2020 started on a sour note for the Eni Gas e Luce (EGL), an Italian electricity and gas supplying company.
On January 17, 2020, the Italian Supervisory Authority imposed two separate fines of €8.5 million and €3 million on EGL for two different cases of GDPR non-compliance.
The regulatory authorities of GDPR have been busy, indeed.
They have levied more than €114 million in fines for noncompliance in the first 20 months of GDPR in the EU. Facebook and Google are among the companies charged. GDPR compliance has emerged as a challenge for businesses operating globally.
What Is The GDPR All About?
GDPR is about data privacy. Mathematician Clive Humby said in 2006 that data is the new oil. However, it became a buzzword in business circles when The Economist published a report in May 2017: "The world's most valuable resource is no longer oil, but data".
GDPR controls the way businesses generate and use this priceless resource called data. General Data Protection Regulation - that's what GDPR stands for, as we all know. It is applicable across all the EU (European Union) member states.
GDPR also covers the additional European Economic Area (EEA) countries that are not part of the EU. It aims to standardize laws pertaining to data privacy in all the EU and EEA states.
"The right to be forgotten" and the "right to erasure" are two other expressions in use to refer to the GDPR in the EU and EEA countries. This article explains GDPR from an actionable perspective, presenting the ultimate guide for GDPR compliance.
GDPR: A Synoptic Outline
To use the words of the EU's official GDPR overview page, this new European law to protect the data privacy of EU and EEA citizens anywhere in the world is "the toughest privacy and security law in the world."
GDPR has been enacted against the backdrop of an ever-increasing number of people entrusting their personal data to cloud services. Data breaches have also become an everyday affair. GDPR is the EU's response to such breaches.
It lays down standards running into hundreds of pages for organizations to follow. It applies to all businesses, big, medium, or small. It does not matter where on the globe your business has its registered address. Neither does the type of products and/or services you deal with.
If you have an online presence, you are operating in a business environment driven by data. If such data relates to EU or EEA citizens or residents, you have to ensure GDPR compliance. Any failure to comply would lead to tough fines being levied.
The GDPR Has A History
GDPR draws from the right to privacy enshrined in the European Convention on Human Rights, 1950. Europe's first response to the need to protect its citizens' right to privacy in the internet era was the European Data Protection Directive (EDPD) passed in 1995.
The GDPR is an improved, more comprehensive, tighter, and tougher version of the EDPD. It got passed by the European Parliament in 2016 and became applicable across all the EU and EEA states on May 25, 2018.
The Scope of the GDPR
The GDPR applies to any business that has the personal data of EU and EEA citizens and residents. It also applies to all businesses that supply goods and/or services to EU and EEA citizens and residents. The company need not have any physical presence in the EU.
Let us clarify this with an example. You may be a California-based content development company offering your services mainly to companies in California, USA. You will still come under the purview of GDPR if you track and analyze the data of EU visitors to your site.
Article 3 of the GDPR outlines the geographical applicability of the law. It is critical to fully understand the territorial implications. Occasional use by European visitors does not require a non-EU business to be GDPR compliant. Monitoring of personal data of EU and EEA citizens and residents does.
Suppose you are a florist based in Cambridge, Massachusetts. A French youth based in Lyon orders a bouquet of roses online from your shop to be delivered to his girlfriend studying at the Massachusetts Institute of Technology (MIT). For this one order, you need not worry about GDPR compliance.
However, suppose you get similar orders from French and Italian people every now and then. You offer a price list in Euros because you have analyzed such visitors' behavior. That will be interpreted as a sign of data monitoring and will attract fines for GDPR non-compliance.
How The GDPR Interprets Data Monitoring
Simply put, the GDPR interprets the use of web services to track cookies or IP addresses of visitors to a site as behavior monitoring. When such data relate to EU or EEA citizens or residents, you need to be GDPR compliant.
However, the official GDPR overview webpage admits that there is a lack of clarity about how strictly the GDPR regulators will interpret and apply this behavior monitoring provision.
Suppose a group of German golfers visit the golf course that you run in Florida with an almost exclusively local membership. Technically speaking, your golf course would come within the ambit of GDPR. Would the German regulators scan you for compliance?
