they are an employee of the controller, should be in a position to perform their duties and tasks in an independent manner.
• Fines for GDPR non-compliance are tiered by the severity of the violation(s). For the most serious breaches (Article 83(5)), such as violating the basic principles for processing, the conditions for consent, or data subjects' rights, the maximum is €20 million or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher; a lower tier (Article 83(4)) caps at €10 million or 2%. For companies operating in several member states, fines are assessed by the Lead Supervisory Authority, which is the authority of the member state where the company has its main establishment (Article 56), working with the other authorities concerned.
• Due to the desire for uniformity, many international businesses are applying some form of the new rules and processes in every country. Therefore, this could change how companies interact with both customers and each other around the world, not just in Europe.
Despite being a very complex regulation, this article should at least provide a brief overview of some of the main requirements that businesses need to be aware of over the coming months. However, any company that has concerns about compliance should consult a lawyer that specializes in this area. Additional basic information about the regulation and how to comply with it is also available from multiple sources online, including the following:
What Is NS8 Doing to Prepare?
Along with many other companies, NS8 is readily preparing for all of these upcoming changes. We have established a data protection officer and are in the process of making sure all of our products comply with the standards set forth in GDPR for how data is collected, held, used, and deleted.
Many of the eCommerce platforms that partner with NS8 are making preparations of their own for the new rules. Below are a few resources on our partner sites with more information: