What is GDPR?
Europe’s huge privacy fines against Marriott and British Airways are a warning for many companies handling EU data. The biggest, however, may be yet to come, as Facebook, Google and Apple remain under investigation. The GDPR is a very broad rule with few specifics, and companies have had little insight into how regulators in the EU would interpret the law. Databrackets, in partnership with Bagchi Law, is working on publishing research material along with webinars to help companies comply with this new law.
What is GDPR?
GDPR stands for General Data Protection Regulation and is a set of data privacy regulations implemented by the EU Parliament on April 14, 2016 (“GDPR”). GDPR is designed to harmonize data privacy laws across Europe, and generally sets forth requirements with respect to how information related to individuals may be collected and used.
To Whom does GDPR Apply?
GDPR applies to all entities who “process” “personal data” related to individuals residing in the European Economic Area. As a result, the vast majority of entities which sell products or provide services to individuals located in the European Economic Area are subject to GDPR.
The concepts of “processing” and “personal data” are at the core of GDPR, and they determine whether GDPR applies to a particular entity:
- “processing” is defined in Article 4 of GDPR as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”; and
- “personal data” is defined in Article 4 of GDPR as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Such definitions are broad, and “personal data” generally includes all information which can be linked to a specific individual. Moreover, “processing” covers almost all uses of personal data.
Why is GDPR Important, and What Does it Mean for the Future?
Almost every service we use, from retailers to email providers and social media networks, requires the collection and processing of our personal data. Entities may collect, store, and use a variety of personal information we provide, such as names, addresses, and credit card numbers.
In recent years, the accelerated aggregation of personal data has led to the most serious data breaches in history, such as the 2017 and 2018 breaches of Equifax, Facebook, and Aadhaar, which collectively affected more than 1.25 billion individuals. GDPR seeks to ensure personal information is protected not only against those who would seek to use it maliciously but also against the entities which collect it.
In early 2018, Facebook lost more than 100 billion dollars in share value in a matter of days when news of the Cambridge Analytica data scandal broke. Facebook shared with Cambridge Analytica personal information related to an estimated 87 million users, without their consent. In March 2018, just two months before GDPR came into effect, Google released findings that between 2015 and 2018 its Google+ social network contained a glitch allowing developers to access the personal “Google+” profile data of countless users.
The litany of data breaches and the frequent misuse of personal information have not gone unnoticed, even in the US. Largely in response to the misuse of personal data by big-tech companies such as Google, Facebook, Amazon and others, various states are implementing their own regulations applicable to personal data and cybersecurity. For instance, the California Consumer Privacy Act will be effective January 1, 2020, and the New York State Legislature’s Cybersecurity Regulations went into effect March 1, 2019.
How does GDPR Affect Your Business? What is a DPA?
Before turning to a discussion of the practical impact of GDPR on covered entities, it is important to understand two additional terms defined therein:
- “controller” is defined in Article 4 of GDPR as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”; and
- “processor” is defined in Article 4 of GDPR as a “natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
If your business processes personal information related to individuals residing in the European Economic Area or provides such information to any other entity, you are likely already familiar with the concept of a data processing agreement. GDPR requires that certain contractual provisions govern the relationship between controllers and processors. These contractual provisions are generally found in a data processing agreement, commonly referred to as a data processing addendum or “DPA.”
The most fundamental provisions required by GDPR are found in Article 28 Section 3 of GDPR. That section requires “processing by a processor” be “governed by a contract…that sets out:”
- the subject-matter of the processing;
- the duration of the processing;
- the nature and purpose of the processing;
- the types of personal data subject to processing;
- the categories of data subjects (whose data is being processed); and
- the rights and obligations of the controller.
In addition to the above, GDPR sets forth a number of stipulations applicable to processors, which must be contained in the relevant agreement or DPA. Such stipulations include the following:
- the processor must act only on the controller’s documented instructions unless required by law;
- the processor must ensure that individuals processing the controller’s personal data are subject to an appropriate duty of confidence;
- the processor must take appropriate measures to ensure the security of processing;
- the processor may only engage with a sub-processor with the controller’s prior authorization and pursuant to a written contract containing appropriate protections;
- the processor must take appropriate measures to help the controller respond to requests from individuals to exercise the rights provided to them under GDPR;
- taking into account the nature of processing and the information available, the processor must assist the controller in meeting its GDPR obligations in relation to the security of processing, notification of personal data breaches and data protection impact assessments;
- the processor must delete or return all personal data to the controller upon the termination of the provision of services relating to processing; and
- the processor must submit to certain audits and inspections.
Whether your business is a controller entering into a DPA with a processor, or a processor engaging with a sub-processor, it may seem daunting to ensure each requirement of GDPR is met. Conversely, failure to comply with GDPR can result in fines ranging from 10 million euros to four percent of a business’s annual global turnover. While GDPR was implemented in May 2018, this year has seen an exponential increase in the number of enforcement actions. And as the US begins implementation of its own data privacy regulations, it is more important than ever for US businesses to begin thinking about compliance.
Attend our live webinar to learn more about how to comply with GDPR.