GDPR--What You Need to Know Now

Does GDPR Affect You?

Probably, yes.

We'll get into the details shortly, but let's start with the most important question: Do you need to care about GDPR?

If you have customers or clients in the EU, yes. You are required to comply with GDPR.

Even if you don't do business in the EU, you may still be legally obligated to comply with GDPR requirements. If your business has a website, it could (at least potentially) reach people in Europe. If your site uses cookies, it may be collecting IP addresses, browsing history, or other information from site visitors. If your site includes webforms or allows comments, it probably collects names or usernames and email addresses.

Any organization that collects (or can potentially collect) personal data of a person in the EU is legally bound by GDPR.

If you have a website, that probably includes you.

This blog is designed to help you understand GDPR and to provide additional resources. It's longer and more detailed than our usual blogs, but stay with us. Our goal is to give you a clear, understandable summary of what you need to know by answering four questions:

  • What is GDPR?
  • What is GDPR designed to accomplish?
  • What are the GDPR requirements?
  • What should you do to prepare for GDPR compliance?

What is GDPR?

The 28 member nations of the European UnionThe General Data Protection Regulation (GDPR) is legislation enacted in the European Union on April 16, 2016. It becomes enforceable law on May 25, 2018.  GDPR recognizes the value of personal data in a global, information-driven economy.

GDPR provides a uniform set of regulations for data protection and privacy that apply equally across all 28 member nations of the EU. It defines and restricts how organizations may collect, process, transfer, and retain the personal data of all individuals within the European Union. But GDPR's reach extends beyond the borders of the EU.

Any organization that collects any personal data or tracks information or behavior (even through website cookies) about people in the EU is subject to GDPR. GDPR has the force of law whether or not the organization has a physical presence in the EU. No financial transaction must occur for GDPR provisions to apply.

GDPR does have two exceptions though. Its provisions do not apply to—

  1. Personal data of non-EU subjects (for example, Americans)
  2. Personal data of EU subjects who are outside of the EU when the data is collected

Penalties for infractions are severe: up to 20 million euros (24.9 million US dollars) or 4% of a company's annual revenue for the previous year—whichever is greater.

This threat of hefty fines plus the looming deadline for compliance has many US organizations scrambling to understand how GDPR affects them. Of course, the impact of GDPR will vary greatly depending on the type and size of an organization and the amount of data it collects and/or processes. GDPR will massively impact a large company that collects huge amounts of personal data, especially if much of that data comes from people in the EU. A US company that may potentially have an occasional website visitor from the EU may be only minimally impacted. But both companies need to understand the GDPR and take any necessary actions.

The first step is defining GDPR's basic terms.

GDPR's Important Terminology

Term Definition Example
Data Subject A "natural person" who can be directly or indirectly identified by a name or username; location data; genetic, physical, or other identity Sharon Jones, Caucasian, "SJones187," geo location, etc.
Personal Data Any information relating to an identified or identifiable data subject Gender, age, address, photo, shops at a certain store, buys a specific brand of coffee, likes cats, plays tennis, etc.
Sensitive Personal Data Personal data about especially sensitive topics such as race or ethnicity; political, religious, or other philosophies or beliefs; organizational memberships, interests, or participation; health, sex, or sexual orientation, etc. Fingerprints or scans, religion or political party, union or other group membership, sexual or medical information.
Processing Anything that is done with personal data or sensitive personal data Any and all collection, sharing, transferring, using, modifying, storing, or deleting of personal data or sensitive personal data.
Data Controller Any entity that collects and determines the need and use of personal data A bank collects personal data for a mortgage application. A company collects information for the sale of an online product or service. A website collects information through cookies. 
Data Processor Any entity that processes personal data based on the instructions of a data controller. A loan company uses data collected by the bank to evaluate a mortgage applicant's credit-worthiness. A marketing firm analyzes data from a company's online sales or website statistics to develop a marketing plan.
Pseudonymous Data Personal data that cannot identify a specific data subject without additional data, which is securely stored in a separate location to preserve anonymity. A data subject visits a secure website. The data subject's IP address is recorded and linked to pages the subject views; the IP address is hashed so that it cannot identify the data subject without access to additional information that is securely stored in separately-secured location.
Anonymous Data Data that cannot ever be connected to a data subject A company asks for online feedback about a service it has provided. The company collects no information about the persons providing feedback, not even IP addresses, and cannot identify anyone who has given feedback.

