GDPR: What You Need to Know
Printed from http://www.bodytalksystem.com//learn/news/article.cfm?id=1051 on Aug 18, 2019.
Apr 03, 2018
By Paul Clayson
The Nuts and Bolts of the General Data Protection Regulation
By now, many of you may be aware of a new European law pertaining to data protection. This law is commonly known as the General Data Protection Regulation, or GDPR, and it replaces the 1995 EU Data Privacy Directive.
My goal here is to ensure everyone is aware of this new law so you can determine how it may affect you. In a future article, I will let you know what the IBA is doing to comply. In the meantime, here is a summary of my understanding of the new law.
What is GDPR?
The new GDPR is the biggest shake-up in privacy legislation and data management approaches for many years.
GDPR, as noted in Article 1 of the regulation's text, "lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data." In basic terms, GDPR is a regulation by the European Commission that is intended to strengthen and unify data protection standards for all EU citizens. Any business that provides services or goods to EU residents is by definition processing EU citizens' data and therefore will have to comply. In addition, GDPR encompasses personally identifiable data within social media, photos, email addresses and IP addresses. The Regulation also contains a requirement to only process the personal data required for specific tasks.
Another aspect of the law is increased vigilance against data breaches. The requirement to notify people who are affected by a data breach "without undue delay" is somewhat vaguely worded, and what constitutes an "undue" delay might vary from one case to the next. Because of this, it is important to be able to identify data breach events as quickly as possible. Only then can the work of containing the breach, eliminating its cause, and studying it to learn whose data was affected be completed soon enough to avoid accusations of delaying notice. Once the compromised records have been verified, specific notices should be sent out as soon as possible.
When does GDPR come into effect?
The effective date for the rule is May 25, 2018.
Who is affected by GDPR?
GDPR applies to ALL corporate entities that handle or process the data of any European Union citizens, even if the corporation and the data are outside of the EU. This applies even to "small" businesses and nonprofits. If a company handles the personal data of any EU citizen at any point in time, or could handle the data of an EU citizen in the future, then this regulation will affect it regardless of the company's geographical location. In other words, no matter where you are, if you collect any data on EU nationals, you are affected.
What are the consequences for non-compliance?
One of the most obvious consequences of failing to comply with the rule is that there are hefty potential fines involved. The severity of the fine will vary depending on the nature of the infraction, but fines equaling either 2% or 4% of your business's global annual revenue for the previous year are within the prescribed penalties.
Penalties for breaches will apply to firms that do not have adequate customer consent for processing personal data, or that violate the principles of the privacy-by-design concept and model.
Is data collected before GDPR affected?
Generally speaking, a law cannot be made retroactive. In the United States, for example, there is a constitutional prohibition against "ex post facto" laws, meaning laws that apply to acts that occurred before the law became effective. To my knowledge, the EU does not allow retroactive application of laws passed after the fact. Therefore, generally speaking, GDPR does not apply to data that was collected before GDPR's effective date.
However, there are some aspects of GDPR that, while forward looking, apply broadly to all data that you may have under your control because some sections are event specific, and are applicable to all businesses that retain data. An analogy would be this: A country may pass an omnibus vehicle safety law which includes a regulation about vehicle emissions, saying that cars manufactured after a certain year – say 1999 – have to meet a strict emissions standard. In that same law there may be a section that sets a new speed limit. All vehicles will have to adhere to that new speed limit, not just those manufactured after 1999.
GDPR contains a requirement that if personal data in your possession is breached, you are required to notify a supervisory authority of that breach within 72 hours of having become aware of the breach. This is (for some) a new standard, and it applies to all personal data in your possession.
The other main area where GDPR is agnostic in terms of when the data was collected has to do with the responsibilities and liabilities as between data controllers and data processors. By way of example, when someone comes to your website and gives you their email address, you are a data controller. When you pass that email address to an email marketing service provider, for example MailChimp or Constant Contact, so that they can send out your newsletter, they are a data processor. It's possible (even common) for an organization to be both a data controller and a data processor. GDPR lays out the responsibilities and liabilities of both data controllers and data processors. Among other things, a data processor has the responsibility to be GDPR compliant in terms of how they handle the data that data controllers entrust to them. They also have to make clear to the data controller that they are GDPR compliant, and also make clear to the data controller how they can check on this to ensure that the data processor is GDPR compliant. This does not depend on whether the data controller is passing pre- or post-GDPR acquired data.
Rights of the "Data Subject"
The "data subject" is the person whose data is being processed. Under the rules of GDPR, data subjects have a number of rights as defined in Chapter 3 of the Regulation, including:
- Transparent information regarding the communication and modalities of the exercise of the data subject's rights, i.e. businesses have to clearly communicate the rights of the person whose data is being processed.
- Notifications of when data is and is not being collected.
- The right of erasure. Data subjects can opt out and choose to be "forgotten" by businesses.
- The right to data portability. Basically, the data subject should be able to freely access any data that your business stores about them.
- The right to object. A person should be able to object to the processing of their personal data, in which case your business will have to cease processing the data "unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims."
The gist of this requirement is that the protections of GDPR apply whether you're handling data automatically or manually.
Household Activities Exemption
While the Regulation applies to even "micro-sized" businesses, it does not apply to "a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity," according to the text of recital 18. While businesses are required to protect data under the Regulation, a private citizen sending an email or sending out a tweet isn't covered under the regulation. Yet, the "controllers or processors which provide the means for processing personal data for such personal or household activities" are still expected to follow GDPR rules.
Chief Operating Officer