General Data Protection Regulation:  How the EU’s data privacy regulations will impact even those outside the EU. 

After four years of debate, the European Union passed the GDPR in April 2016.  It took effect on May 25, 2018, permanently altering how organizations across the world approach data processing.  Here is a quick analysis of the impact of the new regulations.

Who does it affect?

Though the European Union only has jurisdiction to govern activity within its members, the reach of these regulations will extend globally.  The regulation extends to any organization which processes data about EU citizens in the context of selling goods or services.  Since all major companies sell to European citizens, and many smaller companies do, the GDPR will change how most business is done.

Furthermore, the GDPR applies to both data controllers and processors.  This means the regulations apply to both the companies interacting with consumers and the cloud companies which store the information.

What does it change?

In addition to establishing jurisdiction as described above and permitting penalties as described below, the GDPR changes the status quo for two main categories: (1) individual data rights; and (2) organizational data processing and management.

Individual Data Rights

Permitted Data Processing:

One of the first things the GDPR does is limit the circumstances in which processing data about individuals is permissible.  If the consumer consents, then data processing is permitted.  Otherwise, data processing is only allowable where it is necessary for a permitted purpose.  These purposes are performing a contract, compliance with a legal obligation, protecting the data subject (or another EU citizen), the public interest or the controller’s official authority, or “legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Consent:

The first way the GDPR increases individual rights is by requiring and defining consent to data access.  Any organization processing information which could identify the user – such as names, ID numbers, or location data – must get consent from the user.  In describing the consent, the organization cannot use the complex legalese or overly long terms of service that have become the norm.  Instead, the organization must explain how the data will be processed in a “concise, transparent, intelligible and easily accessible form, using clear and plain language.”  The consent must be “unambiguous.”  When sensitive personal information is involved, the organization must receive an explicit opt-in from the user.  Additionally, parental consent is needed for children (the default age is 16, but countries may lower it to no less than 13).

Right to Copy of Data and Right to Erasure:

The other key change to individual rights concerns access to and control over the data.  Under the GDPR, data subjects have a right to a free electronic copy of the data being processed about them.  From there, the subject has the “Right to Be Forgotten,” or right to data erasure.  This right means that, upon request, the controller must erase the data, stop any further dissemination of the data, and ask any third parties holding the data to destroy it.


There are times where a request will not be granted, however.  When the data controller receives such a request, they must compare the subject’s privacy rights against the public interest in having the data available.  For example, it is unlikely a prominent politician would be able to have their data deleted, as the public interest in the information would be too great.  There must be no undue delay in making this decision.  Ordinarily, the decision must be made within one month, but the timeframe can extend an additional two months if the circumstances are complex or if there are too many requests to process.

Organizational Data Processing and Management

The first major requirement sets the tone for the entire GDPR.  Data processing systems must now be designed with data protection as a key priority, rather than the frequent practice of making data protection an add-on to the system.  Data protection must now be at the forefront of organizations’ minds, and it cannot be an afterthought.  In particular, the GDPR requires the following security measures to be employed by all data processors:

  1. the pseudonymisation and encryption of personal data;

  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
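The first of the four measures, pseudonymisation, is often misunderstood as simply hashing an identifier. The following is an added example (not part of the original post, and not prescribed by the regulation itself) that shows the difference: an unkeyed hash of an email address can be reversed by hashing a list of guessed addresses, whereas a keyed pseudonym (HMAC-SHA256 with a secret key the controller stores separately from the data) keeps records about the same person linkable for processing while not being reversible from the data alone. The sample records, the key-derivation choice and the helper names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the illustration; these are not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "purchase": "book"},
    {"email": "bob@example.com", "purchase": "lamp"},
    {"email": "alice@example.com", "purchase": "pen"},
]


def pseudonymise(identifier: str, key: bytes) -> str:
    """Return a keyed pseudonym for a direct identifier.

    HMAC-SHA256 makes the mapping depend on a secret key held by the
    controller, not on the identifier alone, so the pseudonym cannot be
    mapped back merely by hashing a guessed identifier.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_records(records, key: bytes):
    """Replace the email with a pseudonym and keep the remaining fields."""
    out = []
    for rec in records:
        copy = dict(rec)
        copy["subject_id"] = pseudonymise(copy.pop("email"), key)
        out.append(copy)
    return out


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic, but reversible by guessing inputs."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def reverse_by_guessing(target: str, candidate_identifiers, key: bytes = None):
    """Try to recover the identifier behind a pseudonym from a candidate list.

    Against an unkeyed hash the candidate list alone suffices; against a
    keyed pseudonym the key is also needed, which is why it is stored apart
    from the pseudonymised data.
    """
    for cand in candidate_identifiers:
        guess = naive_hash(cand) if key is None else pseudonymise(cand, key)
        if hmac.compare_digest(guess, target):
            return cand
    return None


def main():
    key = secrets.token_bytes(32)  # kept separately from the pseudonymised data
    pseudo = pseudonymise_records(SAMPLE_RECORDS, key)
    # Alice's two purchases remain linked through the same pseudonym.
    print(pseudo[0]["subject_id"] == pseudo[2]["subject_id"])
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    # The unkeyed hash is recovered from a short guess list; the keyed one is not.
    print(reverse_by_guessing(naive_hash("alice@example.com"), guesses))
    print(reverse_by_guessing(pseudo[0]["subject_id"], guesses))
    # Destroying the key removes the link between pseudonyms and real identities.


if __name__ == "__main__":
    main()
```

Note that the regulation still treats pseudonymised data as personal data, because the controller holding the key can re-identify the subject; pseudonymisation reduces the risk of a leaked data set but does not remove the other obligations described in this post.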


In addition, GDPR requires certain organizations to have a Data Protection Officer (DPO) to ensure compliance.  The organizations needing a DPO are: (1) public authorities; (2) organizations that engage in large scale systematic monitoring; (3) organizations that engage in large scale processing of sensitive personal data.  In addition to the DPO, organizations are required to keep a number of internal records to demonstrate compliance.

How is it enforced?

The GDPR’s enforcement relies upon penalties for violations.  At the highest tier, an organization breaching the GDPR can be fined up to 4% of annual global turnover or 20 million Euros (more than 23.3 million American dollars at current exchange rates).  Penalties are tiered, however: smaller violations, such as improper record keeping or failing to notify after a breach, can attract fines of up to 2% of annual global turnover.

Will the GDPR make the Internet safer?

It remains to be seen whether the GDPR will substantially advance its goal of making the internet safer.  Though the penalties can amount to substantial fines, the amounts may not be enough to guarantee compliance.  Companies are, however, taking the new regulations seriously and working to comply.  By focusing on giving individuals rights to their own information and forcing companies to prioritize privacy, the EU has taken the biggest step to date.  The next major data breach may be the first opportunity to fully assess the impact the GDPR has had on Internet security.

By Ridgeway Woulfe (edited by Bill Adams)
