Information Today, Inc. Corporate Site KMWorld CRM Media Streaming Media Faulkner Speech Technology Unisphere/DBTA
Other ITI Websites
American Library Directory Boardwalk Empire Database Trends and Applications DestinationCRM Faulkner Information Services Fulltext Sources Online InfoToday Europe KMWorld Literary Market Place Plexus Publishing Smart Customer Service Speech Technology Streaming Media Streaming Media Europe Streaming Media Producer Unisphere Research

News & Events > NewsBreaks
Back Index Forward
Twitter RSS Feed

Europe's GDPR to Set New Standards in Data Protection and Privacy Law
Posted On May 22, 2018
As Europe’s General Data Protection Regulation (GDPR) prepares to roll out on May 25, 2018, stakeholders are anxious to experience its revolutionary impact firsthand. With copious amounts literature already written on the GDPR, this article will focus on its overarching purpose and mission, common misconceptions, and the road to compliance. Please keep in mind that the following information is not intended as legal advice.

A Unification of Purpose

The European Union (EU) devised the GDPR to unify and synthesize data privacy law across Europe while additionally encompassing organizations positioned in an extended territorial scope. The information or data covered under the umbrella of “general data” is, in theory, less generalized, as it applies specifically to the processing of personal data. Essentially, this general data equates to all personally identifying information of individuals located within the EU.

For those from the U.S. reading the GDPR, you will note that the term “personal data” is widely used in the regulation. This term would be similar to “personally identifiable information” (PII).

To comply with the GDPR and personal data processing, your organization must have a system and protocol in place to manage data and data security. This system must be documented (with the ability to prove such documentation upon request).

Increased Rights for Your Data Subjects

At the forefront of importance are an organization’s data subjects. The GDPR expands and explicitly clarifies the rights of data subjects in Articles 12 to 23. They are as follows:

  1. The right to be informed (Articles 1314)
  2. The right of access (Article 15)
  3. The right to rectification (Article 16)
  4. The right to erasure, aka “the right to be forgotten” (Articles 17 and 19)
  5. The right to restrict processing (Articles 1819)
  6. The right to data portability (Articles 1920)
  7. The right to object (Article 21)
  8. Rights related to automated decision making and profiling (Article 22)
  9. Restrictions (Article 23)

Article 12 (“Transparent Information, Communication and Modalities for the Exercise of the Rights of the Data Subject”) and Article 23 (“Restrictions”) discuss the parameters surrounding the data subject’s rights under the GDPR. Your organization will need to ensure that your data subjects are aware of their rights.

In addition, should a data subject submit a request pertaining to his or her personal data, the turnaround time to provide requested information (at no cost) is 1 month. It would behoove organizations under the GDPR parameters to assess their procedures, roles, and responsibilities to ensure requests can be handled thoroughly and accurately in a timely manner.

Three GDPR Misconceptions

With the GDPR consisting of 99 Articles, 173 Recitals, and numerous Key Issues, it is necessary to address a few common misconceptions, with the aim of providing general (non-legal) clarity and guidance. The three misconceptions that follow assist in outlining the GDPR’s scope:

  • Misconception 1—The GDPR revolves around and applies only to the personal data of European citizens. Interestingly, the term “European citizens” is not found in the 99 GDPR Articles, but rather, the GDPR uses the term “natural person(s).” More aptly, the GDPR applies to the personal data of individuals and companies located within the EU. Geographic location is key here. If personal data is being processed in the EU or applies to individuals located within the EU, or if a company outside the EU is processing data of individuals geographically located within the EU, the GDPR applies and is enforced.
  • Misconception 2—This occurs when an organization believes that “consent” is the easiest, best, or only method to lawfully process personal data. In actuality, consent is simply one of six reasons for an organization to lawfully process personal data (see Article 6, “Lawfulness of Processing”; Article 7, “Conditions for Consent,” expands on the intricacies of consent). The other avenues for lawful processing are as follows:
  1. The data subject has a consent contract.
  2. Processing is necessary to comply with a legal obligation of the data controller.
  3. Processing is necessary to protect the vital interests of the data subject.
  4. Processing is important to perform a task in the public interest.
  5. Processing is necessary for the legitimate interests of the data controller, except when overridden by the interests of the data subject.
  • Misconception 3—If an organization claims “legitimate interest,” then direct marketing is automatically justifiable. In our modern age, most of us can think back on a case in which our personal data was used in some variety of direct marketing. The GDPR attempts to mitigate direct marketing concerns by allowing data subjects to object to the processing of their data for direct marketing purposes (Article 21, sections 2–3; Recital 70).

