As many have noticed, we have started to receive many Privacy Policy Updates from a variety of companies. This barrage of emails claiming to be committed to helping individuals and being transparent, is a result of companies starting to become compliant with new privacy laws. Starting May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will take effect. This law covers any organization anywhere in the world that handles the personal data of EU residents. This may mean that many websites and small business will need to ensure they are taking proper steps to ensure they avoid the steep fines and penalties imposed by the EU, even if they do not reside in EU countries.
The aim of GDPR is to give Europeans a clear understanding of who owns their personal data and to give more control over its uses. This means that organizations must be more disciplined when capturing and using personal data.
Many may be wondering how this will impact their business here in Canada, and what do we need to know regarding EU’s GDPR. We have provided a quick guide of what to know, and what actions could be required as next steps.
What is considered Personal Data?
Before going any further, we should know exactly what is meant by Personal Data, and the definition that is provided by the European Commission. “Personal Data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.
Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law.
Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
The law protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.” (European Commission – European Commission, 2018).
In general, anything that discloses your identity and is unique to you is personal data. Some examples are:
- Name
- Address
- Phone number
- Birthday
- ID Cards
- Workplace and/or School
- Social media accounts
- Email Address
- Metadata
- IP Address
Is GDPR a good thing or a bad thing?
The aim of GDPR is to give Europeans a clear understanding of who owns their personal data and to give more control over its uses, meaning that organizations must be more disciplined when capturing and using personal data. Companies could branch their data processing and applications into two products, one for EU residents, and the other for the rest of the world. However, this would be impractical for most, as it would increase their costs substantially. This means, not only Europeans get a clear understanding and more controls, but the rest of the world will as well if the company is trying to capture clients in EU countries. In general, GDPR will:
- Increase customer confidence
- Improved data security
- Reduce data maintenance costs
- Provide more transparency
With the rapid pace of technology, many companies have had the opportunity to move quickly and use new technology to their business advantage to gain competitive edges. While this is great, it has sometimes come at the cost, especially with the many data breaches that have occurred over the last several years. GDPR is a start to better practices used throughout the industry while trying to keep a level playing field.
What are the fines for GDPR?
When a fine is handed out, there are ten criteria that are used to determine the amount of the fine for a firm that is non-compliant. (Gdpreu.org, 2018)
- Nature of infringement: number of people affected, damaged they suffered, duration of the infringement, and purpose of processing
- Intention: whether the infringement is intentional or negligent
- Mitigation: actions taken to mitigate damage to data subjects
- Preventative measures: how much technical and organizational preparation the firm had previously implemented to prevent non-compliance
- History: (83.2e) past relevant infringements, which may be interpreted to include infringements under the Data Protection Directive and not just the GDPR, and (83.2i) past administrative corrective actions under the GDPR, from warnings to bans on processing and fines
- Cooperation: how cooperative the firm has been with the supervisory authority to remedy the infringement
- Data type: what types of data the infringement impacts; see special categories of personal data
- Notification: whether the infringement was proactively reported to the supervisory authority by the firm itself or a third party
- Certification: whether the firm had qualified under approved certifications or adhered to approved codes of conduct
- Other: other aggravating or mitigating factors may include financial impact on the firm from the infringement
The lower-level fines can be 2% of the worldwide annual revenue of the previous financial year or €10 million, whichever is higher. Where the higher-level fines can be 4% of the worldwide annual revenue of the previous financial year or €20 million, whichever is higher.
Either way, there is significant incentive to take GDPR seriously, and ensure compliance.
Should I start to Panic & how to do I become compliant?
As large as the fines are, there is little need to start to panic. The first thing that should be done is to determine if any EU clients are being serviced. This can be started by mapping out all the personal data in a company’s possession. Next, it must be understood what needs to change to comply with GDPR. This might mean no longer keeping any data that is not actually needed to perform the services that are provided. For all data that is needed to operate, ensure that data is only used for the intended purpose. For example, if an App is used to track steps while walking, and needs Geolocation, then ensure the Geolocation being collected is not used for different purposes. Some of the data collected for operation is required that consent is asked, while others are not. It is recommended to investigate further if this is the case. If a website is being run, and have not geoblocked all EU countries, basic processes like logging IP addresses can be ignored. Access logs should not be a problem since they rotate often and cannot be used on their own to identify an individual person. However, if IPs of users are stored and it is common to actively try to correlate IPs with behavior, then consent is required.
If EU residents or any of their data is not associated with a given company, then there is likely not much action that is needed. Where many businesses in Canada will feel the effect of GDPR however, is if they deal with larger companies that do process data belonging to EU clients, and as a result, have changed their policies and how they process and handle their data. They may require an affiliate to be compliant with certain policies they have implemented before continuing business. Similar steps are laid out above to handle this situation.
For more information regarding GDPR, read the Privacy by Design report by the European Union Agency for Network and Information Security:
https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design
For any urgent questions, please contact: ghawes@solut.ca
References:
European Commission – European Commission. (2018). What is personal data?. [online] Available at: https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en [Accessed 25 May 2018].
Gdpreu.org. (2018). Fines and Penalties – GDPR EU.org. [online] Available at: https://www.gdpreu.org/compliance/fines-and-penalties/ [Accessed 25 May 2018].