What is the GDPR?
In one year from today, the General Data Protection Regulation (GDPR) will become enforceable in the European Union. This new regulation aims at unifying what had been done until now in terms of data protection in the EU, but it also goes one step further with the sanctions for non-compliant companies, and it broadens the definition of personal data.
The sanctions for companies that do not respect the GDPR should be dissuasive enough: fines can reach €20 million or 4% of the worldwide annual turnover, whichever is higher. European companies are not the only ones that could be penalised, as any company processing personal data of people in the EU will have to comply with the GDPR, wherever it is established.
Article 4(1) of the GDPR defines personal data as « any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person ». For example, under the category ‘online identifier’ fall IP addresses and browser cookies, which many companies did not treat as personal data before. Consent is one of the lawful bases for processing (Article 6), and where companies rely on it, that consent must be “freely given, specific, informed and unambiguous” (Art. 4(11)). In practice, companies will have to explain clearly to their users what will be done with their data.
Why is it important for companies?
This new regulation should have a positive impact on consumers and internet users. Trust being a fundamental criterion for people buying on an e-commerce platform or using online services, knowing that the website falls under the GDPR should reassure users. The whole web industry should then benefit from a better image. It could even be relevant for companies to communicate on the fact that they are compliant with the regulation and to explain to their users what it implies. This would surely be a competitive advantage for companies that are proactive on the cybersecurity topic. Indeed, the GDPR also requires that a personal data breach be notified to the supervisory authority within 72 hours of the company becoming aware of it, where feasible (Article 33), and be communicated to the affected users without undue delay when it is likely to result in a high risk to them (Article 34). Rather than a threat to companies’ reputation, this should be seen as an opportunity to raise their security level and improve their processes.
What about users?
The GDPR will give individuals better control over their data. This means that, for any service they use, they will be able to ask for a copy of their data (right of access) and, under the conditions set out in the regulation, demand its erasure. Another benefit for European citizens is that they won’t have to worry about the nationality of a company before using its services. Indeed, all companies dealing with data of people in the EU will have to comply with the GDPR regardless of whether they are based in Europe or not. This does not only benefit individuals, but also European companies that could have feared unfair competition from outside the EU.
One thing is for certain: no matter what happens, it will almost always be cheaper for a company to comply with the new regulation than to suffer the consequences of financial sanctions and brand damage. To make sure that they take the necessary measures, some organisations will have to appoint a Data Protection Officer (DPO) and to perform a Data Protection Impact Assessment (DPIA).
The DPO will have to be competent on both the legal aspects of personal data handling and the technical measures that should be taken to ensure the security and lawful use of that data. According to Article 37(1), it will be compulsory to appoint a DPO if:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offenses referred to in Article 10.
This means that, for example, social media companies, loyalty-programme operators and online retailers, as well as insurers or any kind of healthcare provider, will have to appoint a DPO. The appointment of a DPO will be compulsory regardless of the size of the company; however, there is no obligation to hire someone from outside the company. It is possible either to work with a consultancy that will act as DPO, or to have someone already in the company take the position, as long as there is no conflict of interest. For instance, an IT manager cannot act as DPO, as that would mean monitoring his own decisions.
Doing a Data Protection Impact Assessment (DPIA, often called a Privacy Impact Assessment or PIA) will be compulsory, according to Article 35, in the case of:
- A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- Processing on a large scale of special categories of data referred to in Article 9 (1), or of personal data relating to criminal convictions and offences referred to in Article 10; or
- A systematic monitoring of a publicly accessible area on a large scale.
The minimum content of the DPIA is set by the GDPR itself (Article 35(7)): the assessment has to describe the processing operations and their purposes, assess the necessity and proportionality of the processing, assess the risks to the rights and freedoms of the data subjects, and finally explain the measures envisaged to address those risks. Although not compulsory for all companies, doing a DPIA is seen as good practice and should be considered by all companies handling personal data.
Appointing a DPO and conducting a DPIA will be necessary for some companies. However, all companies are also expected to take appropriate technical and organisational measures to protect their data from malicious attacks (Article 32). It is agreed that no company can ever be 100% safe from attacks; nevertheless they can take initiatives to raise their security level, for instance by encrypting their data so that it is unintelligible to anyone who obtains it in a breach (the GDPR explicitly cites encryption and pseudonymisation as such measures, and a breach of data that remains unintelligible need not be communicated to the affected users), or by performing security audits of their digital platforms and information systems.
To conclude, the GDPR will have companies breaking down their internal barriers, as the legal and technical sides will have to collaborate more closely. The DPO will embody this new dual approach by supervising the coherence and lawfulness of personal data management. Far from being a constraint, the GDPR should be seen by companies as an opportunity to prove their good practices and increase the trust of consumers in services dealing with personal data. In the medium to long run it will benefit all businesses dealing with personal data, without giving an unfair competitive advantage to companies based outside Europe. Finally, the GDPR gives more power to end users, as they will have more knowledge of and more rights over what is done with their data.