This article provides a four-step guide to GDPR compliance.
Privacy and data protection may not matter to many outside of Europe. This will change in May 2018 when new EU privacy laws come into force, requiring global businesses with clients in the EU to comply with the General Data Protection Regulation (GDPR).
The primary objectives of the GDPR are to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Who needs to comply?
This new data protection regime will extend the scope of EU data protection law to all foreign companies handling the personal data of EU residents. All organisations collecting and processing the personal data of EU residents must ensure GDPR compliance, irrespective of the business’s physical location.
Even businesses without a physical presence in the EU may have to comply with the new rules.
All businesses with customers in the European Union, or that track the online behaviour of individuals who live in the EU, must abide by the new rules. Businesses with links to Europe need to come up with a strategy to ensure they are GDPR compliant by May 2018. Otherwise they risk hefty fines for non-compliance.
Data protection authorities will have the power to impose fines of up to €20 million or 4% of annual worldwide turnover for any breach of the GDPR.
In addition, any person who has suffered damage as a result of infringement of the GDPR has the right to receive compensation from the data controller or the data processor.
Step 1: What personal data is being collected and processed?
First, identify information that may fall under the scope of the GDPR. A basic understanding of the meaning of “personal data” is needed.
Personal data is broadly defined in the GDPR.
Personal data is any information relating to a natural person who can be identified either directly or indirectly. Personal data may relate to a person’s private, professional, or public life. It can be anything from a name, a photo, an email address, employment details, interactions on social media, medical records, or even an IP address.
Personal data includes for instance:
- Personal details such as the person’s name, address, email
- Financial details such as how much the person earns, credit ratings
- Medical details about a person’s mental or physical health
- Details about a person’s ethnicity, political opinions, religious beliefs, or sexual life
- Images or voice recordings of a person
- Employment details
- IP address of a person that visits a website
- Criminal records or alleged offences
- Biometric data
The GDPR does not apply to personal data that has been anonymised so that an individual can no longer be identified from the information itself.
Step 2: How is personal data collected?
Second, how did your business collect the personal data? Did you collect the information from the individual themselves or a third party?
The GDPR approaches consent more restrictively.
Consent must be specific to distinct purposes for handling personal data. Particular conditions are imposed in the case of children online and for sensitive personal data.
Step 3: Why is personal data collected and processed?
Third, businesses will need to think about the reasons they are collecting and processing personal data.
Reasons may be manifold, such as processing a sales order, administration of staff, complying with laws and regulations, marketing activities, profiling, etc.
Step 4: What is the legal basis for collecting and processing personal data?
Fourth, based on your answer in step 3, on what legal basis does the business handle personal data? Businesses need to be clear about the legal ground or grounds on which they process or hold personal data. The GDPR prohibits the processing of personal data unless there are legal grounds to do so. In other words, just because a business can collect and process data does not mean it is also legally allowed to do so.
Legal grounds for collecting and processing personal data include:
- to perform a contract;
- the individual concerned has given consent;
- the data controller has a legitimate interest;
- statutory obligation to collect and retain information (e.g. employers);
- to perform the lawful function of a public authority; or
- for the protection of vital interests of that person.
Personal data must be handled for specified and explicit purposes. During the life cycle of data, the personal data cannot be further processed in ways that are incompatible with those specific purposes.
GDPR compliance is not a one-off task. It is an ongoing process. Relevant privacy policies should therefore continuously be monitored, reviewed, and most importantly communicated to staff.
Why are privacy standards high in Europe?
In Europe, the protection of natural persons in relation to the processing of personal data is a fundamental right.
Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.
The European understanding of privacy is deeply rooted in human dignity and autonomy. It implies that each person can control and draw the line between their public and private sphere.
The basic idea is that people should be able to control personal data about them, also called “informational self-determination”. This means that individuals have a right to determine when, how, and for what purpose personal information about them is disclosed.
Businesses and institutions need to review their privacy policies and information security procedures to ensure compliance with the new set of European data protection rules.