That is unlikely. However, suppose you start sending promotional materials to those German visitors. They feel pestered and decide to complain. That could cause problems for you. There is a high probability that you will then be interpreted as GDPR non-compliant.
Critical Concepts in the GDPR
Given the acknowledged ambiguity in defining what constitutes data monitoring, it is a good idea to know exactly how the GDPR text defines the central concepts. Here's what you need to know:
The GDPR considers any kind of personal data to be private and protected unless there is a legal necessity to reveal it or the individual concerned has given consent for using the data. The concerned individual must give such consent voluntarily.
Any kind of direct or indirect pressure to secure consent would imply that the consent given was not free. Consent also needs to be informed and specific. That means the individual must clearly understand what kind of data they are giving consent for processing.
It is also important for the consenting subject to clearly know who they are giving permission to. It is critical that the consenting subject expresses consent in writing or through an act. Implicit consent is not enough.
For instance, if someone browses your site without clicking on the "OK" button on your using cookies, you cannot assume that you have their consent. That act of clicking ok is necessary.
The consenting individual must also know that they have a right to withdraw consent at any given point. Also, consent from anyone under the age of 16 needs to be backed by parental consent. Some EU member states may lower the age limit by national law, but not below 13.
The only exemption to the age limit clause applies to services meant exclusively for children. Anything that caters to both children and adults does not enjoy this exemption.
Personal Data :
This is the defining concept of GDPR as the law applies only to personal data. Any information that makes an individual identifiable is considered personal data, taken in the broadest sense possible. Identity includes cultural, genetic, physical, physiological, and social aspects.
However, personal data only applies to individual human entities who are still alive. GDPR does not cover a person who is no longer alive. Corporations or any other organization also do not fall within the ambit of the GDPR's definition of personal data.
The GDPR permits personal data processing only if a company is under the "commissioned data processing" provision. A company needs to secure documented instructions from the data controller for this. The provision requires a company to keep a record of data processing.
A company with permission for commissioned data processing needs to immediately inform the data controller of any changes to data-related policies. Both the data controller and the commissioned company are jointly responsible to ensure GDPR compliance.
However, either party can exculpate themselves by proving that they were not responsible. For instance, if a data breach happens because the commissioned company had failed to communicate with the data controller about a change in policy, the company alone will become responsible.
Right of Access:
An individual has the right to modify the personal data they will allow for processing. An individual also has the right to erasure of all personal data. That is what the right of access means.
➔The kind of personal data to be processed
➔ The purpose of processing personal data
➔ Where the data originates and how it gets processed
➔ Recipients of processed data
➔ Safety measures observed during data transmission
➔ The duration of data storage
➔ An individual's right to rectification, restriction, and erasure of personal data
➔ An individual's right to complain about a privacy breach
Data Protection Officer (DPO):
The GDPR requires all public bodies, other than courts, to appoint a DPO. For private companies, the need for appointing a DPO depends not on the size of the company, but on the kind of data a company collects and processes.
The territorial norms for the need to appoint a DPO are the same as explained before. It is also important to note that some EU member states have specific national laws about DPO appointments.
Section 38 of the German Federal Data Protection Law, for example, has provisions for the appointment of a DPO stricter than the provisions of the GDPR. The French data protection authority CNIL, on the other hand, recommends DPO appointments on a voluntary basis, unless specifically required by the GDPR.
GDPR compliance chances are better when a company ensures that all personal data collected, stored, and processed by the company remains encrypted. That applies only when such data has been collected with expressed consent by an individual.
Simply put, data encryption renders the contained data unreadable to any third party. It, thus, minimizes the chances of data hacking by unintended third parties. The encryption clause is particularly critical for email marketing.
The Right to Erasure and the Right to be Forgotten:
These two are closely connected, but not exactly the same. The right to erasure requires specific action by an individual, but the right to be forgotten does not.
The right to erasure entitles an individual to ask in writing for all personal data to be erased. The concerned company must respond within a month. The right to be forgotten implies that all personal data must automatically be erased once the original purpose gets fulfilled.
