As Europe’s General Data Protection Regulation (GDPR) prepares to roll out on May 25, 2018, stakeholders are anxious to experience its revolutionary impact firsthand. With copious amounts of literature already written on the GDPR, this article will focus on its overarching purpose and mission, common misconceptions, and the road to compliance. Please keep in mind that the following information is not intended as legal advice.
A Unification of Purpose
The European Union (EU) devised the GDPR to unify and synthesize data privacy law across Europe while also extending its reach to organizations outside the EU’s borders. Despite the word “general” in its name, the data the regulation covers is, in practice, narrower than it sounds: it applies specifically to the processing of personal data. Essentially, this means all personally identifying information of individuals located within the EU.
Readers from the U.S. will note that the term “personal data” is used throughout the regulation. It is roughly equivalent to the U.S. term “personally identifiable information” (PII).
To comply with the GDPR’s requirements for personal data processing, your organization must have a system and protocol in place to manage data and data security. This system must be documented, and you must be able to produce that documentation upon request.
Increased Rights for Your Data Subjects
At the forefront of importance are an organization’s data subjects. The GDPR expands and explicitly clarifies the rights of data subjects in Articles 12 to 23. They are as follows:
- The right to be informed (Articles 13–14)
- The right of access (Article 15)
- The right to rectification (Article 16)
- The right to erasure, aka “the right to be forgotten” (Articles 17 and 19)
- The right to restrict processing (Articles 18–19)
- The right to data portability (Articles 19–20)
- The right to object (Article 21)
- Rights related to automated decision making and profiling (Article 22)
- Restrictions (Article 23)
Article 12 (“Transparent Information, Communication and Modalities for the Exercise of the Rights of the Data Subject”) and Article 23 (“Restrictions”) discuss the parameters surrounding the data subject’s rights under the GDPR. Your organization will need to ensure that your data subjects are aware of their rights.
In addition, should a data subject submit a request pertaining to his or her personal data, the turnaround time to provide requested information (at no cost) is 1 month. It would behoove organizations under the GDPR parameters to assess their procedures, roles, and responsibilities to ensure requests can be handled thoroughly and accurately in a timely manner.
Three GDPR Misconceptions
With the GDPR consisting of 99 Articles, 173 Recitals, and numerous Key Issues, it is necessary to address a few common misconceptions, with the aim of providing general (non-legal) clarity and guidance. The three misconceptions that follow assist in outlining the GDPR’s scope:
- Misconception 1—The GDPR revolves around and applies only to the personal data of European citizens. Interestingly, the term “European citizens” is not found in the 99 GDPR Articles, but rather, the GDPR uses the term “natural person(s).” More aptly, the GDPR applies to the personal data of individuals and companies located within the EU. Geographic location is key here. If personal data is being processed in the EU or applies to individuals located within the EU, or if a company outside the EU is processing data of individuals geographically located within the EU, the GDPR applies and is enforced.
- Misconception 2—This occurs when an organization believes that “consent” is the easiest, best, or only method to lawfully process personal data. In actuality, consent is simply one of six reasons for an organization to lawfully process personal data (see Article 6, “Lawfulness of Processing”; Article 7, “Conditions for Consent,” expands on the intricacies of consent). The other avenues for lawful processing are as follows:
  - The data subject has a consent contract.
  - Processing is necessary to comply with a legal obligation of the data controller.
  - Processing is necessary to protect the vital interests of the data subject.
  - Processing is important to perform a task in the public interest.
  - Processing is necessary for the legitimate interests of the data controller, except when overridden by the interests of the data subject.
- Misconception 3—If an organization claims “legitimate interest,” then direct marketing is automatically justifiable. In our modern age, most of us can think back on a case in which our personal data was used in some variety of direct marketing. The GDPR attempts to mitigate direct marketing concerns by allowing data subjects to object to the processing of their data for direct marketing purposes (Article 21, sections 2–3; Recital 70).
In short, an organization may try to claim legitimate interest as a justification for direct marketing because it sees itself as taking a vested interest in its customers. However, whether such a legitimate interest claim can actually be substantiated remains to be seen.
The Crossroads of Compliance
As with any new or existing regulation, we must strive for absolute compliance. However, since the GDPR is so new, we may find ourselves at a crossroads, asking, “Have I done enough to prove a good-faith effort if questioned by a supervisory authority (Article 51)?” The largely subjective answer to this seemingly straightforward question tells us that each organization will be affected differently by this new regulation. It is the unique differences in scope and in the processing of personal data that define the lines of compliance.
Because the GDPR is brand new (although privacy laws and regulations are not), the rigor with which its compliance measures will be enforced is largely unknown. However, the GDPR is clear about its intent to enforce “General Conditions for Imposing Administrative Fines” (Article 83). In worst-case scenarios, an administrative fine of €10 million to €20 million (about $12 million to $23.8 million) or 2% to 4% “of the total worldwide annual turnover of the preceding financial year, whichever is higher,” could be applied (Article 83, sections 4–5).
Putting Your Best Effort Forward
Remember, GDPR compliance is not a choice; it is a requirement. If your organization processes personal data and falls under the “when it applies” parameters, you simply must comply. As with most things, there are special cases, and documentation of a good-faith effort may go a fair distance, but how far it will go is not yet known with any certainty.
Additionally, with the rigidity of enforcement being an unknown, and to ensure that data processing integrity and security are maintained, it would be prudent for an organization to keep thorough documentation and vigilantly monitor GDPR materials as they are released in the coming months.