General Data Protection Regulation (GDPR)

Recently, have you been receiving an unusual number of “privacy policy updates” from basically every company, group, and association with whom you have ever had any connection?

They are sending the updates to you in accordance with the European Union’s (EU’s) new General Data Protection Regulation (GDPR) that went into effect on May 25, 2018.

But why?  We are in the United States.  Why does a data protection regulation in the EU impact us?

The GDPR applies to: 1) all persons in the EU, 2) all EU citizens – even if they are not physically in the EU, 3) all entities, anywhere in the world, that do business with the EU, the European Economic Area[1], and/or the United Kingdom (UK) after it leaves the EU, 4) any entity that collects data about EU residents, and 5) any entity that processes data on behalf of a data controller – such as a cloud service provider. Thus, if a company, organization or other entity has customers, members, or employees who are EU citizens — regardless of their location — the GDPR applies.[2]

GDPR's Purpose

The purpose of the GDPR is to establish that EU citizens and residents have control over their personal data[3] no matter where that data is collected, transmitted, processed, stored, or exchanged.  It also ensures that each person’s identifying data is not made publicly available without that individual’s explicit consent, and simplifies the regulatory environment concerning data for international business by unifying the regulation within the EU.


GDPR History

The GDPR was officially adopted by the European Parliament on April 14, 2016.  Entities were given a two-year transition period to prepare before the Regulation became enforceable on May 25, 2018.  It superseded the EU’s 1995 Data Protection Directive 95/46/EC, which had already set a high standard for individual privacy.  In August 2018, the GDPR will be valid in the EEA countries, and while the UK is scheduled to leave the EU in 2019, the UK granted “royal assent” to the Data Protection Act 2018 on May 23, 2018, which mirrors the GDPR.

In its requirements, the GDPR refers to individuals as “data subjects,” entities that collect data as “data controllers,” and entities that process data as “data processors.”  Additionally, the GDPR mandates that all public authorities and businesses who regularly process personal data employ a “data protection officer (DPO),” responsible for managing compliance with the GDPR.   Such entities must provide details to contact their designated Data Protection Officer to all data subjects.

Important Details of GDPR

  1. Informed. Under the GDPR, when personal data is collected, the data subjects must be fully informed about: 1) the extent of the data collected about them, 2) the legal basis for collecting such data, 3) how long the data is to be retained, 4) if the data is being transferred to a third-party or outside the EU, 5) any data collected based solely on an algorithm, and 6) any data breach within 72 hours after the breach.
  2. Rights. The data subjects must also be informed about their privacy rights, including their right to: 1) provide explicit consent (“opt-in”) to have their personal data collected, 2) revoke that consent at any time, 3) view their personal data and access an overview of how it is being processed, 4) obtain a copy of the stored data, 5) correct or erase any erroneous data, 6) contest any data collected based on an algorithm, and 7) file complaints with a Data Protection Officer or other authority.
  3. Requirement for Consent. The requirement for consent in the GDPR is particularly important in two areas of normal business.  First, Article 7(4) states that an entity providing a service to an individual may not require consent to data collection or processing from the individual as a part of using that service.  Second, for entities who record telephone calls as a matter of practice, the traditional disclaimer is not considered sufficient to gain assumed consent to record calls. Additionally, when the recording has started, if the caller withdraws his/her consent, then the agent receiving the call must be able to stop the recording and ensure that the recording is not retained.
  4. Protection by Design and Default. Article 25 of the GDPR requires that entities must protect each individual’s personal data both “by design” and “by default.”  Data protection “by design” means that data about each individual must be hidden using: a) pseudonymization, or b) full anonymization. Data protection “by default” means using the highest possible privacy settings “by default.”  The purpose of both is to allow data to be collected, processed and transferred in aggregate form, as for example the number of cancers reported in a particular area, without revealing the information about any specific individual.

a. “Pseudonymization” is a process that changes the data collected so that specific information about an individual is rendered unreadable unless an extra step is applied to reveal that information. One example of “pseudonymization” is encryption, where the data is replaced with a code and a decryption key is required to reverse the process.  The GDPR mandates that the decryption key be kept separately from the encrypted data and recommends that the encryption and decryption operations be carried out locally, rather than by a remote service, because both the keys and the data must remain with the data owner if any privacy is to be achieved.[4]

b. A second example of pseudonymization is “tokenization,” where the data about specific individuals is substituted with placeholders known as “tokens.” The tokens maintain the length of each data field so that legacy systems, sensitive to field lengths, can still process the bulk data.  The tokens must be converted if the original data is to be read.

c. Data anonymization. In contrast, data anonymization is a process of removing the data about specific individuals, but in a manner that the process cannot be reversed to reveal the original individual information.  For example, if the data is encrypted, the decryption key is discarded with data anonymization.

  5. Sanctions. Entities who do not comply with these and other requirements of the GDPR can be fined up to €20 million or 4% of the entity’s preceding year’s revenue (not profit) – whichever is greater.
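The three techniques in item 4 (tokenization as pseudonymization, re-identification via a separately held secret, and irreversible anonymization) are easiest to see side by side in code. The following Python is an added illustration, not code from the original post or from any GDPR guidance; the records are constructed sample data, the `TokenVault` class and the field names are assumptions made for the example. It shows that the bulk statistic the post mentions (cancers per region) can be computed from all three forms of the data, that the tokens keep each field's length, and that only the vault can reverse the pseudonymization.

```python
import secrets
import string
from collections import Counter

# Constructed sample records; the people, addresses and diagnoses are invented.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test", "region": "North", "diagnosis": "cancer"},
    {"name": "Bob Sample", "email": "bob@example.test", "region": "North", "diagnosis": "none"},
    {"name": "Carol Fictional", "email": "carol@example.test", "region": "South", "diagnosis": "cancer"},
    {"name": "Alice Example", "email": "alice@example.test", "region": "North", "diagnosis": "cancer"},
]

IDENTIFYING_FIELDS = ("name", "email")   # assumed set of direct identifiers
TOKEN_ALPHABET = string.ascii_letters + string.digits


class TokenVault:
    """Hypothetical token vault: the secret table mapping tokens to original values.

    This table is the "extra step" needed to re-identify someone, so it must be
    stored separately from the pseudonymized data set (the post's key point).
    """

    def __init__(self):
        self._value_to_token = {}
        self._token_to_value = {}

    def tokenize(self, value: str) -> str:
        # Same value -> same token, so repeated records of one person stay linkable.
        if value in self._value_to_token:
            return self._value_to_token[value]
        while True:
            # Random, length-preserving token so field-length-sensitive legacy
            # systems can still process the data, as the post describes.
            token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(len(value)))
            if token not in self._token_to_value:
                break
        self._value_to_token[value] = token
        self._token_to_value[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]


def pseudonymize(records, vault, fields=IDENTIFYING_FIELDS):
    """Replace identifying fields with tokens; reversible only with the vault."""
    return [
        {k: (vault.tokenize(v) if k in fields else v) for k, v in rec.items()}
        for rec in records
    ]


def reidentify(records, vault, fields=IDENTIFYING_FIELDS):
    """Reverse pseudonymization using the separately held vault."""
    return [
        {k: (vault.detokenize(v) if k in fields else v) for k, v in rec.items()}
        for rec in records
    ]


def anonymize(records, fields=IDENTIFYING_FIELDS):
    """Irreversibly drop the identifying fields; no vault exists, so nothing can undo it."""
    return [{k: v for k, v in rec.items() if k not in fields} for rec in records]


def cancers_per_region(records):
    """The bulk statistic from the post; works on raw, pseudonymized and anonymized data."""
    return dict(Counter(r["region"] for r in records if r["diagnosis"] == "cancer"))


if __name__ == "__main__":
    vault = TokenVault()
    pseudo = pseudonymize(RECORDS, vault)
    print("pseudonymized:", pseudo)
    print("re-identified matches original:", reidentify(pseudo, vault) == RECORDS)
    print("anonymized:", anonymize(RECORDS))
    print("cancers per region:", cancers_per_region(pseudo))
```

Discarding the vault after `pseudonymize` turns the pseudonymized set into an anonymized one, which is the same move the post describes for encryption (throwing away the decryption key); keeping the vault on the same system as the tokenized records, or with a remote service, would defeat the separation the post says the GDPR requires.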

Impact of GDPR

  1. Notifications. To comply with the GDPR, most US companies with international customers, members, and/or employees have enhanced their privacy policies and sent the required notices announcing those updates.  One result of the excessive number of notifications, however, has been a degree of fatigue among the recipients.  Also, some “phishing scams” and “spam” have emerged that use false versions of the notifications.
  2. Non-Compliance. Of those websites that have not complied, some have blocked EU users from accessing their sites since May 25, 2018, while others redirected EU users to stripped-down versions of their services.
  3. Blockchain. An additional concern regarding the implementation of the GDPR is with “blockchain” systems.  Most blockchain transactions have a fixed record that contradicts the data protection objectives of the GDPR.  This issue is under study.
  4. Lawsuit. Since the GDPR gave special compliance attention to the larger international technology firms that routinely collect data on individuals, such as Facebook (and its subsidiaries “WhatsApp” and “Instagram”) and Google (with its subsidiary Android), both companies were immediately sued by the non-profit “NOYB (none of your business) European Center for Digital Rights.”  NOYB asserted that both companies violated Article 7(4) by attempting to completely block use of their services if users declined to accept all data processing consents, in a bundled grant that also included consents deemed unnecessary to use the service.  The matter is in court.

Conclusion

For Americans — concerned about dangers to our personal data following numerous breaches at companies like Yahoo, Equifax, Target, and JP Morgan Chase, and the collection of personal data of over 50 million Americans by Cambridge Analytica – the GDPR may be excellent news.  However, while many US companies must comply, US citizens are not protected.  Perhaps the EU’s GDPR will “lead the way” for changes in our own US laws.

If your company hasn’t started addressing the requirements in the GDPR, you are behind and need to catch up quickly.

If you are an individual receiving Privacy Policies — read and understand them.  If they ask you to “opt in” or “opt out” – do so!  That is critical to the privacy and security of your personal data.

[1] The EEA includes the EU countries plus Iceland, Liechtenstein and Norway.

[2] The GDPR does not apply to the processing of data by a person for a “purely personal or household activity with no connection to a professional or commercial activity.” Recital 18.

[3] Personal data is defined by the EU as any information relating to an individual, including his or her private, professional or public life.  It can be anything from a name, address, photo, email, birth date, bank details, social media posts, medical information, or IP address, etc.  Press release on the GDPR.

[4] “Privacy and Data Protection by Design,” the European Union Agency for Network and Information Security (ENISA), Europa website.
