GDPR: Definition, Launch Date, Consequences
GDPR – many entrepreneurs have heard about this acronym. Not everyone knows what hides behind it and what organizational, financial and legal consequences come with the new law. When does it come into play and what do companies have to do to adjust their business? We’re talking with Ms. Beata Marek – an experienced attorney at law from Cyberlaw.pl, a consultant working for many companies and technology projects, and an expert working for a few ministries of the Polish government.
What is GDPR and what is the reason for implementing this law?
General Data Protection Regulation (GDPR) is a law established by the European Parliament and the Council of the European Union in 2016. The goal was to make the law about personal data (Personally Identifiable Information – PII as understood in the U.S.) more current and independent from the rapid growth of technology. The legislation will take effect directly and it will replace a directive from 1995.
What do we mean when we say “personal data”?
Personal data means all the information that we can “pull from data”, that we can use to identify a natural person. For example name, surname, email address, phone number, age and sex. You can read more on the Wikipedia site.
It’s worth mentioning that GDPR does not change the definition of the phrase “personal data”. The law is pointing to something called “identifiers” that allow – directly or indirectly – for identification of a natural person. When we say “directly”, we mean data that clearly points to a person. When we say “indirectly”, we mean linking information that on its own is not that valuable, but allows for identification when linked with other data, forming one cohesive image. Location data, geolocation data or Internet identifiers could also be considered identifiers.
What is really important, GDPR also considers as “personal data” the IP address of a computer or other electronic device that belongs to a natural person, but only when this address can be linked to other data that allows for identification; for example, if we’re using a newsletter sign-up process to obtain an email address, name, surname and IP address.
When does GDPR go into effect?
It’s going to be mandatory starting from May 25th 2018.
According to a global study from 2016 by Dell, published in their whitepaper (“GDPR has ramifications for any company that does business with citizens”) over 80% of entrepreneurs know nothing about this new law or have minimal knowledge. What are the organizational and legal consequences that GDPR brings?
GDPR introduces an idea called Data Protection Impact Assessment (DPIA). It means that all processes linked to processing data (based on internal or external resources) that we want to have, we must align with this concept.
In some cases, it’s going to be mandatory to assess the consequences of protection of personal data, treating this law as a default option from the start, when designing new technological or service options. For example, when bringing a new application or a service to the market, an organization will be forced to make a PbD analysis (“privacy by design” or “privacy by default”). Another obligation concerns the time that personal data is being stored and processed and creating criteria for this time; as well as the Internet cookies and profiling that comes along with it. That’s why we need permission from users and this permission has to be: understandable, willingly given, conscious, concrete and clear.
GDPR means changes on an organizational level of many internal branches in a company. It also means the necessity of appointing a personal data inspector (responsible for the protection and for contacts with the appropriate office). It’s worth looking at the legal documents themselves; you can find them on the page EUR-Lex – the official European Union source for law. The responsibility of appointing a personal data inspector rests on public institutions (excluding courts), or on administrators whose main activity depends on data-processing operations that require systematic monitoring on a large scale.
If we’re talking about legal consequences, then the supervisory authority can impose financial penalties but it also has remedial prerogatives. It can for example issue warnings, reminders, order administrators or the organization processing the data to make adjustments. More examples can be found in article 58, paragraph 2 of the GDPR act.
The supervisory authority can also administer financial penalties for not obeying the new law. The amounts are quite substantial. Violators can pay up to 10,000,000 EUR or respectively 20,000,000 EUR and the company – up to 2% or respectively 4% of its total annual turnover.
More on the topic can be found in article 83 of the GDPR.
What steps should a company take to align daily activities with the new law?
These would be 3 steps:
- Increasing the level of consciousness. This point can be avoided if we can say that our consciousness is high and we know what to do next. If not, then employee training is necessary. Not for everyone but surely for sales, partially for marketing, IT and data administrators. For everyone that has access to customers’ personal information.
- Resources assessment. What data does the company have, where is it gathered and processed? Also important is the path to gathering and processing this information. In this situation, it’s mandatory to perform an audit. It can be internal or external. The audit can be legal or technological (or both).
- Analysis and changes in procedures that the organization had up to this point and elevating the level of infrastructure that was in use. We’re talking about revisions, contracts, agreements, addendums.
The estimated time for getting ready for a company of 200 people will probably range from 3 to 6 months. The time will probably be shorter for smaller companies, but we have to remember that an organization with 15-20 people can also have the same preparedness time span. It all depends on what is the nature of the data and what is the nature of the processing itself, how many people are involved in processing and what is the current security level.
Does a natural person, having full rights to administer his data have, under GDPR, the ability to forward/share these rights to another company to allow for service performance?
Absolutely. In a perfect world, for example, when dealing with a customer service line, a customer should have the ability to modify his data. But he should have and has the option to give this right to a company’s employees. It can happen by clicking a button on an internet page that gives the permission for personal data processing. It can happen by generating a service ticket in the system. It all depends on what the infrastructure on the customer’s side looks like.
One of the elements of GDPR is a company’s obligation to disclose to the customer (in the form of a .pdf file, for example) the data that the company processes that are linked to this customer. What will happen if the company refuses to hand over this information to the customer?
The penalty for breaking the law will be specific to each case. An appropriate office will be analyzing the reasons why the company refused to hand over the information.
