GDPR here and GDPR there, but what is it? Well, in short, it’s the General Data Protection Regulation, a new European regulation on personal data protection that goes into effect on 25 May 2018. In this FAQ I set out the important points and what you need to know about the GDPR.
What does it do?
It regulates how personal data can be processed by private businesses, state administration and other organisations. “Processing” includes anything related to the collection, aggregation, mining or sharing of data. The GDPR also requires that personal data be stored and processed securely.
Who is it for?
The GDPR is designed to protect the personal data of everyone who lives in the European Union. The regulation aims to create one standard for all European countries, simplifying doing business across the continent. Some companies choose to apply its rules more widely than the law requires.
Who is responsible for enforcing the rules?
The European Union and its Member States are responsible for enforcing the GDPR. Each country is required to set up an independent public Data Protection Authority (DPA) to make sure that the GDPR is being applied, to handle complaints lodged by individuals, to impose fines when necessary, to approve codes of conduct, and to raise awareness (e.g. by running educational campaigns). Direct complaints by individuals about companies or organisations will be handled by the Data Protection Authorities and national courts, in consultation with the European Court of Justice where necessary.
Who has to comply?
The regulation will be applied directly and equally in all 28 European Union countries, to all private businesses, state administration and other organisations that hold and process personal data. These entities have had over two years – since 27 April 2016 – to prepare for compliance.
But the regulation also applies to companies and organisations operating outside the EU. If a company or organisation processes the personal data of individuals living within the EU, it has to comply with the GDPR – no matter where that company or organisation is based.
Where do I find more information about GDPR?
The website of your national Data Protection Authority should have more detailed information, as well as guidelines and practical tips.
The British Information Commissioner’s Office provides accessible and comprehensive information in English.
Will there be additions or changes to the GDPR in the near future?
It is unlikely that new legislation will be introduced in the near future; however, we can expect the GDPR to be clarified over the next few years through guidelines developed by DPAs, litigation, and precedents.
The EU is also currently working on a new regulation called ePrivacy, which will complement the GDPR when it comes to data processed online.
Who does not have to comply?
Certain state bodies, including intelligence agencies, the police and the courts, will be governed by separate national rules.
Individuals are exempt if they are collecting data for ‘personal or domestic use’ – for example, if they store personal contact details on their phone.
Churches can maintain their own regulations for the protection of personal data and their own bodies supervising this area – but their rules must still be in line with the GDPR.
What are the changes and what’s new?
Though the GDPR is more of an evolution than a revolution of existing EU rules, it nonetheless includes some substantial changes to what came before. Among other things, the new regulation:
- Grants individuals some new rights (e.g. the right to move your own data from one company or service to another, and the right to request a copy of the data a company or organisation holds on you) and requires companies and organisations to be more transparent (e.g. they need to inform you where the data they are processing comes from and for what purposes it is being processed, and they need to inform you if you are being profiled).
- Makes it easier to enforce the law effectively (e.g. by fining companies or organisations, or by allowing individuals to go directly to court in the case of a violation).
- Simplifies the rules by applying exactly the same law in all EU countries, while offering more flexibility in how businesses actually comply with the law.
What is personal data?
Personal data is at the heart of the GDPR – the regulation does not apply to all the data companies have.
Personal data is any information that can be linked to an identifiable individual. Since the identification of an individual can often be done by putting different pieces of information together (even without a name attached), what counts as personal data can be quite broad. A shoe size, a hobby or an image, for example, could all be classified as personal data if it’s possible to identify which person these bits of information apply to.
Note too that it doesn’t necessarily have to be the data controllers themselves – the companies or organisations processing the data – who are capable of identification.
How should we respond in case of a data breach?
Under the GDPR, you need to report any breach to the Data Protection Authority generally within 72 hours of becoming aware of it. You also have to inform the individuals whose data you have processed, when it is likely that the breach could have a negative impact on them – for example, if financial data is leaked, or if unauthorised persons might have access to their medical information.
How can we ensure the data we process is properly secured?
Your organisational action plan to secure the data you have will depend on a wide range of factors: for example the types of data you store, how sensitive it is, how much you have, how complex your digital infrastructure is, and whether you have in-house digital security knowledge or choose to outsource. At a minimum, however, you should take the following steps:
- List what personal data you hold and map out where you store this data.
- Do a risk assessment, pinpointing the most likely sources of unauthorised access or leaks.
- Implement a data protection action plan that builds on your risk assessment and includes: data minimisation (collect, process and store only the data you absolutely need); access control (limit who has access to personal data); storage security (where do you store personal and/or sensitive data? Is it stored separately from non-personal/non-sensitive data? Is it stored encrypted?); staff digital hygiene; and a data retention, archiving and deletion policy.
- Test the security of systems that store personal data (servers, email, archives etc.).
- Write down all the actions you have taken to protect the personal data you have.
- Set up and test a data breach action plan, which should include roles and responsibilities, reporting to the DPA, and so on.
- Put together a plan for periodically revisiting these steps.
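As an added illustration of the steps above (this is example code written for this FAQ, not a tool from any DPA), the check below walks a small personal-data inventory and flags the three things the action plan asks about: sensitive data stored unencrypted, sensitive data kept in the same store as non-sensitive data, and data held past its retention period. The inventory records, store names and retention periods are constructed for the example.

```python
# Added example: review a constructed personal-data inventory against the
# minimum steps in the FAQ (data map, storage security, retention policy).
from dataclasses import dataclass
from datetime import date, timedelta

# Categories the FAQ singles out as needing greater protection (health,
# payment details etc.). Extend to match your own risk assessment.
SENSITIVE = {"health", "payment", "religion", "sexuality", "biometric"}

@dataclass
class Asset:
    name: str             # dataset, e.g. "patient_records"
    store: str            # where it lives, e.g. "db-main"
    categories: set       # categories of personal data it contains
    encrypted: bool       # stored encrypted at rest?
    last_used: date       # last date the data was needed for its purpose
    retention_days: int   # how long the retention policy allows keeping it

def review(assets, today):
    """Return a list of (asset name, finding) pairs that need action."""
    findings = []
    by_store = {}
    for a in assets:
        by_store.setdefault(a.store, []).append(a)
    for a in assets:
        sensitive = a.categories & SENSITIVE
        if sensitive and not a.encrypted:
            findings.append((a.name, "sensitive data stored unencrypted: "
                             + ", ".join(sorted(sensitive))))
        # Storage security: is sensitive data mixed with non-sensitive data?
        if sensitive and any(not (o.categories & SENSITIVE) for o in by_store[a.store]):
            findings.append((a.name, f"sensitive data co-located with non-sensitive data in {a.store}"))
        # Retention policy: delete or archive data you no longer need.
        if today - a.last_used > timedelta(days=a.retention_days):
            findings.append((a.name, "retention period exceeded; delete or archive"))
    return findings

# Constructed inventory for the example (not real data).
INVENTORY = [
    Asset("patient_records", "db-main", {"name", "health"}, False, date(2018, 3, 1), 365),
    Asset("newsletter_list", "db-main", {"email"}, True, date(2018, 5, 1), 730),
    Asset("old_orders", "archive", {"name", "address", "payment"}, True, date(2015, 1, 1), 730),
]

def run_example():
    # Reviewed as of the day the GDPR goes into effect.
    return review(INVENTORY, date(2018, 5, 25))

if __name__ == "__main__":
    for name, finding in run_example():
        print(f"{name}: {finding}")
```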
What risk do we run if we don’t implement the GDPR correctly?
You run the risk of being fined by a national Data Protection Authority; you could also be sued directly by an individual if you have violated that person’s rights. However, perhaps the greatest risk lies in losing your customers’ trust. Surveys show that most people want to be sure that their data is not abused, and are increasingly concerned about the protection of their privacy.
Is there a minimum approach?
The GDPR is primarily concerned with a risk assessment that every company or organisation does for itself, not about “one size fits all” solutions. A starting point should be understanding the importance of people’s right to control information about themselves, and your responsibility for making sure that when people use your services, this right is upheld. Guidelines issued by the Article 29 Working Party offer examples of good and bad practices. You should find useful guidelines on the website of your national Data Protection Authority as well.
Some bots scan websites and apps looking for possible problems; you can exclude several pages from such scans through the robots.txt file, which well-behaved crawlers honour.
Can I get a fine? And how will fines be applied?
If you do not comply with the GDPR, the Data Protection Authority can give you a fine. This could be the result of either a complaint lodged by an individual or an investigation initiated by the DPA itself.
The Data Protection Authority has to make sure that the fine in each individual case is effective, proportionate, and dissuasive. The DPA will take into consideration, among other things, the nature and gravity of the infringement; the level of negligence involved; whether you have taken any actions to mitigate the damage; and the budget of your company or organisation.
Fines can go up to a maximum of 4% of an organisation’s annual turnover or up to 20 million EUR – whichever figure is higher.
Is the GDPR enough?
As a company or organisation, it’s up to you to evaluate this, looking specifically at the nature of your business model and the privacy risks associated with it. A good place to start is the website of your national Data Protection Authority, which is likely to have useful tips and guidelines.
How do I know if I’m ready?
At a minimum, you should be able to answer YES to the following questions:
- Have we mapped out what personal data we process, and for what purposes?
- Can we justify the processing of each category of data (i.e. name the legal basis that underpins our right to do so)?
- Do we provide information to our users/clients about how we process personal data?
- Have we made sure the data is stored securely and cannot be accessed by unauthorised persons?
- Have we put procedures in place for deleting data we no longer need?
- Do we know what to do when an individual decides to use his or her rights under the GDPR, such as the right to get a copy of their data?
- Have we mapped out the level and source of any risks that relate to the ways in which we process data? Have we taken steps to mitigate these risks?
- Do we have a response procedure in place in the event of an unauthorised person gaining access to personal data?
- Have we made sure everyone in the company/organisation knows the correct procedures for processing and securing personal data?
- Do we have a plan in place for periodically re-evaluating our data processing practices?
Do I need to register somewhere?
No. In contrast with the EU Data Protection Directive of 1995, the GDPR does not require you to register your databases with the Data Protection Authority (DPA). However, if you appoint a data protection officer in your company, you should send the DPA his or her contact details.
Under the GDPR, you need to appoint a data protection officer if:
- you are a public body (e.g. ministry, school, public hospital);
- your business involves regular and systematic monitoring of people’s data on a large scale (e.g. big tech companies, or companies that do credit scoring or video surveillance); or
- you process sensitive data on a large scale (e.g. hospitals).
Does it mean I can ‘delete’ myself?
Not quite. You can’t delete all your personal data whenever you want to. But you can ask to have your data deleted in a few specific situations – for example, if a company or organisation no longer needs it in order to provide the service you are using, or if you decide to withdraw your consent. However, even in such cases, companies or organisations may still have viable reasons to keep your data, for example for tax purposes or to protect themselves from possible future claims.
Do I need to do anything?
No. It’s up to companies and organisations to make sure that your personal data is protected. There are, however, still decisions you’ll need to make.
- For new services you want to use: if the company is asking you to give them data, do you really want to agree? (If the service only processes necessary data, they are required to inform you but do not need to ask for special consent to do so. They do, however, need to ask for explicit consent when they want data that’s not necessary.)
- For the services you’re using at the moment: are you still comfortable with the way the company or organisation collects, analyses and shares your personal data? If you no longer agree, you can simply say “no”.
Finally: if you think your rights are not being upheld, you can decide to report it to your DPA, or even challenge the company in court.
How will these rights be enforced?
Each country will have an independent public Data Protection Authority (DPA) to ensure that companies are in compliance with the regulation. You have the right to lodge a complaint with your DPA or to go to court if you feel that your rights have been violated.
What are the rights under the GDPR?
1. You have the right to information.
- Companies and organisations are now required to communicate to you, in plain and accessible language, what personal data they process and how they use it. (“Processing” includes anything related to the collection, aggregation, mining or sharing of data.)
- If a company or organisation builds a profile on you (e.g. from data matched up from different sources), you have the right to know what’s in this profile.
2. You have the right to secure handling.
The GDPR regulates that personal data should be stored and processed securely.
3. You have the right to access the personal data a company or organisation holds on you, at any time.
- If the data is inaccurate, you can change or complete it.
- If the data is no longer necessary, you can ask the company or organisation to delete it.
- If you initially gave the company or organisation more data than was necessary for receiving the service (e.g. for marketing purposes), but no longer want them to have this data, you can ask them to delete it.
4. You have the right to use a service without giving away additional data.
If a company or organisation wants to process personal data that is not strictly necessary for the provision of a particular service (e.g. a transport app that wants access to your phone’s contact list), they need to get your explicit consent to process that data. Note that even if a company or organisation believes that certain data is in their interest to process, this does not always mean that it is necessary. If you have already consented to the processing of additional data, you can always withdraw this consent.
5. With automated decisions, you have the right to an explanation and human intervention.
- If a decision has been made about you through automatic mechanisms, you have the right to know how the decision was made, i.e. you are entitled to an explanation of the logic behind the mechanism used.
- When it comes to automated decision-making, you have a right to human intervention, and the right to contest any decision made.
Can I talk to companies about their use of my data?
Absolutely! The GDPR requires that companies and organisations respond to questions about personal data. This includes whether or not they process your personal data in the first place, and if so for what purpose, how long it will be stored, and with whom it is shared. And if you ever change your mind about what you have consented to or accepted, companies and organisations are also required not only to make it easy for you to communicate this choice but also to act upon it.
What can I do if a company or organisation is using my personal data against my will?
It may be useful to contact the company or organisation itself first. Regardless of whether you do that, however, you can also file a complaint with your national Data Protection Authority – even if the company or organisation does not have an office in your country. And if you’re not satisfied with the DPA’s decision, you can take the company or organisation to court.
You can also skip the DPA and go directly to court if you feel your rights have been violated.
If as a result of a violation you have suffered material or non-material damage, you can seek financial compensation.
Third parties, such as consumer protection agencies, digital rights foundations or other interest groups, could also litigate on behalf of you and others.
Why are some companies or organisations critical of the GDPR?
Many companies and organisations have become used to treating your data as a ‘free resource’ – something they could take without asking permission and exploit for their own financial gain; something they could collect without limit, without protecting it. The GDPR is a powerful tool to force companies to re-evaluate the risks involved – not just to the individuals whose data they process, but also to themselves, in terms of fines and loss of customer trust – and to treat your data with the common-sense care and respect that should really have been in place from the beginning.
Does the GDPR apply to the data my employer has on me?
Yes. Your employer, like any other organisation that processes data, has to conform to the GDPR. However, each EU member state can adopt more specific rules when it comes to the employment relationship. If you’re interested in this, you should look for more information on your national Data Protection Authority’s website.
Does the GDPR apply to US companies or organisations?
Yes. As soon as a company or organisation monitors or tracks the behaviour of internet users on EU territory, the regulation will kick in – no matter where the company or organisation is based.
How do I implement the GDPR?
Taking into account the wide variety of factors that come into play when a company or organisation processes personal data, the GDPR is not a one-size-fits-all checklist of implementation measures.
In general terms, the GDPR offers individuals (or “data subjects”) certain rights, and you need to make sure that you are able to uphold these rights. At a basic level, you will need to get to know the ins and outs of what data you process and how you process it, and assess what risks this poses to the data subjects. Generally speaking, the higher the risk, the more you will have to do to protect the data; if you store sensitive personal data (related to health, sexuality etc.) or payment details, you have a greater responsibility to protect it than if you have data on people’s shoe sizes.
To make sure your company or organisation is in compliance with the GDPR, you should start by assessing your current data practices and procedures (map all your data flows), then evaluate these and adapt them as needed to fulfil the requirements of the GDPR. Document your reasoning and actions; then make sure to monitor and periodically review your practices.
Does Facebook apply GDPR?
Yes, as part of its GDPR preparation, Facebook will inform its more than two billion users over the next few weeks about how it handles their data collected from its partners for targeted ads as well as their political, religious, and relationship information shared on their profile. Additionally, users will be informed how Facebook uses its facial recognition system and will receive updates to the site’s terms of service and data policy announced last month.
Facebook joins other tech companies in applying the GDPR globally, including Apple, which launched a new Data and Privacy website to comply with the new GDPR rules, and Microsoft, which recently vowed to implement the GDPR policies not only in Europe but also globally.