How the New European Data Privacy Law Will Impact Subscription Companies

Any company collecting or processing data from European citizens will be impacted by GDPR.

Overview


Europeans and the European government are taking data privacy very seriously. In fact, some are saying the EU’s new law – General Data Protection Regulation (GDPR) – is the most important change in data privacy regulation in the last 20 years. GDPR was approved and adopted by EU Parliament in April 2016. In May 2018, the two-year transition period for GDPR expires and the new data privacy law goes into effect and will be fully enforceable across the European Union.

GDPR replaces Data Protection Directive 95/46/EC, passed in October 1995, with a goal of creating uniform, enforceable data privacy laws in Europe, so that all citizens in the EU will have their personal data protected in a consistent way in all member states.

Another goal of GDPR is to reframe how companies look at the protection of personal data, so it becomes a primary concern rather than a secondary one. Ideally, this will help prevent data breaches in a data-driven world where such breaches are occurring with increased frequency. GDPR's extended territorial reach (discussed under "Expanded Jurisdiction" below) also removes any previous ambiguity about which companies are covered.

According to GDPR, personal data is any information relating to a natural person, also called a data subject, that can be used directly or indirectly to identify that individual. It can be a name, photo, email address, bank information, social networking posts, health data, computer IP address, genetic data, sexual orientation, etc. GDPR requires that the processing of such personal data be lawful and fair, and that the way the data is collected, used, consulted or otherwise processed be transparent. The personal data of deceased data subjects is not covered by GDPR.

Any company collecting or processing personal data from European citizens, including subscription companies, will be affected by GDPR, regardless of where the company is located. Data processors and data controllers will both be impacted. A data controller is a company that determines the reasons, conditions and means of processing personal data. A data processor is a company that processes personal data on behalf of a data controller.

One item that is not clear is how Brexit will impact GDPR. If/when the UK exits the European Union, it will choose whether or not to implement GDPR or an equivalent regulation. According to a post by Lexology in June 2016, the UK “is and remains committed to data protection compliance.”

Ideally, subscription companies will have already assessed their data collection and processing systems and have started to make changes. Those who haven’t should start preparing now to comply with the laws and to avoid fines as large as €20 million for violation of the data privacy changes. Here’s what you need to know.


Preparing Europe for the Digital Age


When the European Commission proposed its EU Data Protection Reform in January 2012, the goal was to “make Europe fit for the digital age.” The proposed regulations were designed to provide fundamental data protection rights for citizens, giving them easier access to their own data, the right to transfer data between service providers, the right to be forgotten, and the right to be notified promptly when their data had been hacked.

The rules were also meant to provide clear, more modern regulations for businesses in the digital economy, with the following concepts:

  • One continent, one law: One simple set of rules that apply to all member states
  • One-stop-shop: One regulatory authority, estimated to save €2.3 billion per year
  • European rules on European soil: Applies to all companies doing business with European citizens, regardless of location
  • Risk-based approach: Data protection rules are tailored to respective risks
  • Data protection by design: Regulation guarantees that data protection safeguards are built into products and services at the outset. Privacy-friendly techniques are encouraged.

How GDPR Differs from Previous Regulations

Expanded Jurisdiction

According to EUGDPR.org, one of the biggest changes from previous privacy protections is the expanded jurisdiction of GDPR. With the new regulation, all companies that offer products and services to and that process personal data of EU citizens must comply, regardless of where the companies themselves are located. For example, if an American subscription company has subscribers in the EU, the rules apply to that company, even though the company is based in the United States.

In addition, GDPR states that the regulation applies to both data controllers and processors, so “clouds” are not exempt from the law. The law also applies even if no payment is required for goods and services, so GDPR applies to subscription companies that utilize a freemium model, free-registered-users-model, and similar models where products and services are free to subscribers and members.

Stronger Conditions for Data Subject Consent

The conditions for consent are stronger than in the past. In Article 32, GDPR says that data consent should be given by data subjects in a “clear, affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data.” This could be through written statement, oral statement or electronic means.

This type of consent could be obtained by ticking a box when visiting a website, choosing technical settings for services, or another statement or conduct which clearly indicates the data subject’s acceptance of the processing of their data. “Silence, pre-ticked boxes or inactivity” cannot be construed as consent. (Recital 32)

Using clear, plain language, data controllers must identify themselves and obtain consent in “an intelligible and easily accessible form” with an explanation attached outlining the reason for data collection and processing. Consent must be “clear and distinguishable” from other matters, and it must be as easy to withdraw consent as it is to give it.

Because children may be less aware of risks, children receive specific protection for their personal data. Parental consent will be required before companies can process the personal data of children under the age of 16 for online services. Member states within the EU can regulate at a lower age, but not below the age of 13.

Steeper Penalties for Violations

The penalties for GDPR can be steep. A company that violates the law can be fined up to a maximum of 4 percent of annual global turnover, or €20 million, whichever is greater. EUGDPR.org points out that this level of fine will apply to serious violations such as failure to get customer consent to process data or violating the core of Privacy by Design concepts. According to The Privacy Advisor, the higher level of fines applies to violations of:

  • Basic principles for processing data, including data subject consent
  • Data subjects’ rights
  • Data transfer provisions
  • “Obligations to Member State laws including the right to freedom of expression and information, collection and use of national identification numbers, employment processing, secrecy obligations, and data protection rules for churches and religious associations.”
  • “Non-compliance with an order or a temporary or definitive limitation on processing or suspension of data flows by a supervisory authority.”

Because GDPR uses a two-tiered approach to penalties, less serious violations, such as not having records in order, failure to designate a DPO, or failing to notify a supervisory authority (Article 33) or data subject of a personal data breach (Article 34), may be subject to lesser fines. The lower tier threshold is 2 percent of a company’s annual global turnover, or €10 million, whichever is greater.

Rights of Data Subjects

The GDPR addresses the rights of data subjects in detail. They include:

Data breach notification: In member states, breach notification is mandatory when a data breach occurs and is likely to “result in a risk for the rights and freedoms of individuals.” A data breach is defined as “a breach of security leading to the accidental and unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed,” according to The Privacy Advisor. Notification must occur within 72 hours of first learning of the breach. Data processors must notify customers and data controllers “without undue delay” after first learning a breach has occurred.


Right to access: Data subjects have the right to obtain from the data controller confirmation as to whether or not their personal data is being processed, where and for what purpose. Data controllers shall provide a copy of the personal data in an electronic format, free of charge. EUGDPR.org calls this “a dramatic shift to data transparency and empowerment of data subjects.”

Right to be forgotten: Article 17, on data erasure, says data subjects have the right to be forgotten by having the data controller erase the subject’s personal data, cease further distribution of the data, and potentially require third parties to also stop processing the data. This includes data that has become irrelevant or cases where a data subject withdraws consent to the use of their data. According to EUGDPR.org, this right requires that controllers weigh the subject’s rights against “the public interest in the availability of the data” when they consider these requests.

Data portability: A data subject has the right to get a copy of the personal data about them, which has been previously provided in a “commonly-used, machine-readable format,” and to have that data transmitted to another controller.

Privacy by design: Though this is not a new idea, privacy by design is now a legal requirement under GDPR. It essentially means that when new systems are designed, data protection must be considered at the outset. Article 23 specifies that data controllers only hold and process the data that is absolutely necessary for their duties – called data minimization – and limit access to personal data to those who need it for processing.

Data protection officers: A Data Protection Officer (DPO) must be appointed in the case of (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, and (c) organizations that engage in large-scale processing of sensitive personal data, as defined in Article 37. Organizations that do not meet any of these conditions do not have to appoint a DPO.

Where a DPO is required, data controllers will no longer have to submit notifications or registrations of their data processing activities to local authorities, but they will have internal record-keeping requirements. DPO appointment is mandatory for controllers and processors whose core activities include processing operations that require regular and systematic monitoring of data subjects on a large scale, or large-scale processing of special categories of data or of data relating to criminal convictions and offenses. While DPOs are not new, they were previously regulated at the member state level and there was no uniformity. Under GDPR, certain private sector organizations must appoint DPOs, regardless of their size. The DPO…

  • Must be appointed based on professional qualities, including expert knowledge of data protection law and practices
  • May be a staff member or work for an external service provider
  • Must provide contact details to the appropriate DPA
  • Must receive the necessary resources to conduct their work and maintain expert knowledge
  • Must report directly to the highest level of management
  • Must not carry out any other tasks that could result in a conflict of interest

A DPO will perform the following tasks:

  • Educate the organization and any staff who process personal data about their obligations
  • Monitor the company’s compliance with the regulation
  • Offer guidance and advice on data protection impact assessments and performance monitoring
  • Cooperate with relevant authorities
  • Serve as company contact, internally and externally, on issues related to the processing of personal data

GDPR Vendor Solutions

Vendors like Microsoft are already helping their clients prepare for GDPR by offering a variety of data processor and controller educational materials and solutions. Microsoft, for example, has created some simple graphics that explain what will change and what organizations need to know about the new laws.

[Image: Microsoft graphic summarizing what changes under GDPR and what organizations need to know. Source: Microsoft]

Microsoft offers cloud services and on-premises solutions to help companies assess their systems and identify and plan for necessary changes. Microsoft also provides a handy assessment and questionnaire for companies to establish a baseline for how much work they need to do to prepare for GDPR. Microsoft is just one of many vendors. Others include IBM Analytics, Veritas and HPE Solutions to name a few. SaaS vendors around the world are eager to help companies comply with the new regulation.

Rules, Regulations and Best Practices

It is in the best interests of data controllers and processors, regardless of their legal obligation and location, to employ a Data Protection Officer to ensure the company’s compliance with GDPR. We encourage subscription companies to take that one step further by developing their own internal best practices. This list of rules, regulations and best practices is not exhaustive or all-inclusive. A company’s DPO is responsible for full compliance with GDPR.

  1. Data controllers are obligated to engage only those data processors that provide “sufficient guarantees to implement appropriate technical and organizational measures” to meet GDPR requirements, including the protection of data subjects’ rights. Processors must also take all measures required in Article 32.
  2. Data controllers must inform data subjects that they have the right to withdraw consent before they give consent. After a data subject withdraws consent, their personal data should be erased and no longer used for processing. [Note: Consent must be specific to EACH data processing operation.]
  3. Implement security measures like pseudonymization that reduce the risks to data subjects and help data controllers and processors to meet their data protection obligations.
  4. Special categories of personal data such as health-related data should receive higher protection from potential risks.
  5. In cases of the public interest, such as public health, constitutional or international public law or the democratic process, it may be necessary for personal data to be collected and processed without the data subject’s consent.
  6. Any information addressed to the public or a data subject must be concise, easily accessible and easy to understand and be written in clear and plain language.
  7. For transparency, data subjects should be informed of the existence of a processing operation and its purposes, including the existence of and consequences of profiling.
  8. Data subjects should have the right to access personal data that has been collected about them and to verify the legality of that processing.
  9. A data controller should use all reasonable means to verify the identity of a data subject who requests access to their personal data.
  10. A data subject has the right to have their personal data erased and no longer processed when that data is no longer relevant or necessary for the reasons it was originally collected and processed.
  11. Data controllers are encouraged to develop interoperable formats that allow data subjects to transmit their data to other processors upon request.
  12. Data controllers are obligated to implement “appropriate and effective measures” and be able to demonstrate their compliance, including the effectiveness of their data protection measures. These measures should be regularly tested, assessed and evaluated for effectiveness.
  13. Data breach notification must occur within 72 hours after first learning of the breach. If notification does not occur within 72 hours, the data controller must explain why notification was delayed. See The Privacy Advisor’s “Top 10 Operational Impacts of the GDPR: Part 1 – Data Security and Breach Notification” for additional rules, regulations and best practices.
  14. Data transfers are permitted across country borders, including outside the EU in certain circumstances. DPOs should be aware of and comply with applicable regulations.
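Items 3 and 10 above name pseudonymization and erasure without showing what they look like in practice. The following is an added example, not code from the original article or from any vendor it mentions: it pseudonymizes constructed subscriber records with a keyed HMAC (so pseudonyms cannot be recovered by hashing a list of likely email addresses), keeps the pseudonym-to-email lookup table separate from the working data set, and handles an erasure request by removing both the lookup entry and the subject's rows. The sample records, field names and demo key are all constructed assumptions.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

# Fields treated as direct identifiers; they are stripped from the working data set
# (data minimization) and survive only in the separately held lookup table.
DIRECT_IDENTIFIERS = ("email", "name", "ip_address")

# Constructed sample subscriber records (fictional people, documentation IP ranges).
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"email": "Ann.Example@example.org", "name": "Ann Example",
     "ip_address": "198.51.100.7", "plan": "annual", "country": "DE",
     "newsletter_consent": "yes"},
    {"email": "bob@example.net", "name": "Bob Example",
     "ip_address": "203.0.113.9", "plan": "monthly", "country": "FR",
     "newsletter_consent": "no"},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Return a keyed pseudonym (HMAC-SHA256, hex) for a direct identifier.

    Normalizing case and whitespace keeps the pseudonym stable across systems.
    The key is what makes this pseudonymization rather than a plain hash: without
    it, a pseudonym cannot be reversed by hashing a list of likely email addresses.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymise_batch(records: List[Dict[str, str]], key: bytes
                       ) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Split records into a working data set and a separately stored lookup table.

    The working rows carry only the pseudonym plus the attributes actually needed
    for processing; the lookup table (pseudonym -> email) is kept with the key.
    """
    working: List[Dict[str, str]] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        pid = pseudonym(rec["email"], key)
        row = {"subscriber_id": pid}
        row.update({k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS})
        working.append(row)
        lookup[pid] = rec["email"]
    return working, lookup


def reidentify(pid: str, lookup: Dict[str, str]) -> str:
    """Re-identification is possible only for whoever holds the lookup table."""
    return lookup[pid]


def erase_subject(email: str, key: bytes, working: List[Dict[str, str]],
                  lookup: Dict[str, str]) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Handle an erasure request: drop the lookup entry and every working row."""
    pid = pseudonym(email, key)
    lookup.pop(pid, None)
    remaining = [row for row in working if row["subscriber_id"] != pid]
    return remaining, lookup


def leaks_direct_identifier(working: List[Dict[str, str]]) -> bool:
    """Check that no direct identifier field slipped into the working data set."""
    return any(field in row for row in working for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    # Constructed demo key; a real key belongs in a KMS/HSM, not in source or in
    # the same store as the working data.
    demo_key = b"demo-key-not-for-production"
    rows, table = pseudonymise_batch(SAMPLE_RECORDS, demo_key)
    print("working rows:", rows)
    print("leaks identifiers:", leaks_direct_identifier(rows))
    rows, table = erase_subject("ann.example@example.org", demo_key, rows, table)
    print(len(rows), "row(s) remain after erasure")
```

Two design points worth noting: the pseudonym is deterministic, so records from different systems about the same subscriber can still be joined, and a compromise of the working data set alone discloses neither identities nor the key. Rotating the key breaks that join, so a rotation has to re-pseudonymize the working set at the same time.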


Sources:

Council of the European Union, full text of the regulation, April 6, 2016.

DPO Network Europe

EUGDPR.org

European Commission, “Agreement on Commission’s EU Data Protection Reform Will Boost Digital Single Market,” December 15, 2015.

Lexology, “Brexit and the Data Protection Outlook,” June 24, 2016.

The Privacy Advisor, “Top 10 Operational Impacts of the GDPR: Part 1 – Data Security and Breach Notification,” January 6, 2016.

The Privacy Advisor, “Top 10 Operational Impacts of the GDPR: Part 3 – Consent,” January 12, 2016.

The Privacy Advisor, “Top 10 Operational Impacts of the GDPR: Part 10 – Consequences for GDPR Violations,” March 23, 2016.
