- What is GDPR?
The General Data Protection Regulation (GDPR) is a European Union (EU) regulation, which replaces the Data Protection Directive 95/46/EC. The GDPR is intended to harmonize the patchwork of data privacy laws across its member states. The objective of GDPR is to protect all EU residents from privacy and data breaches in an increasingly data-driven world. The GDPR seeks to accomplish its objective by providing certain rights and freedoms to EU residents in relation to the processing of their personal data.
- Why was GDPR adopted?
The GDPR was adopted by the EU Parliament to:
- Create consistency within all the member states of the EU as to the rules regarding data protection, implementation of the law, and how the rules are enforced
- Modernize the principles laid out in the 1995 Data Protection Directive (Directive 95/46/EC), which was written before the advent of social media, “smart” mobile devices that now can access things like cameras and geolocation information, and the ubiquity of online services and communications
- Reinforce the rights of individuals to control and protect their personal data
- Strengthen the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards.
- When will GDPR take effect?
The GDPR is currently scheduled to be effective on May 25, 2018.
- Who does GDPR apply to?
The GDPR applies to:
- Organizations located within the EU;
- Organizations located outside of the EU if they offer goods or services to (even for free), or monitor the behaviour of, EU residents;
- Organizations processing and holding personal data of EU residents, regardless of the organization’s location.
- How does GDPR affect my business?
Here are a few things to consider regarding how GDPR will affect your business:
- Data processor or data controller: A controller is an organization that determines the purposes, conditions, and means of the processing of personal data. A processor is an organization that processes personal data on behalf of the controller. For example, if you’re using WhiteSES to send email, you will be the controller and WhiteSES will be the processor.
- Defining “personal data” under GDPR: GDPR defines personal data broadly as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
- Under this definition, nearly ALL information about an EU resident is personal data, including, for example, names, ages, Social Security Numbers, email addresses, online identifiers and location data, IP addresses and mobile device IDs, cookies, and also more sensitive personal data such as genetic data and biometric data, including fingerprints, facial recognition and retinal scans.
- Do I have to retain the email I send to my customers under GDPR?
- No, there is no specific data retention requirement under GDPR. In fact, GDPR is more or less intentionally set up to promote the active non-retention of data.
- For example, Comment (64) to GDPR states in part that, “A controller should not retain personal data for the sole purpose of being able to react to potential requests”.
- However, if you have a duty to retain based on some other legal obligation, Comment (65) to GDPR, which deals with the right to be forgotten, states that a controller may retain data “where it is necessary, for exercising the right of freedom of expression and information, for compliance with a legal obligation, for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defense of legal claims.”
- How will GDPR generally affect sending email?
- Provided the controller has the necessary consent, the actual sending of the email is not really impacted by GDPR. However, GDPR can affect the returned message event data to the extent that such data indirectly or directly identifies an EU data subject. For example, if you are passing metadata, such as a unique identifier, in the transmission then such metadata would appear in the returned message event data.
- Broadly speaking, GDPR requires you to look at all of your data acquisition, tracking and data use systems and then determine whether they adequately document the consent requirements, permit compliance with transparency requirements, and can be purged when requested by a data subject. Any legacy system that was not designed with these systemic issues in mind may be a real task to re-develop.
- In addition, GDPR will require you to look at each and every third party service you are using for tracking, monitoring, and developing your data analytics, and verify whether they are GDPR compliant. After all, the whole point of these systems is to track users for marketing, service augmentation, customization and experience, and hence, by definition, this is data that identifies a data subject. This data is personal data in the EU (whereas it is not personal data with any level of real protection in the US). The lowest-common-denominator third-party service is the one that could cause a problem: if even one is non-compliant, the EU regulators will likely view your entire system as non-compliant.
- What can a data subject ask me to do under GDPR that I must do?
As discussed briefly above, a data subject can make essentially two requests: an accounting of all uses of the data subject’s personal data, and that the data subject’s personal data be removed from the controller’s or processor’s systems. This is a very general answer, and these rights are not absolute, so it is beyond the scope of this FAQ to explain in detail what information a data subject must have access to and when they can ask that it be deleted.
- What are some of the key elements and changes to the law under GDPR?
- Obtaining consent: Explicit consent by a “clear affirmative act” will be required, as opposed to a soft opt-in. Formerly used methods such as pre-ticked boxes, silence, or inactivity will not constitute consent. Consent records must be maintained so they can be presented if you are challenged. Therefore, systems design changes may be necessary to provide evidence that a person consented to a specific use of their personal data.
- Extra-territorial scope: The rules, at least for now, state they apply to all persons or companies who handle personal data of EU residents, regardless of whether or not they reside in the EU.
- Increased penalties: Fines can be significant. Infringement of certain provisions can result in fines of up to 20,000,000 EUR, or up to 4% of the total worldwide annual turnover of the provider’s preceding financial year, whichever is higher.
- Right to be forgotten: The right to be forgotten, previously a right arising from a court decision, is now codified in the GDPR. A data subject has the right to be forgotten, meaning that his/her personal data must be erased upon request, and no longer processed where the personal data is no longer necessary to the purposes for which it was collected. This again may require significant systems changes to be able to “scrub” the data from all locations, apparently including backup locations and other non-production storage. However, it should also be noted that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such requests.
- Right to access: A data subject has the right to obtain from the data controller confirmation as to whether or not personal data concerning them are being processed, where and for what purpose. The controller is required to provide a copy of the personal data, free of charge, in an electronic format.
- Data portability: A data subject has the right to receive the personal data concerning them, which they have previously provided in a “commonly used and machine-readable format” and have the right to transmit that data to another controller.
- Privacy by design: The GDPR calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimization), as well as limiting access to personal data to those who need it to carry out the processing. As a result, developers of applications, services or products that will process personal data should take the new regulations into account during the design and development process to ensure that the final product will protect the personal data of its users. Privacy has to be by design, not a bolt-on afterthought.
- Breach notification: Breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
- WhiteSES’s GDPR compliance
- As a commitment to its customers, WhiteSES has committed to be fully GDPR compliant before GDPR takes effect.
- WhiteSES self-certifies to and complies with the EU-US and Swiss-US Privacy Shield Frameworks, as administered by the US Department of Commerce. As such, WhiteSES shall be deemed to provide adequate privacy protection for the transfer of personal data originating from the EU and/or Switzerland (within the meaning of EU data protection laws) by virtue of such self-certification. For the purposes of this Agreement, the terms “personal data”, “processing” and “data subject” have the same meanings as those given to them in EU General Data Protection Regulation 2016/679 (“GDPR”). If Your use of the Services requires WhiteSES to process personal data falling within the scope of GDPR, WhiteSES’s Data Processing Addendum is available for e-signature here. Once executed, such Data Processing Addendum shall hereby be incorporated into this Agreement by reference.
- Additional Resources
- The GDPR, in its entirety: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
- Overview of the GDPR: http://www.eugdpr.org/
- The Information Commissioner’s Office (ICO) guide entitled Preparing for the General Data Protection Regulation (GDPR) – 12 Steps to Take Now: https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
- European Commission Fact Sheet: http://europa.eu/rapid/press-release_MEMO-15-6385_en.htm
- Privacy Shield: https://www.privacyshield.gov