May 21, 2018 • Daniel Monday
Please note: We are not attorneys and the information below does not constitute legal advice. If you are in need of legal assistance, please speak with an attorney. The text below is for informational purposes only.
On May 25th, 2018, The European Union (EU) will undergo the most significant change to data security in the last 20 years. The EU enacted the General Data Protection Regulation (GDPR) as a framework to monitor and govern the collection, processing, storage, and use of personally identifiable information relating to any individual in the EU (including citizens, residents, and visitors) as well as EU citizens living abroad.
The GDPR is a new framework for data protection laws, replacing the dated 1995 data protection directive originally made when the internet was still in its infancy. After four years of negotiation, GDPR was adopted by both the European Parliament and the European Council in April 2016.
GDPR Article 3 notes that a company is subject to the new regulations if it processes personal data of an individual residing in the EU when the data is accessed. GDPR can therefore apply even if no financial transaction occurs. If a company is engaged in monitoring the behavior of EU residents (e.g. tracking and collecting information about EU users to predict online activities), the GDPR will likely apply to that company.
Perhaps the greatest change to the data protection landscape comes with the extended jurisdiction of GDPR. The new scope applies to all companies that process personal data of individuals living in the European Union, regardless of the location of the company. GDPR provides protection to EU citizens no matter where their data ends up.
This means that all companies across the globe whose databases hold the personal data of EU citizens are bound by GDPR. In order to comply, American companies should either (a) block all EU users from accessing the website or (b) have systems in place to ensure compliance.
Effective May 24, 2016, and enforced May 25, 2018, this regulation brings about steep changes to international data security. Among the changes is a list of citizen rights under GDPR, which include the following:
The GDPR applies to “data controllers” and “data processors.” Data controllers determine the means of processing personal data, while data processors are responsible for processing personal data on behalf of a controller. The GDPR places specific legal obligations on data processors, including legal liability for personal data breaches. Data controllers also have specific obligations, including ensuring that contracts with processors comply with GDPR.
Under GDPR Article 4, “personal data” means information relating to an identifiable natural person. A person can be identified from a wide range of information including name, ID number, location data, online identifier or other factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. This includes everything from IP addresses, social media posts, cookie strings, and online contacts to mobile device IDs.
Further, GDPR maintains that companies must have a “valid lawful basis” in order to process personal data. The valid lawful basis is defined below:
Companies need to ensure that data processing activities are carried out in line with the “Data Protection Principles” set out in the GDPR. GDPR Article 5 maintains that personal data shall have the following principles relating to processing:
The changes introduced by the GDPR to the Data Protection Principles are not radical; however, they do consolidate the importance of those principles with respect to data processing activities. In particular, the principles of transparency, data minimization, data integrity, and confidentiality are now clearly defined as Data Protection Principles under GDPR.
The GDPR imposes significant fines for companies that fail to comply. Penalties and fines, defined in GDPR Article 83 and calculated from the company’s global annual turnover of the preceding financial year, can reach up to 4% of turnover or €20 million (whichever is greater) for non-compliance with the GDPR, and 2% or €10 million (whichever is greater) for less important infringements.
It remains to be seen how the regulating authorities will enforce GDPR fines. For now, most U.S. companies that aren’t conducting business in Europe can easily take the steps needed to ensure GDPR compliance. Here at Slamdot, we ensure that the marketing services that we use for our marketing clients are GDPR compliant.