Drive GDPR sensitive data compliance

The General Data Protection Regulation (GDPR) is considered the world’s strongest set of data protection regulations. It unifies data privacy laws across EU member countries, and signals Europe’s firm stance on data privacy. GDPR was adopted by both the European Parliament and European Council in April 2016 and became enforceable as of May 2018.

The Regulation is far-reaching, covering every aspect of data usage, including collection, storage, retrieval, alteration, and destruction. It also creates personal liability for “controllers” and “processors” and establishes clear rights for consumers to take action if information is being abused.

Following Brexit, the rules no longer apply to data being collected on UK-based consumers. Personal data collected on residents of the UK are now subject to the 2018 Data Protection Act. However, in practice, the same core data protection principles, rights and obligations of GDPR still exist. 

The GDPR applies to processing carried out by organizations operating within the EU. It also applies to organizations outside the EU that collect data from, advertise to, or serve residents of the EU, as well as businesses that process data in the EU. 

For the GDPR to be applicable, businesses do not need to have European customers or be actively targeting European customers. Intention to offer goods and services (such as worldwide shipping, even without explicitly mentioning the EU), necessitates compliance with the GDPR – even without any economic activity.

The GDPR’s jurisdiction does not apply to businesses where the data controller is:

• Part of a government agency or law enforcement organization collecting data for crime prevention, investigation, or prosecution 
• Processing data related to defence, security, and/or public security
• Processing data related to national interest (social, health, budget, national security, etc.)

The GPPR defines personal data as: 

“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Although a full list is not provided, under the definition above, personal data is any information that relates to an individual who can be directly or indirectly identified. This includes: name, email address, financial data, location information, ethnicity, gender, biometric data, religious beliefs, web cookies, political opinions – and any other personally identifiable data.

The in-depth guidelines for meeting GDPR compliance are organized around the following 7 principles: 

1. Lawfulness, fairness and transparency: Individuals whose data is collected and processed (“data subjects”) must be informed ahead of time. To this end, organizations must make a clear and concise privacy policy available and get express content from consumers.
2. Purpose limitation: Businesses must process data only for the legitimate purposes specified to the data subject when collected.
3. Data minimization: Only as much data as absolutely necessary for the purposes specified should be collected – and all of it must be protected to the best of the businesses ability.
4. Accuracy: Personal data on file must be accurate and up to date.
5. Storage limitation: Personally identifying data may only be stored for as long as necessary to fulfill the specified purpose.
6. Integrity and confidentiality: Processing must be done in such a way as to ensure appropriate security, integrity, and confidentiality (e.g. by using encryption).
7. Accountability: The data controller is responsible for being able to demonstrate GDPR compliance with all of these principles.

Among other rules, the GDPR stipulates that businesses must: 

• Assign a Data Protection Officer (DPO) who will oversee all compliance. The DPO must be reported to the responsible data protection supervisory authority. This individual will be responsible for managing data subject rights in a timely manner. 
• Regulate the responsibility between Controller of data and the Processor. For this business relationship, a Data Processing Agreement (“DPA”) is required. A DPA sets out rules for how the Processor may use personal data to fulfill the purpose of the commercial agreement.
• Steps must also be taken to minimize the risk of a data breach, which is defined as the loss, destruction or unauthorized access to personal data. In the event a data breach occurs, processes must be in place to manage the breach within a 72-hour time frame. This may include alerting both the supervisory authority and individuals impacted. 
• Analyze possible risks and impacts on citizens’ rights for the intended use of personal data. Businesses must make a risk assessment if they will use personal data in a new and innovative way, changing cloud suppliers or creating new services. This process is called a Data Protection Impact Assessment (“DPIA”) and is set out in Article 35 GDPR.

Under the GDPR, “data subjects” have the following privacy rights:

• The right to be informed and know what data is on file
• The right to access to that data
• The right to rectification, or to fix errors in their data
• The right to erasure or deletion
• The right to restrict processing
• The right to data portability
• The right to object to usage of their data
• Rights in relation to automated decision making and profiling

In Article 83 of the GDPR, the EU outlines the infractions and administrative fines that are a part of the GDPR. Each country has its own independent Data Collection Authorities who use the criteria to determine the fine associated with an infraction. 

The GDPR splits the infractions into two tiers, each with its own fine limitations: 

• Tier 1 violations carry a fine of up to 10 million euros ($10.5 million), or 2% of the company’s revenue from the prior year – whichever is greater. 
• Tier 2 violations are more serious and carry increased fines up to 20 million euros ($21 million), or 4% of revenue from the previous year, whichever is greater.