The General Data Protection Regulation and How to Apply It

We are living in the age of big data. Our smartphones, apps, and even machines generate massive amounts of information, and storage capacity is cheaper than ever. These are two factors that explain the emergence of Business Intelligence: the science that extracts commercial insights from data, and makes companies grow. But we should not forget that data is about people, and that brings responsibilities, both ethical and legal.

A Brief History of the GDPR

Before 1995, we were living in a world without social media and cloud storage, and only about 1% of the European population had access to the Internet. That's why the Data Protection Directive of 1995, established to protect European citizens' privacy rights, had to be updated. After four years of preparation and debate, the General Data Protection Regulation (GDPR) was approved by the European Parliament in April 2016. It superseded the 1995 Data Protection Directive. The GDPR will go into effect in May 2018.

What Is the GDPR?

The GDPR aims to protect all EU citizens from privacy and data breaches in an increasingly data-driven world. Its goal is to give Europeans more control over their own private information in a digitized world of smartphones, social media, internet banking and global transfers.

The GDPR focuses on:

  1. Reinforcing individuals' rights
  2. Strengthening the European internal market
  3. Ensuring stronger enforcement of the rules
  4. Streamlining international transfers of personal data
  5. Setting global data protection standards.

These changes will give people more control over their personal data and make it easier to access it. They are designed to make sure that personal information is protected - no matter where it is sent, processed or stored - even outside the European Union, as is the case on the Internet.

What Is Personal Data?

You may not be sure if the GDPR applies to you. Chances are, it does! After all, the GDPR scope of personal data is very broad. Personal data is defined as any information relating to an identified or identifiable person. A person is considered identifiable if he can be directly or indirectly identified.

This is already the case when an identifier is used. Examples of identifiers are: a name, an identification number, a person’s location data, or an IP address. Moreover, a person is also identifiable if one or more facts are gathered that are characteristic of his physical, physiological, genetic, mental, economic, cultural, or social identity.

In fact, it does not take much at all for data to be considered personal data.  Unintended or deliberate combinations of items of non-identifiable data may cause the data to become identifiable.

The rules and obligations of the GDPR apply as soon as data begins being processed. The GDPR defines processing as performing any action or set of actions on data, automated or otherwise. Some examples include recording, structuring, or even destroying data. In other words, whenever you handle personal data, the GDPR applies.

Strong Enforcement of the Rules

Each organization is obligated to demonstrate their compliance in a number of ways. They must prove staff have undergone proper training. Organizations also need to remember that personal data is not only customers' and clients' data but also their employees' personal data. Anyone who anonymizes data is still bound by the law, because they have access to the data in the first place.

Data processors have been given until May 25, 2018 to switch to a data processing method that complies with all the GDPR requirements and standards. After that date, organizations will be held responsible for any violations. Failure to comply can lead to severe penalties of either up to 4% of the company's annual global turnover or 20 million Euro.

This is the maximum fine that can be imposed for the most serious infringements. There is a tiered approach to fines. A company can be fined 2% for not having their records in order, or not notifying the supervising authority and impacted person about a breach. Failure to conduct an assessment is also liable for the same fine.

There Is a Silver Lining

Complying with these rules does have benefits. Doing business in the European countries will be less expensive and complicated as all countries have the same rules. This harmonization is expected to save businesses up to 2.3 billion Euro per year. Also, the GDPR can lead to enhanced client satisfaction, and new clients will be attracted to a company that is known for respecting their clients’ privacy.

Relevant for Everyone who Trades with EU Countries

The GDPR applies to all companies processing the personal data of individuals residing in the European Union. This is regardless of the company’s location. Exceptions are made for processing that falls outside the scope of European legislation or when personal data is processed by competent authorities in order to fight crime. Furthermore, the regulation does not apply in the event that a person has died.

The GDPR is Based on 6 Principles

The principles of the GDPR are focused on the privacy rights of every individual when it comes to collecting and processing their data:

  1. Lawfulness, Fairness, and Transparency: This principle dictates that personal data needs to be processed in a way that is lawful to the subject.
  2. Purpose Limitation: The data processors can only use the data for the objectives they’ve explicitly described and justified.
  3. Data Minimization: The information that is required must be relevant to its purpose and limited to what is necessary.
  4. Truth and Accuracy: If some of the data is inaccurate, it should be removed or rectified.
  5. Storage Limitation: Data is kept in a form which permits identification of persons for no longer than is necessary.
  6. Integrity and Confidentiality: All required measures must be taken to ensure all personal data is protected.

