In January 2012, the European Commission set out plans for data protection reform across the European Union in order to make Europe ‘fit for the digital age’. Almost four years later, agreement was reached on what that involved and how it would be enforced. After four years of preparation and debate the GDPR was finally approved by the EU Parliament on 14 April 2016, with enforcement beginning on 25 May 2018. While many of the GDPR’s rules are similar to those defined in the EU’s Data Protection Directive of 1995 (which was enshrined in UK law as the Data Protection Act 1998), that earlier directive was created before the age of social media, and before the internet had properly transformed the way we work and live. A separate aim of GDPR is to make it easier and cheaper for companies to comply with data protection rules. The EU’s 1995 directive allowed member states to interpret the rules as they saw fit when they turned it into local legislation. The nature of GDPR as a regulation, and not a directive, means it applies directly without needing to be turned into national law, creating fewer variations in interpretation between member states. The EU believes this will collectively save companies €2.3 billion a year. GDPR applies to any organisation operating within the EU, as well as any organisation outside the EU which offers goods or services to customers or businesses in the EU.
If you control or process personal data relating to EU residents, whether they’re customers or your own staff, you will have to do so in a way that complies with GDPR. Organisations don’t have to be based in the EU to be bound by GDPR. They only need to be processing or holding data on EU residents in order for GDPR to apply to them. Depending on your role in collecting or processing that data, the regulation will view you as either a data controller or a data processor. A data controller defines the terms (how and why) of data processing, but does not necessarily carry out these activities itself. That means it might contract a third party to collect and process data, telling them how to do it and stating what purpose they are doing it for. A data processor is the third party that performs the actual data collection and data processing. That means a controller could be any organisation, from a high street retailer to a global manufacturing giant to a charity, while a processor could be an IT services firm it employs. It’s the controller’s job to make sure the processor complies with data protection law, while processors must maintain records of their processing activities to prove they abide by the rules. If a processor breaches GDPR, it must notify its controller immediately, and the controller will still be liable for financial penalties if its processor breaches the rules. The GDPR is the most contested law in the EU’s history, the product of years of intense negotiation and thousands of proposed amendments, despite its building blocks having been present in European law for decades. The first of those building blocks, ostensibly, is universality: a common set of rules and practices that apply across the Continent and, it is hoped, the world. The second is enforcement: the capacity for regulators to fine any company in breach of the GDPR as much as four per cent of its total worldwide sales. Both are headlines only, of course.
The law leaves a good deal of wiggle room for implementation and interpretation; although the fines far exceed anything that data protection authorities have wielded before, they are likely to be levied sparingly.
GDPR affects every company, but the hardest hit will be those that hold and process large amounts of consumer data: technology firms, marketers, and the data brokers who connect them. Even complying with the basic requirements for data access and deletion presents a large burden for some companies, which may not previously have had tools for collating all the data they hold on an individual; but the largest impact will be on firms whose business models rely on acquiring and exploiting consumer data at scale. If companies rely on consent to process data, that consent now has to be explicit, informed, and renewed if the use changes.
The world’s largest companies have updated their sites to comply with GDPR. Facebook launched a range of tools to “put people in more control over their privacy”, by unifying its privacy options and building an “access your information” tool to let users find, download and delete specific data on the site. The company also forced every user to agree to new terms of service, and took the opportunity to nudge them into opting in to facial recognition technology. Apple revealed a privacy dashboard of its own, although the company proudly noted that, unlike its competitors, it does not collect much personal data in the first place and so did not need to change much to comply. Google took a different tack, quietly updating its products and privacy policies without drawing attention to the changes. The General Data Protection Regulation (GDPR) is expected to set a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to comply. Compliance will raise concerns for, and place new expectations on, security teams. For example, the GDPR takes a wide view of what constitutes personally identifiable information. Companies will need the same level of protection for things like an individual’s IP address or cookie data as they do for name, address and Social Security number. The GDPR leaves much to interpretation. It says that companies must provide a “reasonable” level of protection for personal data, for example, but does not define what constitutes “reasonable.” This gives the GDPR governing body a lot of leeway when it comes to assessing fines for data breaches and non-compliance. Many of the requirements do not relate directly to information security, but the processes and system changes needed to comply could affect existing security systems and protocols.
This new data protection regulation puts the consumer in the driver’s seat, and the task of complying with it falls upon businesses and organizations. In short, the GDPR applies to all businesses and organizations established in the EU, regardless of whether the data processing takes place in the EU or not. Even organizations established outside the EU will be subject to GDPR: if your business offers goods and/or services to citizens in the EU, then it is subject to GDPR. All organizations and companies that work with personal data should appoint a data protection officer or data controller who is in charge of GDPR compliance. There are tough penalties for those companies and organizations that don’t comply with GDPR: fines of up to 4% of annual global revenue or €20 million, whichever is greater. Many people might think that the GDPR is just an IT issue, but that is far from the truth. It has broad, sweeping implications for the whole company, including the way companies handle marketing and sales activities.
The conditions for obtaining consent are stricter under GDPR, as the individual must have the right to withdraw consent at any time, and there is a presumption that consent will not be valid unless separate consents are obtained for different processing activities. This means you have to be able to prove that the individual agreed to a certain action, to receive a newsletter for instance. Consent cannot be assumed or established by a disclaimer, and providing an opt-out option is not enough. GDPR changes a lot of things for companies, such as the way your sales teams prospect or the way that marketing activities are managed. Companies have had to review business processes, applications and forms to be compliant with double opt-in rules and email marketing best practices. In order to sign up for communications, prospects will have to fill out a form or tick a box and then confirm that it was their action in a further email. Organizations must prove that consent was given in a case where an individual objects to receiving the communication. This means that any data held must have a time-stamped audit trail and reporting information that details what the contact opted into and how. If you purchase marketing lists, you are still responsible for having the proper consent information, even if a vendor or outsourced partner was responsible for gathering the data. In the B2B world, sales people meet potential customers at a trade show, they exchange business cards, and when they come back to the office, they add the contacts to the company’s mailing list. In 2018, this is not possible anymore.
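The double opt-in flow and the time-stamped audit trail described above can be implemented as a small consent ledger. The following is an added example written for this article, not code from the article or from any company it mentions; the class and method names, the in-memory storage, the HMAC-hashed confirmation tokens and the sample contact address are all assumptions made for illustration.

```python
# Added example (not from the article): a double opt-in consent ledger that
# keeps the time-stamped audit trail the text describes. All names, the
# in-memory storage and the sample contact are assumptions for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AuditEvent:
    at: datetime   # UTC time stamp of the event
    email: str     # the contact concerned
    purpose: str   # what they opted into, e.g. "newsletter"
    action: str    # requested | confirmed | withdrawn | rejected
    source: str    # how it happened, e.g. "web-form" or "email-link"


class ConsentLedger:
    """One consent per (contact, purpose), proven by an append-only log."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        # Only the HMAC of a confirmation token is stored, so a leaked copy of
        # this table cannot be used to confirm a subscription on someone's behalf.
        self._pending: Dict[str, Tuple[str, str]] = {}
        self._active: Dict[Tuple[str, str], AuditEvent] = {}
        self.audit: List[AuditEvent] = []

    def _fingerprint(self, token: str) -> str:
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def _log(self, email: str, purpose: str, action: str, source: str) -> AuditEvent:
        event = AuditEvent(datetime.now(timezone.utc), email, purpose, action, source)
        self.audit.append(event)
        return event

    def request(self, email: str, purpose: str, source: str = "web-form") -> str:
        """Step 1 of double opt-in: the contact ticks a box on a form.

        Returns the single-use token that goes into the confirmation email.
        No marketing is sent until the contact confirms.
        """
        token = secrets.token_urlsafe(32)
        self._pending[self._fingerprint(token)] = (email, purpose)
        self._log(email, purpose, "requested", source)
        return token

    def confirm(self, token: str, source: str = "email-link") -> bool:
        """Step 2: the contact follows the link in the confirmation email."""
        entry = self._pending.pop(self._fingerprint(token), None)
        if entry is None:
            # Unknown or already-used token: record the attempt, grant nothing.
            self._log("unknown", "unknown", "rejected", source)
            return False
        email, purpose = entry
        self._active[(email, purpose)] = self._log(email, purpose, "confirmed", source)
        return True

    def withdraw(self, email: str, purpose: str, source: str = "unsubscribe-link") -> None:
        """Consent can be withdrawn at any time; the history is kept, not erased."""
        self._active.pop((email, purpose), None)
        self._log(email, purpose, "withdrawn", source)

    def has_consent(self, email: str, purpose: str) -> bool:
        """Check before every send; consent is per purpose, not per contact."""
        return (email, purpose) in self._active

    def proof(self, email: str, purpose: str) -> List[AuditEvent]:
        """Everything needed to answer an objection: what, when and how."""
        return [e for e in self.audit if e.email == email and e.purpose == purpose]


if __name__ == "__main__":
    ledger = ConsentLedger(secret=b"constructed-demo-secret")
    token = ledger.request("alice@example.com", "newsletter")  # constructed contact
    ledger.confirm(token)
    for event in ledger.proof("alice@example.com", "newsletter"):
        print(event.at.isoformat(), event.action, event.source)
```

Two design choices map directly onto the requirements in the text: consent is keyed by contact and purpose, so a newsletter opt-in never doubles as consent for a different processing activity, and every state change (including a rejected or reused token) is appended to the log with a UTC time stamp and its source, which is what `proof()` returns when a contact objects.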
The General Data Protection Regulation (GDPR) is the biggest change in data protection laws for 20 years. Coming from the European Parliament and the European Commission, it aims to give back control of personal data to individuals, and it will redress the power balance between individuals and the companies that handle their data. Its impact won’t just be felt in Europe, however, as it may have wider implications for companies across the world that may be viewed as established in the EU, viewed as selling services to data subjects in the EU, or that monitor the activities of EU data subjects (if that activity occurs in the EU). Article 3 of the GDPR tries to answer the question of who is subject to it in less than 150 words, which suggests that the answer should be straightforward. In fact, true to its evolutionary nature, the first ground for the territorial applicability of the GDPR essentially mirrors the language of its predecessor, the 1995 data protection directive. In that vein, the GDPR applies where the data processing activities take place in the context of the activities of an establishment of a controller or a processor in the EU. The only real difference is the reference to processors; otherwise, the GDPR is applicable as determined by the existing doctrine of the European Court of Justice, which in 2014 issued an influential ruling in this respect. According to this doctrine, the law will apply even if the processing itself takes place outside the EU, as long as there is an inextricable link between that processing and the local activities of an EU-based establishment, such as the promotion of the business or some other economic activity that contributes to that business. In other words, global organisations with a physical presence in the EU will almost always be subject to the GDPR.
The second ground for the applicability of the GDPR did not exist under the directive, but it is a fairly logical one. In those cases where a controller or processor does not have an EU-based establishment, the GDPR will still apply whenever the use of personal data relates to the offering of goods or services to individuals in the EU, irrespective of whether a payment is required. This has to do with a simple principle which is set out in Recital 23: people in the EU should not be deprived of the protection to which they are entitled under the GDPR. Crucially, this ground for the applicability of the GDPR is not triggered by the mere accessibility of a website from the EU, but by a more active targeting of individuals in the EU. In the case of processors, this will probably be interpreted as capturing the provision of services to a customer controller which relate to that customer’s offering of goods or services to individuals in the EU.
The other ground under which those without an EU establishment will often be caught by the GDPR is more difficult to pin down. It relates to the monitoring of those individuals’ behaviour in the EU. Recital 24 of the GDPR clarifies that tracking individuals on the Internet to analyse or predict their personal preferences, as many websites and apps do, will trigger the application of EU law. However, this measure makes almost every website in the world that drops tracking cookies, or any app that retrieves usage information, subject to the GDPR, which cannot be what the legislators intended. Common sense dictates that while under this ground the territorial applicability of the GDPR is universal, in practice the focus of regulators will be on those who use intrusive technologies from abroad to interfere with people’s privacy in the EU. Again, in the case of processors, the attention will likely be on those providing services which help customers track individuals in the EU. The GDPR has broad, sweeping requirements that impact companies across the world. US Fortune 500 companies have put billions toward compliance, and in some cases that has not been enough to avoid lawsuit filings, while some smaller firms have closed operations or shut down entirely until they better understand the implications of these new regulations. The rising cost of doing business, the stifling of data-driven enterprises, and higher barriers to entry for entrepreneurship are the other side of the coin of these data protection regulations.
To be sure, there are GDPR advocates. Many in fact feel this is the right step toward data transparency and a more efficient data economy in the long run. As with any policy, its usefulness can only be judged against the individual’s goals and preferences. Like it or not, GDPR is here to stay, and businesses would do well to plan and build security into their architecture from the ground up, creating easy one-click solutions to GDPR’s legal requirements.
Published in Mélange intl. Magazine in August 2018.