These terms define the data subjects and data handlers as well as the types of data GDPR regulates. Now let's look at the goals GDPR is designed to achieve.

What Is GDPR Designed to Accomplish?

GDPR protects the privacy and personal data of all individuals (data subjects) within the European Union. It gives those individuals specific rights and controls over their personal data.

The following list summarizes the rights GDPR protects for individuals in the EU:

  1. The right to transparency in consent—People have the right to be told in clear, specific language what information is being collected and for what purpose it will be used.
  2. The right of access—Individuals have the right to access their full data profile from information controllers and information processors along with clear explanations about how their data is being used.
  3. The right to object—Under certain circumstances, individuals have the right to object to their information being used for profiling or direct marketing.
  4. The right to protection from automated decision—Individuals are protected from potentially damaging decisions based on data processing without human intervention.
  5. The right to data portability—Individuals have the right to receive back data they have previously provided in machine-readable format and to transfer that data to another data controller of their choice.
  6. The right to correction—Individuals have the right to have personal data corrected if it is incomplete or incorrect.
  7. The right to erasure—Also called the right to be forgotten, this right enables an individual to request that personal data be deleted if it is no longer needed by a data controller or data processor or if the data subject withdraws consent.
  8. The right to restrict processing—Individuals have the right to block or "suppress" the processing of personal data.

In order to protect these rights, GDPR imposes obligations and restrictions on organizations that collect and process personal data.

What Are the GDPR Requirements?

A word of caution is advisable here. While we hope this summary is helpful, it is just that: a summary. It's an overview to help you approach GDPR with better understanding. You and your legal advisors should go directly to the legislative text of the GDPR for complete information before drawing conclusions or taking action.

GDPR requires data controllers and data processors to establish policies and procedures and to take actions that assure the privacy and rights of data subjects. Some requirements apply specifically to either data controllers or data processors, while other provisions apply to both. The list below summarizes the most salient GDPR requirements.

  • Requirements for Consent—Consent forms must state clearly and unambiguously (without "long illegible terms and conditions full of legalese") what data is requested, why the data is necessary, and how it will be used. Consent must be an explicit, affirmative statement, not merely implied consent. Organizations must be able to prove that they have obtained explicit consent.

  • Limitations on Data—Organizations must have a lawful reason to collect data, and only the necessary data may be collected. Data may not be used for any purpose other than that for which consent was given. Data must be kept current and correct and must be deleted when it is no longer needed.

  • Privacy by Design—When organizations plan and/or implement new products, services, or processes, they must be designed to comply with GDPR requirements.

  • Privacy by Default—Organizations are required to choose the most "privacy friendly" option whenever they collect, process, transfer, or take any other action with personal data. Organizations must, for example, choose less data and less processing instead of more, shorter retention time instead of longer, and give data subjects the greatest possible control over their personal data.

  • Security—Organizations must implement security measures to assure that personal data is protected against any unauthorized use, disclosure, transfer, theft, loss, change, or other security compromise. Data controllers must be able to demonstrate compliance with the GDPR by keeping records of data processing activities and privacy impact assessments and by securing compliance contracts with data processors. They may also be required to appoint a Data Protection Officer. Data processors may process data only as instructed by data controllers and may not share or transfer data without consent of data controllers. Data encryption and pseudonymization are not required but are encouraged as security measures.

