Introduction to GDPR
The scope of the European Union’s new General Data Protection Regulation (GDPR) is far-reaching, and has turned lives upside down for many businesses that are sustained by collecting personal data from consumers.
Although implementing GDPR is complicated, we believe it represents a step in a positive direction for data protection. TrueVault has produced an e-book that reviews some of the fundamental components of GDPR with the aim of helping your business interpret and implement the law. This is the first in a series of blog posts that introduces some of the core principles of GDPR.
Background on GDPR
GDPR came into effect on May 25, 2018, and concerns the processing of personal data and the rights of data subjects over their personal data. Though GDPR is a European law, it applies to any organization or individual that has an EU presence or deals with the personal data of individuals residing in the EU, meaning that virtually all transnational companies are impacted.
Personal data encompasses any information that could reveal the identity of a particular individual. The legal definition is broad, and could include first and last name, address, contact information, online usernames etc. Under GDPR, an identifiable individual is referred to as a “data subject”. GDPR applies to organizations that collect personal data about data subjects. These organizations are referred to as “data controllers” or “data processors”.
Data controllers are organizations that determine the process and methods for collecting personal data.
Data processors are responsible for directly processing personal data, following the directions of the data controllers.
If your business keeps a membership list (e.g., a list of email subscribers for marketing purposes), or stores information about employees (e.g., has an office based in Europe), then it essentially functions as a data controller or processor and must comply with GDPR.
Compliance or bust
Businesses have two choices when it comes to data protection. They can comply with GDPR, or withdraw from doing business in Europe
We urge businesses to focus on compliance, because the law includes some best practices for security that will make companies safer. Also, because data protection regulation is the way of the future. There are many countries passing legislation that follows the spirit of GDPR, or are considering similar laws that gives data subjects more control over how their personal information is collected, stored, and managed by businesses.
GDPR violations carry steep financial penalties, as high as four percent of global annual turnover in severe cases. Facebook is the first high-profile data breach in a post-GDPR world. If enforcers find Facebook violated GDPR with its most recent breach, the company could be penalized with more than $1 billion in fines.
Key principles of GDPR
GDPR has a broad scope and introduces many new legal concepts that give data subjects more autonomy over how their personal information is processed. Some of the key principles of the law are summarized below, and will be expanded upon in future blogs.
The rights of data subjects
GDPR reaffirms the rights of data subjects over their personal information, and also introduces new rights for individuals to govern their personal data. Under GDPR, data subjects have the authority to access their personal data, receive a copy of their personal data, and request that their data be deleted. When possible, companies ought to provide data subjects with secure access to their data through a remote self-service system. There is more information about the numerous rights of data subjects in our ebook.
The law states that a data subject must provide clear and unambiguous consent for their data to be processed. Consent to data processing must be voluntary, and can be withdrawn at any time. Companies must disclose the purpose of collecting personal data (e.g., marketing, sales etc.), and data subjects have authority over how their data is processed.
Rules for data processing
There are six grounds for a company to process the personal data of an individual: consent; performance of a contract; legal obligation; vital interests; public interest or official authority; legitimate interests. If the data subject did not grant consent, then one of the other five rules must be met for data processing to be lawful.
For businesses, the most likely grounds for data processing will be consent or legitimate interests. Consent is a more complex rule than it appears, and businesses on the path to becoming GDPR compliant ought to analyze this rule in-depth. GDPR has strict rules as to the quality of consent necessary for compliant data processing. If the data subject does not grant consent for their personal data to be processed, the organization must prove it has a legitimate interest. Many businesses can meet the legitimate interest grounds for data processing, but only if the rights of the data subject do not override the legitimate interests of a business. This topic is explained in detail in our ebook, but the tension between business interests and the rights of a data subject will likely be decided in the courtroom.
Protection by design
Article 25 of GDPR states that companies must make security the guiding principle of data processing. It is expected then that businesses will design technical and organization-level checks to ensure that the personal data of the data subject is protected. Some steps a business can take include de-identifying personal data, and minimizing the amount of data collected.
GDPR is designed to minimize the risk of a data breach. Ideally, businesses that built a secure system that operates in compliance with GDPR will be able to prevent a data breach, or mitigate the impact of a data breach if one is to occur (e.g., by de-identifying personal data). If a data breach does occur, the data controller must report to the supervisory authority of GDPR within 72 hours of becoming aware of the data breach, and has a duty to notify the public of the breach. The obligation to reduce the harm of the data breach is not explicitly stated in the rule, but as our ebook notes, is implied throughout the Regulation.
Watch our blogs for the next installment in our GDPR series. Have more questions about GDPR in the meantime? Download our GDPR Guide for an in-depth overview of how the law impacts your business.