On May 25, 2018, the General Data Protection Regulation (GDPR) becomes enforceable. This means that you must be fully compliant with this new set of privacy laws if you have users within the EU.
Building upon the Data Protection Directive 95/46/EC, the GDPR creates a stricter, more complete set of regulations. If you fail to meet the new standards of the GDPR by May 25th, you could face steep fines and other penalties.
Here's a rundown of what new requirements the GDPR puts in place.
While the GDPR is a big deal for privacy law in the European Union, it is more of an upgrade than a revolutionary new set of rules.
The GDPR shores up the shortcomings of its predecessors with a clearer and more complete set of privacy laws. Much of the ambiguity of previous regulations has been resolved, and some existing policies have been strengthened.
Below is a list of the major changes and updates covered by the GDPR:
- The GDPR unambiguously states that any company processing the personal data of residents of the EU is required to comply with its guidelines, regardless of the location of the company.
- Maximum fines for non-compliance have been increased to €20 million or 4% of annual global turnover (whichever is higher).
- Your Privacy Policy must be easy to read using natural, intelligible language.
- Consent must be given in a clear and easy to understand manner before collecting or processing personal data.
- You may need to appoint a Data Protection Officer with their own set of responsibilities to oversee and carry out processes related to data privacy.
- Subject Access Requests must be completed within 30 calendar days and be provided free of charge. The response must tell the individual what information about them is being processed, where it is being processed, and why it is being processed, and must include a copy of the personal data. (Previously this was 40 calendar days with a charge of up to £10.)
- You must notify the proper parties within 72 hours of discovering a data breach, and notify users without delay.
- Data subjects have the right to have their personal data erased, cease its dissemination, and stop any processing of that data.
- Data protection should be built in from the onset of designing your systems, rather than added later.
- You should only collect and process the personal data needed to complete the expected tasks.
- Only those who need access to the personal data should have access to it.
This list does not cover every aspect of the GDPR, but highlights some major changes that you should be aware of before May 25th.
You should read and understand the entirety of the GDPR in order to ensure your practices are adequate, or else you may face fines and other penalties once the GDPR becomes enforceable.
Penalties under the GDPR
Along with the new, stricter regulations of the GDPR, the penalties for non-compliance have also been increased. More authority has also been given to data protection authorities to investigate and penalize those who violate the law.
The maximum penalty has been raised to €20 million or 4% of annual global turnover in the previous year, whichever is greater.
Factors such as how many people were affected, how long they were affected, whether an infraction was intentional or the result of negligence, and the degree of cooperation with regulators can all affect the severity of the fines for breaking the laws set forth by the GDPR.
To avoid possible fines and penalties, you should read and understand the entirety of the GDPR before the date of enforcement.
Protected types of personal information
The GDPR enforces restrictions on collecting and processing certain kinds of personal data. These kinds of sensitive data should generally not be collected or processed aside from a few exceptions or special circumstances:
- Race
- Ethnic origin
- Political opinions
- Religious beliefs
- Philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data
- Health
- Sex life
- Sexual orientation
Special circumstances that would warrant the collection of such data include collecting it with explicit consent and for a specific purpose, or in order to comply with certain laws or court cases.
There are a few exceptions, such as scientific research, but even in these cases extra legislation is in place to ensure ethical use of these types of sensitive information.
Your Privacy Policy should be easy to read
One of the most straightforward requirements of the GDPR is to have an easy-to-read, easy-to-understand Privacy Policy written in natural language. No more cumbersome legalese.
This ensures that users can actually understand the policies of a company and that the company cannot hide their intentions behind impenetrable mazes of text.
Let's have a look at the intro of the Calm Privacy Policy:
As you can see, this is incredibly easy to read and understand. By using simple, natural language, Calm can effectively inform its users of its policies.
To contrast, let's take a look at the introduction to Mango Languages' Privacy Policy:
While it is not impossible to discern the meaning of this paragraph, it is much more cumbersome to digest with all of the parentheses and quotation marks. You can tell that this was written by a lawyer and is overly technical for the average user. A document that is multiple pages long written in this manner would be excessively burdensome for the average internet user to read and understand.
The objective of this clause in the GDPR is for companies to have a Privacy Policy that is easy to read, like the example from Google. After all, a Privacy Policy is a resource for the average user, not for lawyers or the government.
