NH Legal

GDPR explained

GDPR: Highlights of What You Need To Know

Almost everything we do online is processed and/or stored, whether it is posting a picture on social media, booking a train or looking up “what is GDPR?” Personal data is highly valuable and is often described as the new currency; many businesses thrive on exchanging our data with advertisers. Businesses that handle data are responsible for keeping it safe, but are they making a conscious effort to do so?

To ensure that such businesses are held accountable for their practices, the European Union (EU) adopted the General Data Protection Regulation (GDPR) to protect the personal data of people in the EU (the law protects “data subjects” in the EU, not only EU citizens). In force since 25 May 2018, the GDPR sets out rules instructing organizations of all sizes what they can and cannot do with a person’s personal data.

Here is an overview of the GDPR that breaks down the complex set of regulations into an easy-to-understand format. 

A. Who does the GDPR apply to?

1. GDPR applies to the following categories of businesses that collect and/or process personal data: any organization (including its subsidiaries and branches) that is established in the EU, and any organization outside the EU that processes the personal data of people who are in the EU in connection with offering them goods or services (paid or free) or monitoring their behaviour (for example, tracking them online), irrespective of the location of the organization itself. Example: an American organization that collects the data of people in the EU during online transactions is required to protect that data as per the GDPR, even if it has no physical presence in the EU. In other words, you could have a business in Florida, but if a person in France subscribes to your email list, you would be required to meet the GDPR requirements for processing and managing their data. Note that it is the person’s presence in the EU that matters, not their nationality: a French citizen living in Florida is not covered on that basis.

2. For purposes of the GDPR, an “organization” means any entity that decides how personal data is used (a “controller”) or handles it on a controller’s behalf (a “processor”), irrespective of its legal formation status. Simply put, the GDPR privacy rules apply to businesses formed as an LLC, a corporation or even a sole proprietorship.

B. What is classified as “personal data” under the GDPR?

According to the GDPR, personal data is any information that can be used to identify a person, directly or indirectly. Such information can be of any nature, such as physical, physiological, genetic, mental, economic, cultural or social. Note that several of the items below (genetic and biometric data used to identify someone, health data, political opinions, and racial or ethnic origin) are “special categories” of personal data, which may be processed only under narrower conditions. Some examples of personal data are:

  1. Name
  2. Date of birth
  3. Email address
  4. Address
  5. Bank details
  6. Passport number 
  7. Biometric data 
  8. Health data 
  9. Political opinions 
  10. Gender, race and ethnicity, and so on. 

C. How can a business organization be GDPR compliant? 

The GDPR has introduced strict requirements that organizations must follow when collecting and processing data. To be GDPR compliant, an organization must, among other things:

  1. Have a lawful basis, typically consent – an organization may only process personal data on one of the lawful bases the GDPR recognizes. Consent is the most familiar, but performing a contract with the person, complying with a legal obligation and pursuing the organization’s legitimate interests are also lawful bases. Where consent is relied on, it must be freely given, specific and informed, it must be as easy to withdraw as to give, and the organization must explain its data collection practices in simple and clear language. When an online service is offered directly to a child, a child under 16 cannot give valid consent, and a parent or guardian must consent instead; GDPR allows individual EU states to lower this age to as low as 13.
  2. Provide access to data – upon request from the consumer, the organization must provide, normally free of charge and within one month, a copy of the personal data it holds about that person, together with details of why and how it is being processed. The one-month period can be extended by up to two further months for complex or numerous requests, provided the person is told why.
  3. Give timely breach notification – in the event of a personal data breach, a controller must report it to the relevant supervisory authority (the national data protection regulator) within 72 hours of becoming aware of it, unless the breach is unlikely to pose a risk to the people concerned. If the breach is likely to result in a high risk to those people, the controller must also inform them without undue delay. A processor that discovers a breach must notify the controller it works for without undue delay.
  4. Apply privacy by design and by default – organizations are required to build data protection into their products and websites from the outset, keeping data collection to the minimum needed for the purpose, limiting retention and access, and applying appropriate security measures at every stage of a product’s design rather than bolting them on afterwards.
  5. Appoint a data protection officer (DPO) – an organization must appoint a DPO if it is a public body, if its core activities involve regular and systematic monitoring of people on a large scale, or if its core activities involve large-scale processing of special categories of data or of data relating to criminal convictions and offences.

