By now most organizations have at least started preparing for the General Data Protection Regulation (GDPR). It has been a huge topic in the news and will change how any company that handles personal data operates, and very few organizations will be untouched by it. The European Union's GDPR goes into effect on May 25, 2018, and many US-based corporations have been dragging their feet on updating their security and compliance programs. If you are in the camp that has put off preparing for the new regulation, there is still time. In the age of social media, high-speed internet, and global commerce, the GDPR will almost certainly affect you and your business processes.
What data is protected under the GDPR?
All personal data is protected under the GDPR. Article 4 (1) of the GDPR states:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
This definition is very broad and all-encompassing. Personal data, as covered under the GDPR, includes:
- Any information relating to an identified person, for example:
  - Driver’s license, employee ID, background check, credit score
  - Date of birth, address, phone number, email address
- Any information relating to an identifiable person.
With the simple addition of “identifiable,” data that could directly or indirectly lead to the identification of a natural person also becomes protected.
For example, let’s say Jane Smith purchases a vegan meal every day for lunch at a specialty deli. If Jane pays with a credit card, her card details make her directly identifiable to the deli. That also means her purchase history (e.g. deli location, date and time, amount paid and meal preferences) becomes personal data, because as long as the deli holds the card details it could link every one of those records back to Jane.
Other data may be considered personal data
There are other instances where collected data could fall within the personal data category:
- Recital 24 states: The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behavior of such data subjects in so far as their behavior takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours, and attitudes.
- Recital 30 clarifies “online identifier” as mentioned in the Article 4 definition of personal data as: Natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
This is where it becomes a bit tricky. In this instance, Jane is in a large retail store. Is the in-store Wi-Fi tracking data personal data? Retail stores use Wi-Fi scanners to track shoppers’ smartphones: as a shopper walks through the store, the scanner logs data such as device type, MAC address, whether the device has been seen before (new or repeat shopper), and in which section of the store the device spends the most time.
Behavioral analysis: the retail store collects this data in order to understand how its shoppers behave, i.e. to profile them in the sense of Recital 24. That alone makes it likely to qualify as personal data.
Online identifier: the collected data also falls under Recital 30, because a MAC address is an identifier provided by the device itself, exactly the kind of identifier the recital lists alongside IP addresses and cookie identifiers. It is stable across visits, so every sighting of the same MAC address can be linked into a profile of one natural person, even if the store never learns that person’s name.
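The following is an added illustration, not code from the original article or from any retail tracking product. It takes a constructed log of Wi-Fi scanner sightings (the timestamps, MAC addresses and zone names are invented, and the row layout is an assumption rather than a real vendor format) and derives the per-device profile the text describes: how many days the device was seen, whether it is a repeat visitor, and which section it dwelt in longest. The point is that no name is needed anywhere; the stable MAC address is enough to turn a pile of sightings into a behaviour record about one person.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of what an in-store Wi-Fi scanner might log: one row per
# probe sighting as (timestamp, device MAC, scanner zone). These rows and the
# field layout are invented for illustration only.
SIGHTINGS = [
    ("2018-05-01T12:01:00", "aa:bb:cc:11:22:33", "entrance"),
    ("2018-05-01T12:03:00", "aa:bb:cc:11:22:33", "deli"),
    ("2018-05-01T12:15:00", "aa:bb:cc:11:22:33", "deli"),
    ("2018-05-01T12:17:00", "aa:bb:cc:11:22:33", "checkout"),
    ("2018-05-02T12:02:00", "aa:bb:cc:11:22:33", "entrance"),
    ("2018-05-02T12:04:00", "aa:bb:cc:11:22:33", "deli"),
    ("2018-05-02T12:20:00", "aa:bb:cc:11:22:33", "checkout"),
    ("2018-05-02T15:30:00", "de:ad:be:ef:00:01", "entrance"),
    ("2018-05-02T15:31:00", "de:ad:be:ef:00:01", "electronics"),
    ("2018-05-02T15:40:00", "de:ad:be:ef:00:01", "checkout"),
]


def build_profiles(sightings):
    """Group sightings by MAC address and derive per-device behaviour.

    For each device we report the number of distinct visit days, whether it is
    a repeat visitor, the zone with the most accumulated dwell time, and the
    dwell time per zone. Dwell in a zone is counted from one sighting until the
    next sighting of the same device on the same day; the last sighting of a
    visit therefore contributes nothing.
    """
    by_mac = defaultdict(list)
    for ts, mac, zone in sightings:
        by_mac[mac].append((datetime.fromisoformat(ts), zone))

    profiles = {}
    for mac, rows in by_mac.items():
        rows.sort()  # chronological order per device
        dwell = Counter()
        for (t0, zone), (t1, _) in zip(rows, rows[1:]):
            if t0.date() == t1.date():  # only link sightings within one visit
                dwell[zone] += int((t1 - t0).total_seconds())
        days = {t.date() for t, _ in rows}
        profiles[mac] = {
            "visits": len(days),
            "repeat": len(days) > 1,
            "top_zone": dwell.most_common(1)[0][0] if dwell else None,
            "dwell_seconds": dict(dwell),
        }
    return profiles


if __name__ == "__main__":
    for mac, profile in build_profiles(SIGHTINGS).items():
        print(mac, profile)
```

Note that replacing the MAC address column with a hash of the MAC address would not change what this function produces: the hash is just as stable, so it still links every visit of the same device together. Recital 26 of the GDPR treats such pseudonymised data as personal data whenever it can still be attributed to a person with additional information, so hashing the identifier is a useful safeguard but not a way out of the regulation.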
Consent for data capture
Data capture will most likely have the largest impact in the initial wake of the GDPR going into effect. With data capture being an essential part of many businesses, the GDPR has strict requirements on what consent for data capture really means. Recital 32 states: “[c]onsent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.”
No longer will companies be able to automatically opt people into receiving their newsletter and gone are the days of the pre-checked boxes that flood your email with coupons.
The consent requirement does not stop there. Consent must be specific to the purpose it was given for, so if you want to use data you already hold for a new purpose, you need fresh consent for that purpose (or another lawful basis for it). A one-time ‘blanket consent’ is no longer acceptable, and the planned processing must be explained when consent is requested.
There are also cases where the bar is higher. Consent for processing the personal data of a child in connection with online services must be given or authorised by the holder of parental responsibility for children under the age of 16 (Article 8; Member States may lower this age, but not below 13). Explicit consent is required for the special categories of personal data in Article 9, such as racial or ethnic origin, religious beliefs, political opinions, trade union membership, genetic and biometric data, health data, and sex life or sexual orientation.
The right to be forgotten
Also covered in the GDPR is the right to be forgotten, or the right to erasure. It sits alongside the rule that consent can be withdrawn at any time (Article 7): once an individual asks for their data to be erased, a business must comply without undue delay unless it has a compelling reason to continue processing, such as a legal obligation to retain the data. Under Article 17 of the GDPR, the right to erasure applies, among other grounds, when:
- The personal data is no longer necessary in relation to the purpose for which it was originally collected or processed.
- The individual withdraws the consent the processing was based on, and there is no other legal ground for continuing to process the data.
- The personal data has been unlawfully processed, in breach of the GDPR.
- The data must be erased for the controller to comply with a legal obligation it is subject to. For example, a law that requires certain data to be deleted after a set period of time.
A controller that has made the data public must also take reasonable steps, including technical measures and taking account of the available technology and cost, to inform other controllers processing that data that the individual has requested its erasure, including erasure of any links to or copies of it.
How could it affect my US-based business?
Article 3 of the GDPR states:
- This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
- This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behavior as far as their behavior takes place within the Union.
- This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
To summarize: if your company has an establishment in the EU, the GDPR applies to its processing wherever that processing takes place. If it does not, the GDPR still applies whenever you offer goods or services to people who are in the EU, or monitor the behavior of people while they are in the EU. The test is where the data subject is at the time of collection, not their citizenship. Data collected from EU citizens while they are outside the EU, for instance while on vacation in the U.S., purchasing or registering for something there, is not covered by the GDPR.