General Data Protection Regulation (GDPR) became enforceable in May 2018. The purpose of the regulation is to implement one set of data protection rules for all organizations operating in the EU, regardless of where the data is processed and where the company is located. This means that also organizations in the USA must apply the same rules when offering services and goods or monitoring behavior of individuals within the EU. The sanctions for not complying with the regulation can be up to €20 million or 4% of the total annual worldwide turnover.
The regulation is a significant step to ensure better transparency and control over personal data processing in the digital age and clarifying rules for organizations how they can process personal data. The GDPR strengthens existing rights, provides new requirements and gives EU citizens more control over their personal data. These include rights to:
- obtain access to the personal data held about him/her
- ask for incorrect, inaccurate or incomplete personal data to be corrected
- request personal data to be erased when it’s no longer needed or if processing it is unlawful
- request the restriction of the processing of his/her personal data in specific cases
- receive his/her personal data in a machine-readable format and send it to another controller (‘data portability’)
- request that decisions based on automated processing based on his/her personal data are made by natural persons, not only by computers
Although the GDPR is not a U.S. law, organizations based in the USA should consider whether they are in the scope and what actions do they have to take in order to become compliant. The GDPR sets several obligations to organizations (e.g.):
- getting consent of the individual concerned to use his/her personal data and informing how the personal data is processed
- carrying out impact assessments when data processing may result in a high risk for the rights and freedoms of individuals
- determining the roles and responsibilities of processing personal data. The duties of the processor towards the controller must be specified in a contract or another legal act.
- building data protection safeguards into products and services from the earliest stage of development
- appointing a data protection officer in organizations which process data on a large scale
- keeping records on how personal data is processed. However, small and medium-sized enterprises (SMEs) are not required to keep records of processing activities, unless the processing is regular or likely to result in a risk to the rights and freedoms of the person whose data is being processed
What is personal data?
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.
Examples of personal data: a name and surname, a home address, an email address which can be linked to an identifiable living individual (e.g. firstname.lastname@example.org), an identification card number, location data, an Internet Protocol (IP) address, a cookie ID.
On the other hand, if the data cannot be related to an identified or identifiable living individual, it is not defined as personal data. Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
What is processing?
Processing covers a wide range of operations performed on personal data, including the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.
The regulation applies regardless of the technology used for processing that data – both automated and manual processing – and it doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.
Examples of processing: staff management and payroll administration, access to/consultation of a contacts database containing personal data, sending promotional emails, monitoring behavior of individuals, shredding documents containing personal data, posting/putting a photo of a person on a website, storing IP addresses or MAC addresses, video recording (CCTV).