A natural person will have the ability to ask the company or the office to exchange the personal data among themselves. This, for example, can be handy, when asking for a loan. It drives the need to create a system for the exchange. Is there a need for inventing a special system for this, hiring a new employee, etc.?
The right to exchange personal data between organizations is a new definition under GDPR. I think that many people will have a hard time when talking about the right to forward the data to another organization on the one hand and the right to share them between two organizations on the other. The fact is, that the personal data administrator will have the right to refuse the execution of the forwarding process when the other organization does not have the capacity to take this data. Or in the situation when the organization will process the data by means other than listed in the contract or agreement.
I think that within the first year after GDPR implementation, or even further down the road, we will have to learn how to refuse data transfers because it can be overused. Sharing, access to data and transfer – these are all different conceptual sets.
Another element of GDPR is “the right to be forgotten”. It often happens that the time of performing services is long gone, but the personal data is still in play. Do companies have an obligation to delete the data in this case?
“The right to be forgotten” is in play when the administrator goes public with personal data. He does not have the responsibility to take care of the matter personally. He has the responsibility to inform a person that he forwarded to another person the demand to delete the data, information about the data and a copy of the data.
What GDPR does in this case, is that it produces a long list of exceptions. The exception we will probably use very often is what’s called the “data retention” or the responsibility to store the data long after the expiration of the contract itself. For example, in the case of an ongoing investigation or for protection from legal claims needs.
Organizations have to look through every document they have, including policies for privacy. This is the level of information about cookies – why we are implementing them and what we are doing with them. If cookies are used for profiling then it needs to be described according to the law about profiling. The agreement for cookies on the user’s side is not changing, though. The user is still expected to agree to cookies by clicking on the button (it applies especially to the so-called “scoring”).
What about existing customers? Does a company have a responsibility to present annexes for already existing contracts?
Organizations should look through their contracts; it can be the case. It will definitely be in the case of a “personal data processing agreement”, if they were made before April 27th, 2016 and article 28 of the GDPR was not considered in the content of the contract.
Is there a difference between internal and external preparations? Is an entrepreneur obliged to prove to the office that his company’s daily business is aligned with GDPR? If so, what form does this proof need to take?
No, the administrator does not need to produce evidence. The exception would be an inspection, a legal claim and a criminal proceeding.
GDPR introduces the option to obtain certification and something called “codes of conduct”. This is a form of telling everyone interested that the organization is administering the data in the right way and that they are safely stored.
Does the organization need to audit itself for the purposes of GDPR and data safety? Who will assure the owner that his company operates according to guidelines and within the lines of the law?
No, the certification and “codes of conduct” are not mandatory. The responsibility, however, rests entirely on the entrepreneur and in some cases on the processing entity.
What hoops does a company need to jump through in order to be aligned with GDPR? Internal documentation, project documentation, the product itself (meaning software), documentation sent to the appropriate office?
All of the above plus vendor relations, they need to be aligned as well. We also have to remember about future product development and information security.
Is there anything that needs to be ready when GDPR hits? Any documentation for offices?
Regulations themselves are the direct source. There could be also a bill specific to each country that can modify the local law. You have to watch closely both GDPR development and your possible local law, as well as information provided by the EU to align your operations with developing events.
How will GDPR compatibility look as time passes? Will there be room for periodic inspections?
There will now be external inspections. Good practices demand, though, that internal periodic inspections take place. It’s worth it to do them at least once a year, taking a close look at procedures, documents, security levels, etc.
The GDPR does not introduce a special form of documentation that the organization has to present to an office. If documentation is being made, it’s only for internal purposes, for security reasons and for data security, including assets and continuity of activity. We have to remember that there is no business without access to personal data, so we have to protect it.
What about a potential data leak or theft? To whom should the company go with this situation and how much time will it have to resolve the problem?
GDPR is rich with information about rules in these kinds of situations. In other, not-covered cases, a company has a 72-hour window to report a leak or a theft, counting from zero hour. Noteworthy though is that a company must also present a set of steps that it took in order to minimize the risk of further propagation of illegal activity and its consequences.
Firms also need procedures in case of data theft. What do we have in mind when using the term “procedures”? Is there anything besides taking the case to the appropriate office?
Organizations need plans for continuity of operations. It means that they have to know what exactly will happen if personal data is simply not there for them to use. These are procedures linked to relations with vendors, rules for hiring people, data sharing between systems, backups and a whole lot more.
Are there any data describing the costs for aligning the company to the guidelines of GDPR?
Costs will naturally vary but it’s good to think of them as an investment. Start with hiring an employee that under the new law will be recognized as the administrator of personal data. Other costs will include software that will allow firms to check where personal data resides in their organization and what’s happening to them… or expenditures on penetration tests.
What sanctions are foreseeable for not aligning your business to the new law?
Legal penalties can be specified by any country within the EU and their internal legislation. Look for the appropriate legislation in your country by visiting a local Law Journal. What can also take place are the aforementioned financial repercussions and remedial prerogatives.
Cyberlaw.pl is a company offering legal consultations in the pay-by-the-hour model (different packages available) or project-based (fixed price model). The expert team consists of attorneys-at-law, economists, analytics specialists, and IT security engineers. This variety benefits the customers.