6 Privacy Rights

The number of rights assigned to individuals has been extended under the GDPR. These include:

  1. The right of a person to be informed when personal data relating to him is gathered.
  2. The right of inspection.
  3. The right to obtain the erasure of personal data (the right to be forgotten).
  4. The right to processing restrictions.
  5. A person's right to have his data transferred to other data processors.
  6. The right not to be subject to a decision based solely on automated processing, including profiling.

Any breach of these rights qualifies for sanctions. It is therefore essential to set up procedures for complying with these principles and rights. You must be able to demonstrate these procedures.

The Right to be Forgotten

The previously mentioned 'right to be forgotten' needs some clarification. When an individual no longer wants his data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted.

It should be clear, this is about protecting the privacy of the individual, not about erasing past events or restricting freedom of the press. Freedom of expression, as well as historical and scientific research are safeguarded. For example, no politician will be able to delete their remarks from the World Wide Web. This will allow news websites to continue operating as they have before.

International Organizations: These Rules Apply

International organizations need to take notice. Personal data is only to be transferred to a third-country if an adequate level of protection is ensured. Third countries should be governed according to the rule of law, and respect human rights and fundamental freedoms. Moreover, transfers are subject to appropriate safeguards.

The GDPR also brings some new obligations to controllers. The regulation describes a controller as 'a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means for the processing of personal data'. Controllers are obliged to keep a record of the following data:

1.           The name and contact details of the controller and of the data processing officer appointed by the controller, as well as the processor, if applicable.

2.           The processing objectives.

3.           A description of the categories of personal data.

4.           The categories of recipients to whom personal data has been or will be supplied, including when these are international organizations or located in third countries.

5.           The third country or international organization to which the controller transferred personal data and the documents concerning appropriate safeguards for governance.

6.           The envisaged periods of time within which the different categories of personal data must be deleted.

7.           A general description of the technical and organizational security measures.

Controllers are not the only ones who are obliged to keep these records. People who support controllers' tasks, like IT professionals for example, need to oblige too.

The GDPR Cites 'Privacy by Design' and by 'Default'

The GDPR explicitly cites the concepts 'privacy by design' and 'privacy by default'. The controller is obliged to implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose are processed. That obligation applies to the amount of personal data collected, the extent of the processing, the period of storage, and accessibility. Such measures must ensure that personal data are not made accessible to an indefinite number of people, without the individual’s intervention.

What the GDPR Means for You

There are plenty of challenges ahead. We can only advise you to draw up a sound strategic plan. Produce a proper inventory in advance of the tasks to be completed and the time needed to implement the plan. Develop in-house connections with people who can provide you with partial assistance. Produce a realistic and pragmatic project plan.

Of course, all personnel dealing with customer data will need to be aware of their responsibility in safeguarding its privacy and security. Specifically, Privacy Officers, Compliance Officers, Security Officers and Business Continuity Managers will need to understand and put into practice the GDPR requirements.

Do You Need a Data Protection Officer?

A Data Protection Officer can help you make the transition by supporting, advising, and monitoring implementation and security for personal data processing. The ideal candidate might be described as a cross between an IT security expert and a lawyer.

According to the GDPR, you are not necessarily obliged to appoint such an officer. It is an independent position. All in all, it may be more practical to train your own people in GDPR relevant skills.

How EXIN Can Help
The EXIN Privacy & Data Protection program covers the required knowledge of regulations relating to data protection. It will certify professionals with the required level of knowledge to face these opportunities. Some topics the program addresses are:

  1. European Privacy Law
  2. Sensitivity to Privacy Issues
  3. Privacy and Security

The EXIN Privacy & Data Protection program expands your portfolio with a subject in high demand. This certification will strengthen your career opportunities and credibility in your field. Both you and your employer will reap the benefits!

Some Useful Links

Official GDPR document

Press release EXIN Privacy & Data Protection

Whitepaper on GDPR compliance