If your organization collects EU residents’ personal data and you aren’t compliant with the EU GDPR (General Data Protection Regulation), you’d better get started.
The GDPR, which came into effect on 25 May 2018, introduced strict rules on the way organizations process and store EU residents’ personal data.
Although it is a European regulation, organizations in North America aren’t exempt, because the law’s scope is determined by the data subject, not the location of the organization.
In other words, the rules apply to any organization that deals with EU residents regardless of where their business is based.
Organizations should therefore take steps to determine whether the GDPR is applicable, and if so, revise their data protection processes accordingly.
Let’s take a look at what you need to know and how to get started.
What exactly is personal data?
Before we can get into the GDPR’s requirements, it’s important to understand exactly what they refer to. The Regulation is only concerned with personal data – i.e. information that relates to an identified or identifiable natural person.
The rules don’t apply to company data, intellectual property, test data, etc. Your only concern is with information about real people.
The most obvious examples of personal data are things such as names, Social Security numbers, and email addresses.
However, information is also considered personal data if it can be used alongside other information to identify someone. In those circumstances, details such as a person’s date of birth, phone number or IP address may be considered personal data.
What are the GDPR’s requirements?
The GDPR contains a complex set of requirements that can be broadly summarised by looking at its six data protection principles:
- Lawfulness, fairness, and transparency
Organizations can only process personal data if they have a lawful basis to do so. They must also make it clear to data subjects what that basis is.
So what are those bases? They include needing the information to meet contractual obligations or legal obligations, to protect the vital interests of a data subject or someone else, and to complete tasks in the public interest.
Organizations can also process personal data if they have a legitimate interest to do so (i.e. any commercial or societal reason that isn’t outweighed by the negative effects that the data processing would cause), or if they have the data subject’s consent.
Consent had previously been a widely popular basis for processing personal data, but the GDPR has toughened the rules around obtaining and maintaining it. As such, it should only be sought when no other lawful basis is suitable.
- Purpose limitation
Organizations must be clear with data subjects about how their data is being used, and ensure that the processing activities remain strictly within those guidelines.
You can’t collect data for one purpose and then re-use it for other activities, nor can you hold on to the data once the lawful basis no longer applies.
- Data minimisation
Organizations must ensure that the data they collect is sufficient to properly fulfil the stated purpose, that it has a rational link to that purpose, and that it is limited to what is necessary.
- Accuracy
Organizations must take all reasonable steps to ensure that personal data is correct and up to date.
- Storage limitation
Organizations must remove personal data from their records when there is no longer a reason to keep hold of it.
As part of this process, organizations must document an estimated data retention period when they initially collect the data. This gives them and the data subject a timeframe for how long the data will be stored.
This estimate can be revised later, but organizations must document and justify the change.
- Integrity and confidentiality
Organizations must implement “appropriate technical and organizational measures” to protect the personal data they hold.
This is a complex task that’s made harder by the fact that the Regulation outlines only a few examples of appropriate measures.
Organizations must decide for themselves what risks they face – which they can do with a DPIA (data protection impact assessment) – and justify their reasons for implementing relevant controls.
Those controls must be adopted in line with the GDPR’s requirements for data protection by design and by default. This means ensuring that your technical and organizational measures are at the core of any data processing practices rather than being fitted in around an existing set-up.
What are the consequences of non-compliance?
The GDPR gives supervisory authorities the power to levy fines of up to €20 million (about $22 million) or 4% of the organization’s annual global turnover – whichever is higher.
Fines of this magnitude will be reserved for the worst offenders, but even comparatively modest penalties could lead to long-term financial and reputational damage.
How to meet your compliance requirements
There are two things organizations need to know about GDPR compliance. The first is that there is no one-size-fits-all approach; every business has its own challenges, and what’s right for you might not be right for others.
There are some general truths that can help, though. We’ve outlined many of those in this blog, but it’s also worth pointing out that specific industries will face similar issues.
You can learn more about some of those in our blogs focused on the GDPR in relation to:
The second thing you need to know is that supervisory authorities will be lenient towards organizations that can demonstrate that they’re taking steps towards compliance.
That means if you haven’t already implemented the GDPR’s requirements, you don’t need to panic and rush through the process. It’s better to have a realistic schedule backed by demonstrable results than a series of hurriedly put together practices.
If you want to know where you should begin, we recommend watching our webinar: Do I need to comply with the GDPR?: What North American organizations need to know about data privacy.
This presentation explains the steps you should take to achieve compliance, and provides specific advice for North American organizations, including:
- How the GDPR compares to U.S. and Canadian data protection laws, and how to meet both sets of requirements as effectively as possible
- How the EU-US Privacy Shield fits into the equation
- How North American organizations can transfer personal information in and out of the EU
- Whether you need an EU representative