The right to be forgotten also requires companies to erase all personal information once the period for which consent was given is over.
Cookies and the GDPR
- Receive explicit user consent except for the cookies strictly necessary for your webpage to function.
- Information on what exactly your cookies will track and for what purpose must be available to the user in jargon-free language.
- You must document and store the consent received from users.
- Users must have easy access to withdraw consent.
Fines And Penalties Under GDPR
The fines and penalties for GDPR non-compliance are harsh, to put it mildly. There are two tiers of penalties, depending on the nature of the violation. Infringements considered less severe may attract a fine of up to €10 million or 2% of the company's global annual revenue from the previous financial year. Infringements considered more serious may attract a fine of up to €20 million or 4% of the company's global revenues in the previous financial year. Whichever is higher applies in both cases.
The parameters to decide the severity of the data breach are;
- Gravity and Nature of the Infringement: what exactly happened, how it happened, why it happened, and how much data of how many individuals got breached.
- Data Category: The kind of personal data that got affected by the infringement.
- Intentionality: Whether the infringement happened by intention or negligence.
- Mitigation Attempts: Whether the company involved took any steps to reduce the impact of the infringement of data.
- Precaution: The degree to which the company had put in place systems for GDPR compliance.
- Previous Record: The firm's history of compliance or non-compliance with data protection laws and policies in place before the GDPR got enacted.
- Certification: Whether the company got a certification as GDPR compliant by applying the necessary codes of conduct.
- Notification and Cooperation: Whether the firm took steps to proactively notify the concerned regulatory authority about the data breach and the extent to which the company cooperates with the regulatory authority during the investigation.
- Other Factors: The financial gains that accrue to the company because of the data infringement, or the amount of financial losses the firm can prevent through the infringement.
Exceptions To GDPR
There are only two exceptions to the applicability of the GDPR. It does not apply to data used for a purely personal purpose that has nothing to do with the functioning of a company. It does not apply to companies with less than 250 employees either. Small companies with less than 250 employees do not enjoy a blanket exemption, though. Such companies need to ensure GDPR compliance if they process the personal data of EU or EEA citizens and residents on a regular basis.
GDPR compliance becomes imperative if a small company has regular transactions with one or more large organizations. The general advice for small companies is to conduct a data protection impact assessment (DPIA). A DPIA is a must for a small company when the company:
- Employs a new technology
- Tracks people's behavior and/or location
- Systematically monitors a large-scale publicly accessible place
- Processes personal data related to ethnic/racial origin, political views, religious beliefs, sex life or sexual orientation, and trade union membership
- Processes biometric or genetic data for identifying a human individual
- Processes data for automated decisions that could have a legal impact or something similar to that
- Processes children's data
- Processes data that could cause physical harm if leaked
You can check out the DPIA template here. However, broadly speaking, small companies with less than 250 employees can remain safe from GDPR penalties if they apply the simple measures listed below:
- Use an encrypted email service
- Implement cybersecurity measures
- Cultivate a cybersecurity culture: train staff about the security measures, monitor how employees maintain the measures and regularly review the cybersecurity measures to ensure adequacy
Brexit and GDPR
As of now, the UK remains within the purview of the GDPR until the transition period ends on 31 December 2020. The UK government has formulated a statute entitled the Data Protection, Privacy, and Electronic Communications (Amendments, etc) (EU Exit) Regulations 2019.
This is likely to develop into a full-fledged UK-GDPR law by the time the transition period ends. However, there is little difference between the GDPR and the UK statute in practical terms.
GDPR May Change in 2020
"Not having control over our data makes us vulnerable." That is what Margrethe Vestager, the Executive Vice President of the European Commission had said in her keynote address at the Data Protection Congress of the International Association for Privacy Professionals. That was in November 2019. The year 2020 is likely to introduce stricter enforcement of the GDPR. Greece, Portugal, and Slovenia have to align their national laws with the GDPR without further delay. However, the EU's new ePrivacy Regulation is likely to be further delayed. Once that comes into force, there will be implications for how cookies currently function. Until that happens, it makes sense for businesses with a global presence to ensure GDPR compliance to avoid paying hefty fines.