The EU General Data Protection Regulation (“GDPR”) is the most significant change to data protection law in a generation.
It marks the high point of a global shift in norms around privacy and the use of personal data, and countries around the world have since introduced frameworks of their own designed to keep pace with it.
A second piece of EU legislation, called the ePrivacy Directive, also provides specific provisions dealing with communications and communications data, such as the use of (i) cookies or similar technologies (e.g. SDK, IDFA, fingerprinting) and (ii) electronic direct marketing (e.g. the sending of email or SMS for direct marketing purposes).
With a broader territorial scope, a suite of heightened requirements and new authority for regulators to issue unprecedented fines, organisations that process the personal data of individuals in the EU will face considerable risks. But as other countries start to follow suit, the GDPR also offers organisations new promise: complying with the GDPR can serve as the springboard for the wider world.
The highlights of GDPR include (among others):
- Expansive definition of personal data: Personal data is defined widely as any information relating to an identified or identifiable individual. It is not just names and contact details, but also online identifiers (such as IP addresses and device or advertising IDs), photos, location data and behavioural traits, and any other information that can be used to single someone out or to take decisions affecting him or her.
- Extended territorial scope: The GDPR applies to organisations established in the EU as well as to those outside the EU that process personal data in the context of offering goods or services to individuals in the EU or monitoring their behaviour. Scope turns on where the individual is located, not on residence or nationality. This means that virtually any organisation that intentionally does business in the EU could be subject to the GDPR. It also means that companies around the world face a level playing field if they are competing for customers in the EU.
- Expansive enforcement powers: Organisations could face sanctions such as fines from regulators of up to the higher of 4% of the organisation’s worldwide annual turnover or €20 million. For start-ups, an even more significant risk is that a regulator could order an organisation to stop using personal data altogether, which could mean deleting all customer lists and effectively ceasing to operate until the organisation comes into compliance. The GDPR also permits individuals to bring actions for compensation and introduces group actions to the EU for data protection violations.
- Heightened individual rights: Individuals are accorded a number of rights, including the right to request that organisations delete data held about them, the right to opt-out of any processing for marketing purposes (including the creation of consumer profiles), and the right to “port” data from one provider to a competitor. Certain pre-existing rights created under previous EU privacy legislation, like the right to obtain a copy of personal data, have been strengthened under GDPR.
- Changes to the definition of consent: Valid consent is much harder to obtain. To rely on an individual’s consent to use his or her data, an organisation must ensure that the consent is specific and granular, can be withdrawn as easily as it was given, and is not “take it or leave it” (i.e. not bundled with access to a service that does not require the data). Where another lawful basis is available, consent should generally be avoided, particularly in situations where it would be difficult to show that it was freely given, such as in employer-employee relationships.
- New accountability requirements: Under the GDPR, organisations must build data protection into the design of any product or service (“data protection by design and by default”). This means adopting technical measures, such as encryption and pseudonymisation, where feasible, as well as broader organisational measures, such as appointing a data protection officer (where certain thresholds are met), conducting data protection impact assessments for “high risk” activities and keeping detailed records of processing activities that can be made available to regulators on request (unless exemptions apply). Organisations also need to consider how data protection will be addressed in their contracts with service providers and business partners, since the GDPR prescribes minimum terms for contracts with processors.
- Data breach notification: For the first time, personal data breach notification will apply to most sectors across the EU. Notably, the GDPR adopts a low threshold for what constitutes a breach (any security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data), and personal data breaches must be reported to the competent regulator without undue delay and, where feasible, within 72 hours of the organisation becoming aware of them. Where a breach is likely to result in a high risk to individuals, the affected individuals must be informed as well. This regime applies in addition to the data security and incident notification obligations imposed by the EU NIS/Cybersecurity Directive and national implementing legislation.
- Harmonisation across the EU: By taking the form of a regulation, which applies directly in every Member State, rather than a directive, the GDPR eliminates many of the country-specific requirements that exist under the current regime. Some local deviations will nonetheless persist in areas where the GDPR leaves room for national law, such as life sciences, activities related to journalism and academia, and employment.
To address the significant risks posed by GDPR enforcement, we recommend that organisations first map how they collect, use, share and store personal data. Only with that picture can an organisation implement tailored solutions.
Addressing the risks posed by the GDPR requires a case-by-case assessment of the friction points for each organisation. There is no one-size-fits-all solution. Get in touch with us to discuss the building blocks for your compliance programme and an introduction to the key concepts.