With the General Data Protection Regulation (GDPR) set to go into effect on May 25th, 2018, we wanted to run through some highlights for those who haven’t already spent many months knee-deep in research and preparation.
So what is GDPR? In a nutshell, GDPR is an effort to standardize data protection regulations across all EU member states. One of the chief goals is to ease compliance by establishing a single set of rules, which is definitely preferable to having 28 different sets of regulations. The main focus is to protect citizens’ personal data, and to do so, the GDPR addresses data security, transparency, accountability, and user consent.
A key principle underlying the regulation is the assumption that the consumer (“data subject”) owns and should have full control over their personal data. Any entity collecting, storing, or processing this data may do so only with the consent of the data subject. It is no longer sufficient to simply provide an “opt-out” option. The days of simply placing text like “by using this site, you agree…” in a website’s terms of service are ending. To achieve GDPR compliance, the data subject must grant consent by making “a statement or by a clear affirmative action.”
When requesting consent, the purpose(s) for the data collection and processing must be clearly communicated. Personal data should only be collected for “specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.”
The first thing you need to determine is whether or not your organization is considered “in-scope” with regards to the GDPR. Article 3 and Recital 23 of the GDPR provide guidance on this question. Like many aspects of the GDPR, these provisions are the subject of considerable debate. Only your organization, with legal counsel, can decide whether this applies to your business. The most important thing to understand is that you are not automatically exempt because of your business’s physical location.
Even if your legal team has determined that no immediate action is required for your organization to comply with GDPR, it would be prudent to take this opportunity to get your data collection and processing in order. It’s safe to assume that the future will bring similar regulations in other jurisdictions and that these regulations will resemble GDPR. Completing some prep work now will put you in a better position to handle compliance moving forward.
We’ve covered just some of the large aspects of GDPR. Here are some other things GDPR does:
- Allows data subjects to request any personal data that has been collected about them
- Allows data subjects to withdraw their consent, thus requiring deletion of their personal data
- Requires that data breaches be reported to a supervisory authority
- Requires the establishment of the Data Protection Officer within certain organizations
- Prohibits making decisions about the data subject “based solely on automated processing, including profiling” without explicit consent to do so
- Prohibits making a service conditional upon consent, unless the processing is necessary for providing your service.
Regardless of your immediate next steps, we recommend thinking about and discussing the following with your legal team as you evolve your digital services in the future:
- For all data being collected by your organization, understand:
  - With whom is it being shared, and why?
  - How is it being processed, and why?
  - How is it being stored, and why?
Thinking about and understanding the answers to these questions will aid in preparation around future data protection regulation needs.
Disclaimer: The content above is provided for informational purposes only. The information shared here is not meant to serve as legal advice. You should work closely with legal and other professional counsel to determine exactly how the GDPR may or may not apply to you. There are still several aspects and definitions within the regulations that are open to interpretation. For this reason, it is crucial that your organization evaluate your data programs as appropriate.