Officially known as European Union Regulation 2016/679, the GDPR is a brand-new law that affects a very broad section of citizens, businesses, and government agencies. What are the implications of this new law? That is the big question on everyone’s mind, because the EU wrote it to contain all businesses that have any operating capacity within the EU, and that means US businesses will be affected by this law as well. While this law is too new to understand the full implications at date of this writing (June 2018). We will take some time over the next several weeks to review highlights in the law, and to study the intent behind the wording and structure of the GDPR. Hopefully in this exercise we will reach some ideas on best practices for all those that will be affected.
Data Protection History in the EU
Protecting data became an EU priority sometime around the turn of the century. After countless terrorist attacks in EU-based countries, many businesses and government agencies enacted major camera operations covering streets, buildings, and major infrastructure in an effort to thwart further attacks. From the beginning of it’s inception, the EU’s charter includes Article 8 (1), which states that the protection of processing data of people is a fundamental right, and the language asserts that the EU will govern protection activities. Originally, Directive 95/46/EC was the sole measure to protect personal data. But as the turn of century came, the EU quickly realized that the directive addresses a very limited scope (mainly payment transactions and financial applications) and did not go far enough in their opinion where it concerns digital content being captured.
The EU took several years to debate and construct a solution, but 2016/679 replaces 95/46/EC, and is written more broadly to cover all aspects of data collection involving people.
What Changed in the Old Law?
The major changes concern the broad interpretation of data. Prior to the Digital Age, data was linked to computers processing transactions of people, as stated previously. Much of this was related to financial processing, so the original law really focused on that industry. Now, with the advent of digital data in almost every industry, as well as the proliferation of it’s sharing between various entities, the EU has decided to re-write its original view of what constitutes data, and that means they’ve considered and incorporated every possible data and access point that captures personalized data of any kind.
The second major change in the law is that while the EU won’t require companies and people who capture personalized data to have a plan for mitigating that data preemptively, as soon as the EU discovers that they can’t honor requests from citizen to have that data removed from their systems, the fines begin to be issued. And the fines involved are massive, and have the potential to put the strongest, most risk-averse corporations out of business the minute the fine is assessed, which is structured as €20 Million at the maximum level, but can even be tied to percentages of annual earnings in EU nations, upwards of four percent.
This means that far more businesses and people are affected by the law, and that means people need to learn the law, how it applies to their data capturing scenario, and find appropriate ways of handling any potential requests.
How Does This Impact Business and Government?
The key impacts are concerning GDPR are the requirements it places on certain organizations, both public and private. First, all organizations that are impacted by GDPR will have to be assessed through what is called a Data Protection Impact Assessment (DPIA). This assessment is meant to understand the data the organization collects, how it is handled, stored, and managed. You can be sure that this process will be dictated by the EU, but likely will be carried out by third party vendors who are certified to conduct the assessments.
The second impact is that organization of a certain size will have to hire their own full-time Data Protection Officer (DPO). These people will have to be trained on the GDPR, and how to comply with it. Organization that don’t meet the criteria for a full-time, in-house DPO are going to have contract for services from an organization that has available DPO staff.
As you can see, this is a regulation that has essentially created an entirely new industry, and that can spell big problems for those that don’t adopt early.
The goal is to expunge (i.e. delete) as much personally identifiable data as possible, and to hold organizations accountable for doing so. But, the EU also granted some exemptions to GDPR processes in certain instances. Much of those exemptions can be found in Subsections 45 (concerning medical/public welfare/disaster concerns, 50 (scientific/historical & scientific research), 52 (employment/social protection law), and carries on into subsequent sections reaffirming the various exemptions.
In Article 2, Subsection 2(d), the EU spells out that there are exemptions for law enforcement when it comes to following the procedures outlined in removing data. The language makes pretty clear that law enforcement will have wide latitude in not complying with the law, but there are additional sections that spell out that law enforcement, like all other entities being governed by the GDPR can be required to qualify the exemption on a case-by-case process.
In Subsections 86 and 88, there are paragraphs with dedication to reporting data breaches involving the data safeguarded by the GDPR, which require timely reporting, and full transparency with law enforcement authorities when they begin investigations. The motivation for such specific language arises from data breach scenarios where company mission and policy took priority over open reporting to law enforcement. Clearly, this is not something the EU wants repeated after they implemented the GDPR.
We’re merely touching on the surface of this regulation. It spans 88 pages in total, so there will be a lot more to discuss in future editions.
What the GDPR Doesn’t Address
The focus of the GDPR is on those entities collecting data in the process of business and official activities, that the EU believes shouldn’t be stored for a lifetime. The EU spent a great deal of time addressing those concerns. What they left out, and were intentional in doing so, was addressing private citizens collecting data for their own, specific purposes. The official EU explanation website cites an example where a citizen uses their address book to invite friends via email to an event. This falls under the household exemption. However, initial reactions suggest that not all activities by private citizens can be covered by this exemption. We’ll also explore that in later articles.
It also grants the EU Member States a major exemption, falling under the entitlements they have in a separate document, the Treaty of the European Union, in Title V, Chapter 2. We won’t go into the details here, but entire Chapter reads over numerous scenarios where, when applied to the GDPR, makes it so the Member States can grant themselves exemptions. There’s likely some good reasoning for this but considering how tight the GDPR was written for everyone else, it does come off as insulting on the surface.
The GDPR also has a major component to it that it doesn’t address: the limits by which it can be applied. While the regulation discusses general jurisdiction, it would appear it has been written well enough to be vaguely open to possible interpretation well outside the EU. And that means a lot of headaches for all businesses and government bodies outside the EU. Again, a topic we’ll specifically address in a later article.
The GDPR is a lengthy, complicated regulation that is trying to address major data collection and storage operations but is also trying to allow government to operate the way it would normally operate. While a lot of effort, time, and intelligent thought went into this regulation, the application of it is still very new, and it means that how it will apply to all is still going to be worked out over time. We can rest assured that much of the questions about how it applies have been well-thought out, but court challenges can always strike down, alter, or emphasize portions. The real challenge will be when jurisdictions outside of the EU have to weigh in, which may lead to closing the expansiveness of the regulation as it rests now.
Be safe out there!