The GDPR does not call for a complete rewrite of your Privacy Policy, as much of the requested information remains the same. An updated draft written in natural language that complies with the more specific requirements of the GDPR will suffice in most cases. A few additional clauses may be needed, especially to cover topics related to the 8 new rights of users.
Data Protection Officers (DPOs)
The GDPR sets forth new guidelines for Data Protection Officers who are responsible for ensuring that their organization is compliant with the GDPR and other regulations.
The role of Data Protection Officers is important and should be entrusted to a responsible individual who fully understands and is current on the relevant privacy laws for your company.
This individual should be chosen based on qualifications and knowledge of data protection regulations. It is also best if your DPO is knowledgeable about all aspects of your organization so that they can assist with privacy law as it pertains to all facets of the company.
Here is a snapshot of Article 39 of the GDPR which discusses the duties of Data Protection Officers:
Data Protection Officers are not intended to be an additional burden on your company, but instead to be your resident expert who can ensure you are complying with all relevant privacy laws and answer any questions you or your users may have.
Ideally, a Data Protection Officer will lessen the burden on you and other members of your organization by handling this aspect of operations, leaving you to focus on business tasks.
A Data Protection Officer should be free from oversight that interferes with his or her duties, be free of any conflicts of interest regarding his or her other positions within the company, and be expected to be a part of the company for the foreseeable future.
A Data Protection Officer should also receive the resources, staff, budget and cooperation necessary to carry out their duties.
The primary role of a Data Protection Officer is to ensure that data privacy laws are being followed.
You should read the full details about Data Protection Officers in the GDPR as well as the FAQ, and be ready to appoint a qualified candidate before May 25, 2018, if:
- Your company's primary activities involve processing operations that regularly monitor data subjects on a large scale,
- Your company's primary activities involve processing sensitive data on a large scale, or
- Your company is a public authority
Subject Access Requests (SARs)
Under the GDPR, your users have well-defined rights about their ability to access the personal data you possess about them.
Your company should have a policy in place for how to handle these requests and fully understand the expectations such as timeframe and the penalties for failing to meet these requirements.
In short, a Subject Access Request informs individuals about:
- What personal data pertaining to them is being processed
- Why this personal data is being processed
- Who has access to their personal data
- How this personal data is used in automated decisions, and which processes use it
This request must be answered within 30 calendar days. The response must include copies of the personal data as well as the source of that data, and must address the questions above in an understandable format.
The GDPR states that a Subject Access Request must be provided free of charge.
Subject Access Requests can be a hassle if you don't have a system in place to handle them. Give some thought in advance to how you will handle a request, so that you can respond adequately within the 30-day timeframe and avoid complications or legal repercussions.
Don't procrastinate when receiving a Subject Access Request!
Data breaches
The GDPR sets forth clear guidelines for what must be done in the event of a data breach.
The controller has 72 hours from the discovery of the breach to notify the supervisory authority of the who, what, and why of the breach, as well as the measures being taken to mitigate harm.
In short, a data breach is a serious occurrence that should be avoided at all costs, both to protect the privacy of your users and to protect your company from what will likely be a lengthy, complicated, and costly process of rectifying the failure to secure personal data.
You should have a plan in place in the event of a data breach, and all members of your organization should know to immediately contact your Data Protection Officer in the event that they discover such a breach.
Should this unfortunate event occur, do not delay in contacting the proper authorities or think you can handle it internally. The GDPR clearly states all of the steps that must be taken in the event of a data breach.
You should become familiar with this GDPR requirement and consider the procedures you and your company will take should a data breach occur.
GDPR training
Employees of your company should be trained in the requirements of the GDPR so that everyone understands the guidelines set forth by the new law and the penalties for failing to follow them.
Understanding how to handle personal information, the distribution of duties to complete a Subject Access Request, and how to react to the discovery of a data breach are all things every employee should know how to do in order to protect your company and its users.
You can find many resources online as well as organizations that offer GDPR training.
You should read and understand all aspects of the GDPR that apply to your company. While the goal of this article was to bring you up to speed on some of the major changes of the GDPR, the topics above are not meant to be an exhaustive list of every requirement.
You can find the entirety of the GDPR here.