Your Guide to the GDPR

Here’s what you need to know about the EU’s General Data Protection Regulation, which goes into effect 25 May 2018

Photo: iStockphoto

The European Union (EU) initially introduced the General Data Protection Regulation (GDPR) in May 2016 to help people assert control over their personal data on the Internet. Fast-forward two years, and GDPR takes effect worldwide on 25 May 2018, sending a cold shiver down the spine of just about everyone who does business on the Internet. Some companies—especially ones based in the United States—fear that this new set of EU regulations will not only impact business but also present the risk of punitive fines.

Among the main concerns for companies in the business of gathering and selling people’s personal information is determining what exactly “personal data” is and how companies must change the way they handle it. Ordinary users (dubbed “data subjects” in the regulation) also have questions about their new or expanded rights. For instance, when a user clicks the “cookies notification” window, what does it mean? And how do users ensure that their data isn’t being collected and stored so it can be bought and sold repeatedly, ad infinitum?

Before we dive into the details, it’s helpful to understand how we got to the point where the EU is enforcing GDPR worldwide. The answer lies in the fundamental disconnect between the EU’s laws and regulations that recognize users’ fundamental rights to privacy, and the tendency in the United States and other countries to address privacy only to the extent that it doesn’t interfere with commercial interests.

EU law has a defined concept of personal data and a general law to protect it. Meanwhile, the United States and other nations don’t have a uniform definition of information privacy or personally identifiable information (PII), although these countries sometimes have laws to protect privacy in some areas such as financial, health, and education data.

The GDPR prohibits the transfer of data to countries that don’t have an adequate level of data protection and establishes a procedure for formally determining whether a country provides that level of protection. Currently, the United States, Japan, and South Korea, among other countries, do not have what the EU considers to be an adequate level of data protection, nor do they provide the appropriate guarantees for international transfers of data from Europe.

So while the GDPR applies to controllers of data based in the EU, it also extends to controllers and processors of data not based in the EU that handle data generated as a consequence of providing goods or services to citizens of the EU or as a result of a monitoring and follow-up of their behavior.

How Will Companies Change the Way They Handle Personal Data?

For this extension of the GDPR’s scope to be effective, organizations based outside of the EU will have to appoint a representative in the EU. This representative will act as a contact point for the EU’s supervisory authorities (called Data Protection Authorities, or DPAs) and EU citizens. If necessary, this representative can be tasked by the supervisory authorities to carry out prescribed actions.

DPAs are independent public authorities that supervise, through investigative and corrective powers, the application of the data protection law. They provide expert advice on data protection issues and handle complaints lodged against violations of the GDPR and the relevant national laws. There is one in each EU member state. Generally speaking, the main contact point for questions on data protection is the DPA in the EU member state where the company in question or its representative is based.

The main changes under GDPR that differ from the previous Directive 95/46/EC are:

  • Increased territorial scope
  • Penalties
  • Consent

The bulk of the changes have occurred in relation to data subject (user) rights:

  • Breach notification
  • Right to access
  • Right to be forgotten
  • Data portability
  • Privacy by design
  • Data protection officers

The GDPR does not apply to the processing of personal data of deceased persons or of legal entities. Also, the rules don’t apply to data processed by an individual for purely personal reasons or for activities carried out in one’s home, provided there’s no connection to a professional or commercial activity. Consequently, the regulation does not apply to social networking and online activity undertaken within the context of such activities. While any data that is not personal data is outside the regulation’s scope, these are pretty broad definitions made to future-proof the regulation so it can address the increasing ability to identify a person using less and less data, or to reconnect data that supposedly can no longer be linked to a natural person back to such person—a function that has become known as “re-identification.”

The GDPR was born into an existing regulatory environment, and some GDPR measures simply extend, or in some cases supersede, current regulations. For instance, it’s already the case that companies can collect personal data only on a legal basis as defined in the GDPR’s Article 6, including consent; performance of a contract; compliance with a legal obligation to which the controller is subject; protection of the vital interests of the data subject or of another natural person; the public interest or the exercise of official authority vested in the controller; and processing for the purposes of the legitimate interests pursued by the controller or by a third party.

Companies and organizations must be prepared to comply with the rights of the data subject, the security measures, and the documentation obligation and, to some extent, the impact assessment and consultation of supervisory authorities. Other measures constitute a legal formalization of practices already widespread in companies, such as privacy by design and by default.

In all cases, the GDPR provides that whether these measures are required, and how they are implemented, will depend on factors such as the type of processing (for instance, whether sensitive data are processed), the implementation costs, and the risk that the processing poses to the rights and freedoms of the data subject. (See Guidelines on Data Protection Impact Assessment.)

Therefore, all organizations must carry out a data risk analysis to determine what measures should be applied and how. Given that the regulation goes into effect next month, that data risk analysis should already be complete or fairly far along. DPAs are already developing tools that facilitate risk assessment and make recommendations on the implementation of measures, particularly for the data processing operations most common in business management.

The question that bedevils many Internet companies revolves around who is ultimately liable for violations of users’ data rights. For example, if a website collects data on registrants and then passes on that collected data to a third party as part of a financial arrangement, who is responsible in that arrangement?

The GDPR says that both the website collecting the data (the controller) and the third party paying for that data are responsible. The controller is responsible for obtaining the consent of the registrant who provides the data, that is, the data subject. The data subject must be informed of the purpose for which the data is collected. If the company buying the data acts as another controller or as a processor of the data, the agreement between the controller and the processor becomes the focus. The purchaser of the data has to take responsibility according to the law and the contract.

There are a couple of additional obligations put on both data controllers and data processors in EU member states to ensure the protection of users’ data.

Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers—the controllers—“without undue delay” after first becoming aware of a data breach.

The one-stop-shop system is designed to ensure that data controllers established in several member states have a single Data Protection Authority as a partner. It also implies that each DPA will assess whether an alleged violation has a trans-boundary character, in which case a cooperation procedure must be opened among all the authorities concerned, seeking a solution acceptable to all of them.

Glossary of Terms

Breach Notification

Under the GDPR, breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers—the controllers—“without undue delay” after first becoming aware of a data breach.

Consent

While there are six grounds for the lawfulness of information processing, one of the most prominent ways for establishing that lawfulness is the option of consent. The idea of explicit and clear consent is critical in the GDPR and is defined as a “freely given, specific, informed and explicit” indication of wishes, either by statement or by clear affirmative action. “Implicit consent” would not provide this clarity and would not put data subjects in full control of their data. 

The GDPR strengthens conditions for consent, and companies will no longer be able to use long, illegible terms. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.

Many of us are quite familiar with the “cookies” window that pops up whenever you open a new web page. By clicking on the cookies window, users give consent, provided they have been given clear and comprehensive information on the use of these data-retrieval and data-storage tools.

Processing of personal “sensitive data” is prohibited in principle. However, an organization can process sensitive data if one of the conditions of Article 9 is met, such as: the explicit consent of the individual has been obtained (a law may rule out this option in certain cases); substantial public interest; public interest in the field of public health; or the data is processed for archiving, scientific or historical research, or statistical purposes, always on the basis of EU or national law.

Data Controller

The data controller determines the purposes for which the data is used and which personal data is processed.

Data Processor

The data processor processes the data on behalf of the data controller.

Data Protection Authorities

Data Protection Authorities (DPAs) are independent public authorities that supervise, through investigative and corrective powers, the application of the data protection law. There is one in each EU member state.

Currently, controllers are required to notify their data processing activities to local DPAs, which, for multinationals, can be a bureaucratic nightmare, since most member states have different notification requirements. Under the GDPR it will not be necessary to submit notifications or registrations of data processing activities to each local DPA. Instead, there will be internal record-keeping requirements (see “One-Stop Shop”).

Data Protection Officers

Appointment of Data Protection Officers (DPOs) will be mandatory only for those controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of special categories of data, or of data relating to criminal convictions and offenses.

Importantly, the DPO:

  • Must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices
  • May be a staff member or an external service provider
  • Must have their contact details provided to the relevant DPA
  • Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
  • Must report directly to the highest level of management
  • Must not carry out any other tasks that could result in a conflict of interest

Data Subject

A data subject is a person who can be directly or indirectly identified by a third party employing reasonably likely means.

One-Stop Shop

The one-stop-shop system is designed to ensure that data controllers established in several member states have a single data protection authority as a partner. It also implies that each DPA will assess whether an alleged violation has a trans-boundary character, in which case a cooperation procedure must be opened among all the authorities concerned, seeking a solution acceptable to all of them.

Personal Data

Personal data is any data related to a data subject. So, personal data is any information that relates to an identified or identifiable living individual. It does not cover deceased persons or legal entities.

Personal Data Processing

Keeping the same basis as Directive 95/46/EC, GDPR’s Article 6 establishes the legal basis for the lawfulness of personal data processing:

  • Consent
  • Performance of a contract
  • Compliance with a legal obligation to which the controller is subject
  • To protect the vital interests of the data subject or of another natural person
  • Public interest or in the exercise of official authority vested in the controller
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party

Of course, some personal data is considered “sensitive” and is subject to specific processing conditions, including:

  • Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs
  • Trade-union membership
  • Genetic data, biometric data processed solely to identify a human being
  • Health-related data
  • Data concerning a person’s sex life or sexual orientation

Despite these restrictions on what is considered sensitive material, the regulation offers consent as one way for data subjects to control how data about them is processed.

Pseudonymization

The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

Re-identification

The re-identification issue in particular has been a source of confusion for Internet companies. Data that is not linked to a name is not necessarily anonymous data and may still be personal data. Even removing items from data sets does not necessarily render such data anonymous. This has been witnessed in re-identification attacks that have targeted search engine records and other data sets. With technological progress, these attacks will become more and more sophisticated.

Despite this seemingly insurmountable problem of re-identification for Internet companies, the GDPR introduced a solution to overcome it: pseudonymization. However, the regulation is quick to note that personal data that has been de-identified, encrypted, or pseudonymized but can still be used to re-identify a person remains personal data and falls within the scope of the law.
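The following Python sketch is an added illustration of the Pseudonymization and Re-identification entries, not code from the original article. It pseudonymizes a constructed set of customer records with a keyed HMAC and keeps the key and the pseudonym lookup table in a separate "vault" (the "additional information" of the definition); the working dataset can be analyzed without e-mail addresses, but because the vault can re-link it, the dataset is still personal data under the regulation. The names PseudonymVault, pseudonymize and purchases_per_subject are this example's own.

```python
"""Pseudonymization as the GDPR glossary defines it: the working records can
no longer be attributed to a data subject without separately held additional
information (here a secret key plus a pseudonym -> identifier table)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records; not real people.
RECORDS: List[Dict] = [
    {"email": "alice@example.com", "country": "DE", "purchases": 3},
    {"email": "bob@example.org", "country": "FR", "purchases": 1},
    {"email": "alice@example.com", "country": "DE", "purchases": 2},
]


class PseudonymVault:
    """Holds the additional information that must be kept apart from the
    dataset and protected by technical and organizational measures."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)
        self._table: Dict[str, str] = {}

    def pseudonym(self, identifier: str) -> str:
        # A keyed HMAC rather than a plain hash: without the key nobody can
        # recompute the pseudonym from a guessed e-mail address, so the
        # working dataset on its own does not point back to a person.
        tag = hmac.new(self._key, identifier.lower().encode(), hashlib.sha256).hexdigest()
        self._table[tag] = identifier
        return tag

    def reidentify(self, tag: str) -> Optional[str]:
        # Re-linking is possible only for whoever holds this vault, which is
        # why the pseudonymized dataset remains personal data in scope.
        return self._table.get(tag)


def pseudonymize(records: List[Dict], vault: PseudonymVault) -> List[Dict]:
    """Replace the direct identifier with a pseudonym; keep the other fields."""
    out = []
    for rec in records:
        copy = {k: v for k, v in rec.items() if k != "email"}
        copy["subject_id"] = vault.pseudonym(rec["email"])
        out.append(copy)
    return out


def purchases_per_subject(pseudo_records: List[Dict]) -> Dict[str, int]:
    """Analytics that work on the pseudonymized data without the vault."""
    totals: Dict[str, int] = {}
    for rec in pseudo_records:
        totals[rec["subject_id"]] = totals.get(rec["subject_id"], 0) + rec["purchases"]
    return totals


if __name__ == "__main__":
    vault = PseudonymVault()
    pseudo = pseudonymize(RECORDS, vault)
    for tag, total in purchases_per_subject(pseudo).items():
        print(tag[:12], total, "->", vault.reidentify(tag))
```

A second vault with a different key yields unrelated pseudonyms and cannot re-link the first vault's tags, which is the property the separation of the additional information is meant to provide.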

User Rights Under GDPR

Users (or data subjects) have more rights to control their personal data under the GDPR. The regulation introduces new elements, such as the right to be forgotten and the right to portability, which improve users’ ability to decide about and control the personal data they entrust to third parties.

The fundamental right to data protection recognizes citizens’ power to control their personal data and to decide whether and how to provide it. The GDPR strengthens the old rights laid down in Directive 95/46/EC and provides new ones.

Existing, expanded rights:

Right of Information

The right of information pertains to the collection of personal data. Interested parties must be informed beforehand, expressly, precisely, and unambiguously, by the party responsible for processing that information, about the existence of a file and of the possibility of exercising their rights.

Right of Access

The right of access allows citizens to know and obtain, free of charge, information on their personal data being processed. This means that data subjects can obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, and where and for what purpose it is being processed. Further, the controller will provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift toward data transparency and the empowerment of data subjects.

Right to Rectification

Allows for the correction of errors and the modification of data that proves to be inaccurate or incomplete.

Right to Cancellation

Allows for the deletion of data that proves inadequate or excessive.

Right to Object (or, Right of Opposition)

Allows the affected data subjects to stop the processing of their personal data and extends to their right to information about the collection of their personal data. Interested parties must be informed beforehand, expressly, precisely, and unambiguously, by those responsible for the processing, about the existence of a file and of the possibility of exercising their rights.

The right to object gives the data subject the right to object on grounds relating to his or her particular situation. When that happens, GDPR Art. 21(1) says: “The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.”

New Rights:

Right to Be Forgotten

The right to be forgotten, also known as data erasure or right to oblivion, stems from a case involving a Spanish man who won a legal case against Google to force it to stop linking to a newspaper announcement of a government auction of his seized property.

As now established, the right to be forgotten entitles data subjects to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

It is the manifestation of the traditional rights of cancellation and opposition applied to Internet browsers. This right prevents the spread of personal information via the Internet when its publication does not meet the requirements of appropriateness and relevance under the rules.

The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to the original purposes for processing, or a data subject’s withdrawal of consent. It should also be noted that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.

This right to be forgotten can be exercised against the search engine without having to go to the original source because search engines and the original publishers have different principles on how they archive information, with different legitimacy and also with a different impact on the privacy of individuals. In other words, if a newspaper has the original story in its files, the data subject does not need to go to that newspaper to have the information erased but needs only to ask the online aggregator to have that story removed.

Data Portability

GDPR introduces the concept of data portability—the right for data subjects to receive the personal data concerning them, which they have previously provided in a “commonly used and machine readable format,” and the right to transmit that data to another controller.

Right to Restriction of Processing

According to Article 18 of the GDPR, generally speaking, in cases where it’s unclear whether and when personal data will have to be deleted, you may exercise your right to restriction of processing. That right can be exercised when:

  • The accuracy of the data in question is contested
  • You don’t want the data to be erased
  • The data is no longer needed for the original purpose but may not be deleted yet because of legal grounds
  • The decision on your objection to processing is pending

About the Author

Rosa Maria Garcia Sanz is a professor of law at the Universidad Complutense in Madrid and author of the recently published book Digital Journalism: Rethinking Communications Law to Support Democracy and Viable Business Models, published by Academica Press, Palo Alto, Calif.
