The General Data Protection Regulation (GDPR) is a crucial European data protection reform that will come into force on 25 May 2018.
Until now, the 1995 directive (95/46/EC) has applied, but a revision of the law had become necessary because of developments in technology. Back in 1995, the Internet was still in its infancy, but today data protection needs to cover big data, robotics and artificial intelligence.
The aim of the GDPR is to regulate uniform data processing on an EU level. This poses two questions for businesses, namely: what are the new laws, and what consequences will they have for webmasters? Changes must be made by 25 May, in particular in terms of e-commerce as well as regarding personal data for both public and private companies. If you are not yet up to date with the new regulations, there is no time to lose!
Here is a summary of the new legal situation, with important points to bear in mind.
The GDPR is first and foremost... a regulation
This means that unlike a European directive, it will come into effect immediately from its official date, and apply to all EU member states, overriding any and all pre-existing national laws. All public and private companies which work with data of a personal nature must immediately implement the new provisions imposed by the EU.
Apparently however, the urgency of the situation has not yet been fully comprehended by all the companies concerned! According to a recent study, one out of every five firms in France will not be in compliance with the regulation come 25 May! And this despite the heavy sanctions that will be levied in the event of a failure to adhere.
Overall, these obligations, which may seem rather onerous, are designed to document and prove what data a company gathers, what it uses that data for and how it processes it. The GDPR requires documentation above all else.
This is where a company’s binding corporate rules (BCR) – which make up the code of conduct defining its personal data transfer policy – come under scrutiny.
The GDPR protects data of a personal nature
The use of cloud computing is already subject to risks, since it often implies the handling of large quantities of personal data. Companies which store health-related data are at even further risk, since such data is considered to be particularly sensitive.
Future evolutions in technology are also taken into account by the regulation.
For example, the GDPR anticipates that gathering biometric data from employees could become obligatory for certain tasks involving smart machines. Using this data to other ends such as to calculate or monitor a person’s effectiveness in the workplace might prove very tempting.
The new European regulation therefore also has to take account of developments such as these, as well as their potential for misuse.
The following people are affected by the GDPR
The GDPR will ensure increased protection for consumers, Internet and IT systems users, and customers and suppliers on the one hand, and employees on the other.
Furthermore, in the future, public authorities and companies whose main activity is connected to large-scale data processing will have to appoint a data protection officer who will be responsible for implementing this regulation.
Should you need any help, the information can be found on the CNIL (French data protection authority) website.
The main principles behind the GDPR:
Forbidden in principle except where approval has been obtained: this means that all processing of data of a personal and “sensitive” nature is forbidden, unless express approval has been obtained from the people affected and from the relevant authority (which in France is the CNIL). Data deemed to be “sensitive” includes health, opinions, ethnic origins etc.
In other words, the GDPR implies that the individual should have control of his or her data, and therefore that every person should have the right to decide and control the usage of data of a personal nature which relates to them.
Purpose: the gathering and processing of data should only be done for specific purposes. Accordingly, before gathering it, the aims should be specified and the future usage of the data should be documented. For example, data gathered to draw up a contract is stored for that purpose, and may not be used for advertising purposes. Changes to the specified purposes will only be permitted under certain circumstances. The consent of the employee or consumer shall only apply to the specified objectives.
Minimising data gathering: the principle of limiting data requires companies to request the least possible amount of data, i.e. it must be limited to what is required to achieve the particular objective. Gathering data that is not relevant to the stated purpose is prohibited, and therefore so is the gathering of “blind data” for storage.
Furthermore, personal data can only be stored for the length of time required by the stated purpose. If the processing authorisation expires (for example, if consent is revoked), then the data must be deleted.
Transparency: data processing must be clearly set out and comprehensible.
Confidentiality: companies must ensure that they protect the personal data of their customers both in technical and organisational terms, from unauthorised processing, modification, theft or destruction.
Simplicity: the declaration of consent must be clear and comprehensible, and must also be revocable. Revocation must be as easy as giving consent.
Right to information and deletion: EU citizens have the right to know, on request, which of their data is being held by a company and how it is being used. A consumer can also request that a company dereference (i.e. delete) the data.
In addition to the above-mentioned requirements, website operators must keep the following in mind:
- right to data portability
- prohibition of making consent subject to the execution of a contract
Very heavy fines can be applied if these requirements are not respected.
Outside the scope: e-commerce.
The GDPR has very few clauses which explicitly refer to e-commerce, instead stating overall principles as this area is governed by other laws.
Nevertheless, there are certain new aspects regarding online trading. While cookies, monitoring users, spam and direct marketing are not explicitly mentioned in the regulation, it is complemented by ePrivacy, another European Parliament regulation on the protection of online privacy. This is set to come into force on the same date as the GDPR.
This regulation will require strict consent for cookies, which will have consequences on targeting and personalised advertising.
List of measures applying to all companies to comply with the GDPR
If you wish to comply with the new European data protection regulation, the first thing to know is that the required measures vary from one company to another. However, there are certain measures and precautions which every company is obliged to take into account, listed below:
- Check to see whether you are required to designate a data protection officer.
- Update your website’s confidentiality policy to reflect the new regulation.
- Ask the head of your technical department or your data protection officer if your current measures are sufficient. In certain cases, additional measures can be taken, or it may be enough to better integrate your existing measures into the IT infrastructure.
- Establish a list of data processing activities.
- Draw up GDPR-compliant documentation on personal data processing.
- Establish means of communication for requests and inquiries from customers and users on the subject of data protection.
- Any personal data that was gathered in a way that contravenes the ban on making consent a condition of executing a contract must be gathered again in a different way, as data that is provided voluntarily.
- If you use subcontractors for data-gathering, check with them that any agreements correspond to the GDPR reform or modify those agreements to comply with the law.
- Check how you obtain the agreement or consent of your customers in your online stores and adapt the procedure to comply with the GDPR.
- If you are uncertain about anything, do not hesitate to ask for professional advice.