The rest of the blog posts in the series can be found here:
Your Most Burning Questions About GDPR Answered. Part 2/3
Your Most Burning Questions About GDPR Answered. Part 3/3
Recent studies investigating readiness for GDPR are not optimistic. A survey published in November 2017 by cloud security firm HyTrust showed that only 22% of US organisations are concerned about GDPR and have a plan in place.
You might assume that things look better in Europe, but in fact they don’t. With May 25 just a few months away (when the regulation comes into effect), 60% of EU-based respondents to a survey by Varonis Systems said they face serious challenges in being GDPR-compliant. Considering the very heavy fines for not meeting GDPR requirements, this is a worrying state of affairs.
That’s why we decided to gather the most common questions about GDPR and answer them in a series of blog posts. We hope that this will help you speed up your preparations for the new EU Regulation.
Here they are:
GDPR (the General Data Protection Regulation) is a Regulation prepared by the European Parliament, the Council of the European Union, and the European Commission. It’s intended to replace the 1995 European Data Protection Directive (95/46/EC). The idea behind GDPR is to provide individuals with full control over their personal data, as well as to strengthen and unify the rules governing data collection from individuals within the European Union.
Additional reading: General Data Protection Regulation (GDPR): Actionable Facts and Steps to Follow
The text of GDPR is available here.
GDPR enters into force on 25 May, 2018.
Article 4.1 of the General Data Protection Regulation defines personal data like this:
[…] “Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
The Regulation significantly expands the definition of personal data in Directive 95/46/EC. For instance, GDPR treats online identifiers and location data as personal data, and thus demands they be protected in the same way as other identifiers, like information on the genetic, economic, or psychological identity of a data subject. What’s more, it includes cookies as one of the online identifiers.
GDPR states that all cookies (including pseudonymous ones) can be considered personal data if there is any potential to use them to single out or identify an individual. This is detailed in Recital 30 of the new law:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them”.
The territorial scope of the new regulation is quite broad. GDPR will impact not only EU-based entities, but virtually every business dealing with customers (a.k.a. data subjects) within the European Union – both data controllers (like companies) and data processors (like cloud-software vendors).
Yes, you do. If you want to process data about your users, you’ll need to get their permission first. As Article 4.11 of the Regulation says:
“[…] Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Under the new rules, just visiting your website for the first time won’t qualify as consent for processing visitors’ data, even if you provide them with information like: “By using this site, you accept cookies”.
If there’s no truly free choice and affirmative action, it won’t count as consent.
However, it turns out that not every type of data processing will require consent from your users. The ePrivacy Regulation (Regulation on Privacy and Electronic Communications) in its most recent form makes an exception for personal data used for web analytics purposes. So, if you’ve installed a web analytics tool and you use the collected data only to assess the performance of your website, you probably don’t need to worry about this part (we’re still waiting for a final legal opinion on that).
However, if you push your analytics data to other marketing and advertising platforms (like a DSP or DMP), create remarketing campaigns (for instance using Facebook, LinkedIn or Twitter remarketing pixels), install tracking codes on your website or personalize its content based on your users’ behavior, you’ll need to get consent for each of these activities.
You may be wondering how to resolve these issues.
The text of the regulation doesn’t give specific instructions for acquiring permission to process personal data. However, GDPR lists examples of “affirmative actions” indicating consent. These include:
- choosing technical settings for information society services,
- ticking a box on a website, or
- another statement or conduct clarifying the indication of consent.
We think that the best way to tackle the issue is by using a pop-up shown when the user visits the website for the first time. PageFair has created a great example of what it could look like:
What makes it GDPR-compliant is that it:
- lists every purpose for which personal data will be used
- requires an action on the user’s end (after all, they have to click the box if they want to consent)
Additional reading: [Infographic] How to Collect and Process Data Under GDPR?
GDPR imposes two levels of fines:
1) The first level is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher.
2) The second level is up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher.
What’s important is that supervisory authorities are empowered to impose administrative fines on both data controllers and data processors. Fines can be imposed instead of or in addition to other measures ordered by supervisory authorities.
Additional reading: Fines and Penalties – by gdpreu.org
As you probably know, GDPR is a high-level regulation addressing the processing of every possible form of personal data. That said, it also contains a couple of specific demands. We can list the following obligations set out in GDPR:
GDPR defines pseudonymization in Article 4.5:
“the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.”
However, although Recital 28 recognizes that pseudonymization “can reduce risks to the data subjects,” it’s not considered a sufficient technique to exempt data from the scope of the regulation.
Recital 26 states that:
“Personal data which have undergone pseudonymization, which could be attributed to a natural person by the use of additional information, should be considered to be information on an identifiable natural person.”
In layman’s terms: this means that pseudonymized data is still considered personal data, and needs to be handled in a manner consistent with the provisions of GDPR.
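To make the Article 4.5 definition concrete, here is an added example (not code from the original post) that pseudonymizes customer records with a keyed HMAC-SHA256 and keeps the key, the “additional information”, in a separate store. The records, key-vault class and function names are constructed for illustration; the point it demonstrates is that whoever holds the separately kept key can still attribute a token to a person, which is exactly why Recital 26 keeps such data within scope.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed sample records (fictional people), as a controller might hold them.
RAW_RECORDS = [
    {"email": "alice@example.org", "country": "FR", "pages_viewed": 12},
    {"email": "bob@example.net", "country": "DE", "pages_viewed": 3},
]


@dataclass
class KeyVault:
    """The Art. 4.5 'additional information': stored apart from the pseudonymized data,
    under its own access controls (modelled here as a separate object)."""
    key: bytes


def new_vault() -> KeyVault:
    # 256-bit random key; losing it makes the tokens unlinkable, leaking it re-identifies them.
    return KeyVault(key=secrets.token_bytes(32))


def pseudonym(identifier: str, vault: KeyVault) -> str:
    # Keyed HMAC rather than a plain hash: without the key the token cannot be linked
    # back to the identifier, while the same identifier always yields the same token,
    # which is what analytics needs to count a returning visitor.
    return hmac.new(vault.key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymize(records: list[dict], vault: KeyVault) -> list[dict]:
    """Replace the direct identifier (email) with a keyed token; keep the analytic fields."""
    return [
        {"subject_id": pseudonym(r["email"], vault),
         "country": r["country"],
         "pages_viewed": r["pages_viewed"]}
        for r in records
    ]


def can_attribute(subject_id: str, candidate_email: str, vault: KeyVault) -> bool:
    """Recital 26 in code: with the separately kept key, a token is attributable to a
    known person, so the pseudonymized record is still personal data."""
    return hmac.compare_digest(subject_id, pseudonym(candidate_email, vault))


if __name__ == "__main__":
    vault = new_vault()
    for rec in pseudonymize(RAW_RECORDS, vault):
        print(rec)
    # True for the key holder, False for anyone with a different key.
    token = pseudonym("alice@example.org", vault)
    print(can_attribute(token, "alice@example.org", vault), can_attribute(token, "alice@example.org", new_vault()))
```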
GDPR also establishes the obligation to report a data breach to the supervisory authorities and affected data subjects within 72 hours. This obligation is contained in Article 34 of the GDPR which says that:
“When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay”.
Under the new regulation, most organizations will need to set up alerts to not only passively review security procedures, but also to wake someone up in case of trouble during the night. The affected organization should also set procedures in motion to correct these security issues, and decide if they should declare a data breach, as well as document their decision.
GDPR also introduces obligations related to data protection impact assessments (DPIAs). Article 35 states that:
“In order to enhance compliance with this Regulation where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk”.
Later in that article we can find the following guidelines on performing DPIAs:
“That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with this Regulation”.
This means that if you want to process personal data, you need to set up a reliable chain of responsibility between you and your technology provider, and include it in Data Processing Agreements (DPAs). This keeps you on the same page as your technology provider, and you both know what’s expected of you under the new laws.
You can find more guidelines on handling DPAs with your business partners in the guidance of the Article 29 Data Protection Working Party, a group made up of the national data protection regulators from each country in the European Union.
Additional reading: ARTICLE 29 Data Protection Working Party.
The “data minimization” principle is contained in paragraph 1 (c) of Article 5, which emphasizes that:
“personal data shall be adequate, relevant and limited in what is necessary in relation to the purposes for which they are processed”.
Not sure what this means? Among the requirements imposed by GDPR, it demands that companies collect data about their customers only if it serves a specific purpose. What’s more, the data should be up-to-date, accurate, relevant, and its use should be accepted by each individual.
This obligation may result in many positive changes. For instance, it eliminates situations in which companies collect every available piece of information about their customers they can find, leading to databases full of useless data.
Important note: we also have to remember ePrivacy, a Regulation that fills many of the gaps GDPR leaves around digital marketing and other digital activities. You can read about it in this blog post.
Keep in mind that GDPR impacts every business dealing with clients from the EU, not only companies based within the European Union. If your company does any form of trade with customers within the EU, then GDPR rules will apply to you if you store, process or share EU citizens’ personal data. This is true regardless of where your business is located.
We hope that our answers have helped dispel some of your doubts about getting ready for GDPR. However, if your questions are not on our list, don’t worry. In the weeks to come we will answer many more. Stay tuned!
But if you need answers right now, our team is always happy to help! Feel free to drop us a line anytime you want.