Aimed at providing a unified method to protect personal data maintained by businesses and organizations in the 28 nations within the European Union, the European Union General Data Protection Regulation (EU GDPR) has been on the books since May 2018. The regulation was created in response to a perceived need to further protect personal data of residents of the European Union — data that today is processed primarily through digitization.
Previously, data protection laws in the EU varied from country to country, a scenario the GDPR looks to change by replacing the Data Protection Directive of 1995 with a more robust regulation that standardizes and strengthens the role and control of data authorities. Before we go any further, let’s make it clear – businesses, no matter their size, that collect personal data of a resident of the EU are subject to the revised GDPR, although some flexibility may be granted to particularly small companies.
While this nutshell explanation of a complicated regulation sounds basic enough, there are many ambiguities inherent to the new “hot topic” rules – in particular, how personal data is defined. Many of the requirements in the GDPR already exist under state, federal and national laws; however, the regulation now places the control of personally identifiable information squarely in the hands of the individual, referred to as the “data subject” under the new GDPR standards.
As with most data breach laws, the information in question is that of the individual rather than the individual’s corporate data. Since personal data is loosely defined by the GDPR, problems can arise. Article 4 (1) of the GDPR characterizes personal data as “any information relating to an identified or identifiable natural person (data subject).” It further defines “natural person” as “one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” This is a generic and far-reaching definition; an argument could be made that any information relating to the individual is in line with the description. GDPR recognizes that a “natural person” can be identified by their characteristics as well as their electronic address, better known as their IP (Internet Protocol) address.
That said, since data breach laws have become so prolific, it is best for businesses to gather only the information needed. For example, in the past, most forms used by doctor’s offices and other medical and professional organizations asked for Social Security or other national identification numbers, color of hair and eyes, and height and weight statistics. Today, that information should be eliminated from personal data forms unless there exists a legitimate purpose for its documentation. When gathering personal data, the individual must provide his approval in a written form. The form cannot just ask to have the individual check a box; the individual must sign a statement each time the company needs to use their personal data.
Since data breach laws have become so prolific, it is best for businesses to gather only the information needed.
Under the revised GDPR, those businesses and organizations that store personal data of a resident of the EU must appoint some type of data protection officer, or at minimum, someone tasked with overseeing the data flow of personal information. Moreover, a data flow chart must be created and tested to ensure data genuinely flows in the way the chart outlines and is free from being breached. Data flow charts are imperative to determine if the personal data is being handled the way it was intended. Personal data needs to be accurate and able to be removed if requested by the individual.
The new regulation also encompasses a “right to erasure” or “right to be forgotten.” This article mandates businesses and organizations to have a process in place for individuals to request elimination of their personal information from company files if the data is no longer relevant. This process must also appear in flow chart form. On appearance, the “right to erasure” seems straightforward; however, the deletion of even a single piece of data could be a complex undertaking as that specific information might have been transferred to other databases, aggregated or shared with third parties.
The “right of access” article specifies that individuals have the right to see how their personal information is being used and to check if the data is accurate. A data retention and destruction process is required under the new GDPR, with disciplinary actions taken if all above stated procedures are not in compliance.
Enforcement is another area where definition comes into play. Authorities in individual European Union nations are responsible for enforcing the GDPR. As such, some member states will take a more hardline stance than others – particularly when it comes to fines. It should be noted that the European Data Protection Board serves as mediator when conflicts occur between member state authorities and regulation guidelines. Data subjects, businesses, organizations and regulators also have the option of seeking a decision in matters of dispute with the European Court of Justice.
Non-compliance with the new regulation can be a costly gamble. There exists a two-tiered approach to fines, with various levels of breach in place. Authorities possess the ability to levy fines of up to 4 percent of a company’s global revenues or $25 million – whichever number is higher – for the most serious infractions. These might include breaching an individual’s data and/or privacy rights, disregard of basic data protection tenets or refusal to observe previous warnings/orders.
Non-compliance with the new regulation can be a costly gamble.
The lower tier carries a 2 percent of annual turnover fine. Secondary tier infringements might include failure to integrate data protection policies into services offered to the public. Businesses that don’t cooperate with a data regulator are likely to fall within this tier, as are those who fail to assign a data protection officer, do not inform data subjects if their information is compromised, or do not maintain sufficient records of processed data.
Furthermore, businesses that are fined for any level of non-compliance may find themselves in a data protection fishbowl and open to further fines unless action is taken to reduce their risk exposure and increase data protection management.
The jury is still out when it comes to how strict regulating authorities will be, given that the new GDPR has been in place for merely a few months.
Businesses have had quite a while to ready themselves for the GDPR, although preparedness is decidedly more of a challenge for some than for others. Large companies, such as financial institutions, have historically been subject to greater levels of data protection regulation, but for the most part, companies are still working toward compliance. In particular, the “right to erasure” requirement can be a major sticking point for small businesses struggling to put the systems and processes to accommodate this mandate in place.
Companies, in general, must have a thorough understanding of the personal data stored and processed, where and how it is stored, and a clear awareness of if/where the information has been transferred or shared. The trend toward even more stringent compliance regulations will continue, and because our economy is global in nature, we will see even greater emphasis placed on compliance and safeguarding of information.