  • Notification of Data Breach—In the event of a security breach, data controllers must notify their data protection authority as soon as possible and no later than 72 hours after becoming aware of the breach (unless no harm is likely to result to data subjects). If the risk to data subjects is high, data controllers are required to notify data subjects as soon as possible. Data processors are required to notify data controllers as soon as possible of any security breach.

Details of these and other requirements can be found in the GDPR text. With the enforcement date fast approaching, now is the time to make sure you are prepared for GDPR compliance.

What Should You Do to Prepare for GDPR Compliance?

As an introduction to this section, we again begin by advising caution. This time, though, we offer not just one but four cautionary statements.

  1. Your legal counsel should help you determine how GDPR applies to your business and what actions are necessary for compliance.
  2. Many reputable companies are offering GDPR compliance services. Ironically, though, anything regarding data seems to be a magnet for fraud. Beware of GDPR consultants charging enormous fees for patchy advice.
  3. Despite the looming deadline for enforcement, don't rush. Be thorough in your assessments and thoughtful about changes to policy and privacy statements.
  4. In the process of caring about personal data, don't lose sight of caring about the person. Keep reading. You'll see what we mean.

Despite the two-year preparation time between GDPR's passage and the compliance date, organizations on both sides of the pond are still rushing—and investing huge sums-—to meet the May 25th deadline. Large tech companies that collect and/or process huge amounts of personal data have the most work to do—at the highest cost. One survey reported that 68% of US companies expect to spend between $1 and $10 million on GDPR compliance. An independent survey by the Ponemon Institute reports that the average annual budget for GDPR compliance is $13 million.

Despite much effort and expense, Janco claims that due to a lack of both resources and skills, 1 in 3 companies will not meet the deadline. US readiness looks even bleaker, with only 29% of US companies saying they are "very ready to comply with GDPR." Unpreparedness, though, is not necessarily good company since 71% of those same companies worry that "failure to comply would have a detrimental effect on their global business capabilities."

Compliance plans are specific to the type and size of an organization. With that in mind, here are some general steps in the process:

  1. Form a team with members representing each part of your organization. Team members need to know what data your company collects and/or processes and to promote buy-in from other personnel in their departments. If your company will be required to appoint a Data Protection Officer, that person will likely be your team leader.
  2. Analyze the data you hold and the sources through which it is acquired. Each departmental representative is important so that no data source is ignored. Consider, for example, the data that has been acquired without formal consent through sources like job applications, emails, website forms and comments, web cookies, and other sources. Most organizations possess much more personal data than they realize.
  3. Review your current privacy practices in light of GDPR requirements. Your inbox, like ours, has probably been flooded lately with emails about "Changes to our Terms of Service" and "Updates to our Privacy Policy." Seek legal counsel as needed to decide if changes may be necessary to your policies.
  4. Review your consent forms. This task may be even more difficult than it seems. An "explicit, affirmative statement" may meet GDPR requirements to protect personal data without communicating effectively to a person. While researching this blog, I interviewed a student who had signed up for an online course but never received her confirmation email with course access information. The GDPR-compliant consent form asked, "Do you consent to receive marketing information by email from [Organization Name]?" The user did not want to receive advertising and left the box unchecked. After four frustrating phone calls, trying to get access to her course, she was told the problem was that she had not given the company consent to email her. Compliance may have succeeded, but communication had failed.
  5. US companies will also have to consider their use Cookie policies may have to be reviewedof website cookies. EU-based websites frequently block site access until a user consents to cookies. Whether GDPR's consent definitions will increase cookie consents remains to be seen.
  6. Data breaches incur serious penalties under GDPR. Review your procedures to prevent and, if necessary, to detect, analyze, and report any data breach.
  7. Develop and implement policies and procedures for Security by Design and Security by Default.

Again, this list of steps is just an overview. Below you will find additional resources we hope will be helpful.

GDPR Resources

We at Covenant hope this blog has helped to give you a basic understanding of GDPR, what it requires, how it might apply to your organization, and how you might begin to prepare for GDPR compliance.