D. What are the consequences of failing to comply with the GDPR? 

Non-compliance with the GDPR can result in hefty fines. The size of the fine depends upon various factors, such as the nature and duration of the violation, whether it was intentional or negligent, the number of people affected, the organization’s response to a data breach, and its cooperation with the supervisory authority.

Maximum penalties for GDPR non-compliance are: 

  1. €10 million or 2% of worldwide annual turnover for the preceding financial year, whichever is higher, for breaches of the organization’s operational obligations, such as failing to implement appropriate security measures, failing to report a data breach, failing to keep records of processing or failing to appoint a required DPO.
  2. €20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is higher, for breaches of the GDPR’s core principles, such as processing without a lawful basis or valid consent, transferring data outside the EU without proper safeguards, or ignoring individuals’ rights such as a request to access their data.

E. What are the main rights of individuals under the GDPR? 

Consumers are empowered by the GDPR by granting them the following rights: 

  1. Right to be informed – the consumer is entitled to know exactly how their data is collected and used, normally through a privacy notice provided at the time the data is collected.
  2. Right to access – the consumer can request a copy of all the personal data an organization holds about them, along with an explanation of how it is being used.
  3. Right to restrict processing and right to object – the consumer can require an organization to stop using their data while, for example, its accuracy is disputed, and can object to processing based on legitimate interests or used for direct marketing (an objection to direct marketing must always be honoured).
  4. Right to rectification – the consumer can have any mistakes in their data corrected.
  5. Right to erasure (“right to be forgotten”) – the consumer can request deletion of their data from records, for example when it is no longer needed for the purpose it was collected for or when they withdraw consent; this right is not absolute, and an organization may retain data it is legally required to keep.
  6. Right to data portability – the consumer can obtain the personal data they provided to an organization in a structured, commonly used, machine-readable format and reuse it across different services outside that organization. The GDPR allows them to move, copy or transfer that data from one business to another in a safe and secure way, without affecting its usability. Example: you can retrieve your listening history from Spotify, such as how many times you have played a particular song, and use that information to buy or listen to an album on another platform.

F. Are US-based businesses required to comply with the GDPR?    

Although the GDPR is a European law, it affects businesses worldwide due to its extraterritorial reach, i.e. it applies not just to businesses within the EU but to businesses anywhere in the world, provided they meet the criteria discussed earlier under section A. All businesses that fall within the GDPR’s scope will have to bring their personal data collection and processing practices in line with its rules.

Returning to the example in section A above (a business in Florida whose email list is joined by a person in France), it is clear that businesses with no physical presence in the EU can still be subject to the GDPR because their customers are in the EU.

This means that US-based businesses with no physical presence in the EU, in industries such as software services, e-commerce, travel, hospitality and more, are subject to the GDPR whenever they offer goods or services to people in the EU or monitor their behaviour, and the same applies to the personal data of their EU-based employees. Consequently, US-based businesses that fail to comply with the GDPR can be fined just like EU ones.

Conclusion
For a traditionally secretive organization, the GDPR amounts to a complete makeover. It has created a new level of transparency that requires organizations to spend more time and energy on compliance. Organizations have to bring their existing technologies in line with the GDPR’s requirements, as well as introduce new operational processes and designs to ensure full compliance.

The inconveniences organizations face in complying with the GDPR are better seen as an investment in building their consumers’ confidence and trust. Businesses now have the responsibility of being transparent and forthcoming about their data management practices, which gives individual consumers more control over how their personal information is used commercially by the businesses they choose to patronize.

Author: Krishna Parekh, Law Clerk at NH Legal
L.L.M Candidate at UCLA School of Law, 2020