In short, an organization may try to claim legitimate interest as a reason for using direct marketing because it sees itself as taking a vested interest in its customers. However, the ability to substantiate the legitimate interest claim will remain to be seen.

The Crossroads of Compliance

As with any new or existing regulation, we must strive for absolute compliance. However, since the GDPR is so new, we may find ourselves at a crossroads, asking, Have I done enough to prove a good-faith effort if questioned by a supervisory authority (Article 51)? The largely subjective answer to this seemingly straightforward question tells us that each organization will be affected differently by this new regulation. It is the unique differences in scope and processing of personal data that define the lines of compliance.

Because the GDPR is brand new (although privacy laws and regulations are not), the rigors of compliance enforcement measures with it are largely unknown. However, the GDPR is clear about its intent to enforce “General Conditions for Imposing Administrative Fines” (Article 83). In worst-case scenarios, an administrative fine of €10 million to €20 million (about $12 million to $23.8 million) or 2% to 4% “of the total worldwide annual turnover of the preceding financial year, whichever is higher,” could be applied (Article 83, sections 4–5).

Putting Your Best Effort Forward

Remember, GDPR compliance is not a choice; it is a requirement. If your organization processes personal data and falls under the “when it applies” parameters, you simply must comply. As with most things, there are special cases, and documentation of a good-faith effort may go a fair distance—but we just do not know with what certainty.

Additionally, with the rigidity of enforcement being an unknown, and to ensure that data processing integrity and security are maintained, it would be prudent for an organization to keep thorough documentation and vigilantly monitor GDPR materials as they are released in the coming months.

Kelly LeBlanc is a knowledge management specialist at FireOak Strategies, where she specializes in OA, open data, data management, geographic information systems (GIS), and data/information governance issues. Prior to joining FireOak, LeBlanc was with the Digital Initiatives Unit at the University of Alberta, where she worked with GISs, metadata, spatial, and research data. She served in various municipal planning and development capacities working with GISs, municipal law, planning/zoning regulations, and resource management. LeBlanc holds an M.L.I.S. from the University of Alberta and a master of letters from the University of Glasgow.

Related Articles

5/8/2018Ex Libris Creates Trust Center for GDPR Prep (and Other Information)
5/15/2018Microsoft Trust Center Offers Resources on GDPR Compliance
5/17/2018EDM Council Studies Data Management and the GDPR
6/5/2018ARL Rolls Out Issue Brief on GDPR and Libraries
8/7/2018Archive360 to Host Webinar on California Privacy Act
9/18/2018Europe Votes in Favor of New Copyright Law
12/4/2018Six Months of the GDPR's Pioneering Data Protection and Privacy
1/24/2019A Win for the 'Right to Be Forgotten' for a Doctor in the Netherlands
2/5/2019'Trends to Watch 2019: GDPR Goes Global' by Logan Finucan
6/25/2019The First Anniversary of the GDPR: Reflections on the Past Year
10/1/2019diginomica Provides an Update on GDPR Compliance
8/11/2020GDPR 2020: Where Compliance Lands Now
9/15/2020TikTok's User Data Security Becomes a Political Issue
7/13/2021GDPR 2021: A Review and Roundup
11/29/2022Meta Runs Into Trouble From the GDPR

Comments Add A Comment

              Back to top