In part one of our introduction to GDPR, we look at the new EU regulation from the basics up and try to explain the background to the law, whom it applies to, and some of the things that you are lawfully obliged to implement. With the promise of expensive fines and stringent prosecution, this is something that will have a significant impact on business both inside and outside the EU. Let’s take a look at the background to GDPR and get a deeper picture of how it affects you.
What is GDPR?
GDPR is an acronym for General Data Protection Regulation. It is an EU regulation that will generate the biggest changes in data protection in the EU since 1995. GDPR was created to bring as much uniformity into data protection as possible. That’s a big change from the current situation. There is an existing EU 1995 Directive, which was implemented into national data protection laws. However, there can still be significant differences among states. Now that it is a regulation, it will be directly applicable. It also means that if someone wants to do business in Ireland, for instance, they can now be sure that a similar legal regime will exist in other member states too. This new regulation is better suited to the challenges our current digital world poses.
When Will GDPR Come Into Effect?
GDPR will come into effect on May 25, 2018, but the final text has already been available for more than a year. In all member states, there is a public authority that is responsible for dealing with GDPR issues from an administrative point of view and for imposing any fines arising from non-compliance. Although the regulation is more or less standardized throughout the EU region, there are some areas where member states still have the ability to create amendments to the rules. For instance, there is a rule under GDPR that states children under 16 must obtain the consent of a parent or guardian, but this can be modified to the age of 13. As GDPR states, “the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.”
How Will GDPR Be Implemented and How Can Companies Prove They Are Compliant?
It is the responsibility of the company to prove that it is compliant, under the principle of accountability. This means they must be able, at any time, to demonstrate that they are GDPR compliant. Because several of the supporting mechanisms are not ready yet, GDPR encourages each sector to draw up codes of conduct: once a code has been approved, companies in that sector can implement it and rely on it as evidence of GDPR compliance. GDPR states, “The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises.”
Whom Does GDPR Apply to and Who Is Exempt?
According to GDPR, it is an EU regulation that “applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” (A controller is the person that determines the purposes and manner in which personal data is processed.) This confirms that “establishment” is a broad and flexible concept that does not hinge on any particular legal form. An organization may be established in the EU regardless of the size of its operation there.
It also applies to companies outside the region that monitor the behavior of people within the EU, and to non-EU companies that offer goods or services within the EU. So, a CMS that can distinguish between visitors based within and outside the EU is of great benefit: based on geolocation, the site can refrain from running analytics on EU-based visitors until they have given consent for the site to track their web behavior.
Importantly, GDPR states that you cannot refuse a user access to your service because they do not consent to the processing of data that is not necessary for the business itself—for instance, if someone visits an e-commerce site to purchase something and the website says that they cannot complete the sales process unless they allow their web behavior to be tracked. When the only information the page collects is the information necessary to complete that purchase, such as name, surname, ID number, etc., consent is not required, as this data is needed for the sales or service contract. But the site cannot tell a customer that they are not allowed to buy anything unless they hand over personal data for Facebook remarketing and the like. GDPR states, “when assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
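The two points above (gating analytics on EU visitors behind consent, and never making checkout conditional on that consent) can be implemented as a small piece of front-end decision logic. The following is an added example, not Kentico's code or a CMS feature; it assumes the server has already derived a `visitor.inEu` flag from geolocation, that the site's cookie banner stores a consent record in the shape shown, and that the script URLs are placeholders.

```javascript
// Added example: consent-gated loading of optional tracking scripts.
// Assumption: the server sets `visitor.inEu` from geolocation before the page
// renders; the consent record is written by the site's own cookie banner.

// Placeholder URLs for scripts that are "not necessary for the contract".
const TRACKING_SCRIPTS = {
  analytics: "https://analytics.example/tag.js",
  remarketing: "https://ads.example/pixel.js",
};
const OPT_IN_PURPOSES = Object.keys(TRACKING_SCRIPTS);

// A consent record only counts if it is explicit and freely given. A record
// captured by making the purchase conditional on it is rejected outright.
function isValidConsent(record) {
  if (!record || typeof record !== "object") return false;
  if (record.conditionalOnService === true) return false; // consent wall
  if (!Array.isArray(record.purposes)) return false;
  if (!record.purposes.every((p) => OPT_IN_PURPOSES.includes(p))) return false;
  return typeof record.givenAt === "string"; // when it was given, for audit
}

// Decide which optional scripts may load for this visitor.
function scriptsToLoad(visitor, consentRecord) {
  if (!visitor.inEu) {
    // Assumption: outside the EU the site applies its default (local-law) policy.
    return Object.values(TRACKING_SCRIPTS);
  }
  if (!isValidConsent(consentRecord)) return []; // no consent, no tracking
  return consentRecord.purposes.map((p) => TRACKING_SCRIPTS[p]);
}

// Checkout asks only for the fields needed to perform the sales contract and
// deliberately never looks at the consent record.
function validateOrder(order) {
  const required = ["name", "surname", "address"];
  const missing = required.filter((f) => !order || !order[f]);
  return { ok: missing.length === 0, missing };
}

// Browser glue, kept apart from the decision logic so the latter runs without a DOM.
function injectScripts(doc, urls) {
  for (const url of urls) {
    const s = doc.createElement("script");
    s.src = url;
    s.async = true;
    doc.head.appendChild(s);
  }
}

// Constructed sample data for a quick check.
const sampleConsent = {
  purposes: ["analytics"],
  givenAt: "2018-05-25T10:00:00Z",
  conditionalOnService: false,
};
const walledConsent = { ...sampleConsent, conditionalOnService: true };

if (typeof document !== "undefined") {
  injectScripts(document, scriptsToLoad({ inEu: true, country: "IE" }, sampleConsent));
}
```

The decision logic returns the list of scripts rather than loading them, so the same rules can be unit-tested server-side and audited later against the stored consent records.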
How Much Restructuring Is Involved for Companies?
This depends on the type of data processing the company does, how important personal data use is to its core business, and what type of data it is—sensitive or standard—as there are much higher requirements for sensitive data. That’s why any restructuring based on GDPR should start with a GDPR compliance audit and a deep review that maps the company’s processes to the data they touch. The review or audit should then detail what you need to do to implement any procedures or control mechanisms, for example, access rights to certain data.
Who Should Lead GDPR Implementation?
Many bigger companies have started the processes already and have internal compliance officers or external providers of this service. In small-to-medium-sized businesses, this should start with the top management, and they then need to delegate the responsibility.
If You Are a Digital Agency, What Should You Do for Your Clients, and What Is Their Own Responsibility?
Digital agencies, in most cases, are data processors, meaning they need to take care of their existing contracts with clients, because those contracts include all the instructions for what the agency can and cannot do with the data. So, they need to review these. As data processors, they will also have an obligation to report any breach of GDPR compliance. As GDPR states, this means the agency “processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest…”
For instance, if they learn that the data controller is doing something that is not 100% GDPR compliant, they should inform the data controller about it. And in doing this, they can really be helping their clients in cases such as when they know the client intends to do a certain type of email marketing but they obtained the contacts in a less-than-100% legal way. By informing them that this is against GDPR, they might save the client from incurring a fine. Moreover, they also have to notify the client about any personal data breach. As the GDPR states, “The processor shall notify the controller without undue delay after becoming aware of a personal data breach.”
Finally, the digital agencies will have to implement “appropriate technical and organizational measures” to protect their data and to prevent any type of data breach. These obligations fall on all data processors. As GDPR also states, “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
With the imminent introduction of GDPR, how far are you in implementing GDPR compliance within your company? Are you a digital agency? How have you communicated the need for GDPR to your clients? Let us know your comments as well as any other opinions you might have on the subject; we’d love to hear from you.
DISCLAIMER: All data and information provided in this blog post are for informational purposes only. Kentico makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to GDPR compliance.