Anytime a sweeping new law goes into effect throughout the European Union, there will be questions and concern regarding who the law applies to and how it is to be implemented. When the subject matter is something as timely and politically volatile as consumer data protection requirements, the level of overall anxiety rises considerably. That’s why we are putting together the GDPR FAQ. Here are the answers to the questions most people are asking about the GDPR.
The GDPR FAQ: All the questions that baffle you
GDPR FAQ 1: What is GDPR?
Answer: GDPR, which stands for General Data Protection Regulation, is a comprehensive privacy regulation passed in April 2016 by the European Parliament, the Council of the European Union, and the European Commission with the intent to strengthen and unify data protection for all individuals within the European Union (EU). The regulation also aims to give citizens greater control over their personal data, as well as to simplify regulatory reporting for international businesses by standardizing reporting within the EU. Replacing the Data Protection Directive 95/46/EC, the GDPR goes into effect on May 25, 2018.
The goal of the GDPR is to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy, and to reshape the way organizations across the region approach data privacy.
GDPR FAQ 2: What constitutes personal data?
Answer: The GDPR defines personal data as “any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.”
Under this definition, any number of different personal identifiers fall within the meaning of personal data. The most prominent identifiers include a person’s name, a specifically assigned identification number, accumulated data revealing a specific location, or online identifier data.
Other examples of online personal data include:
- Email address
- Phone number
The goal is to adapt to rapidly changing ways that organizations utilize technology to harvest information about individuals.
Article 9 of the GDPR refers to sensitive personal data as belonging to “special categories of personal data”, which include genetic and biometric data used to uniquely identify an individual.
GDPR FAQ 3: What types of business does GDPR affect?
Answer: The GDPR impacts more businesses than most people realize. The law applies to everyone who has EU customers and clients, as well as to any company whose clients’ clients live in the EU. If the question is who is subject to GDPR, the answer is virtually everyone.
GDPR FAQ 4: If I don’t have EU clients/customers but my clients do, should I be GDPR compliant?
Answer: Yes. The standard is whether or not your company “actively pursues” EU residents, which encompasses a wide range of business behaviors, including:
- Accepting the currency of an EU country
- Offering shipping services to an EU country
- Owning a website with a domain suffix associated with an EU country
- Providing marketing in the language of an EU country
GDPR FAQ 5: Do all organizations now have to appoint a Data Protection Officer (DPO)?
Answer: It depends on what kind of organization you are running.
Virtually every public sector entity will be mandated by the GDPR to appoint a Data Protection Officer. For private sector companies, the law specifies a test to determine whether the hiring of a DPO is optional or mandatory.
The designation of a DPO will only be mandatory if the core activities of the private sector organization consist of (i) processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or (ii) processing on a large scale of special categories of data or data relating to criminal convictions and offenses.
The regulations show a clear preference for all organizations to utilize the best practice of hiring a DPO regardless of the circumstances. Additionally, members are encouraged to implement broader DPO requirements than those set forth by law.
GDPR FAQ 6: What rights will individuals have under GDPR?
Answer: All individuals will enjoy heightened rights under the GDPR, in addition to those already set forth by current law. A major new right is the right to object to automated processing (profiling) based upon legitimate interests. In response to one of the most frequently asked questions: the right to be forgotten will become the right to erasure, which enables data subjects to request that their personal data be erased “without undue delay”.
Finally, the new law requires that all Subject Access Requests must now be free of charge.
GDPR FAQ 7: What if my business is related to children?
Answer: The GDPR will substantially change adult citizens’ rights over their personal data. The changes are even more comprehensive when it comes to protecting the privacy of children. The GDPR introduces sixteen as the minimum age at which a minor can join an online service without obtaining parental consent.
GDPR FAQ 8: In light of Brexit, will the UK still be subject to the GDPR?
Answer: Yes, despite the many intricate issues involving Brexit, the UK will still adopt the GDPR standards along with the rest of the EU. The UK is committed to passing a virtually identical law to deal with post-Brexit concerns called the Data Protection Act.
GDPR FAQ 9: How does the GDPR affect data breaches?
Answer: The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data”. This definition extends to an incident resulting in even a temporary loss of personal data.
The duties of organizations under GDPR are clear. Upon any data breach, as defined above, there is an absolute requirement to notify data protection authorities without undue delay, within 72 hours of identification. The notification requirement applies even where a breach of personal data is merely plausible and may present a risk to data subjects. Organizations must also communicate information regarding breaches to affected data subjects without undue delay. There is some question as to when an organization is deemed to have become aware of a breach, which will undoubtedly be the subject of vigorous litigation shortly.
GDPR FAQ 10: What if a company fails to follow the GDPR’s requirements?
Answer: The penalties for failing to adhere to the mandates of the GDPR are substantial. Under new GDPR regulations, organizations can be fined up to 10,000,000 Euro or 2% of worldwide annual turnover, whichever is higher, for failure to adequately notify the necessary parties of a personal data breach.
Also, organizations may be subject to fines for failing to take sufficient security measures to protect personal data; these fines can be up to 20,000,000 Euro or 4% of worldwide turnover, whichever is higher. These fines are reserved for the most extreme cases where the failure includes a breach of fundamental data protection principles.
GDPR FAQ 11: Does the GDPR apply to both big and small businesses?
Answer: Contrary to the popular misconception among many FAQ sections online, the GDPR standards will apply to any business that processes the personal data of EU citizens, including those with fewer than 250 employees. There is no exemption for any organization based on size or function.
GDPR FAQ 12: When will the GDPR come into effect?
Answer: The GDPR will formally go into effect on May 25, 2018.
The changes GDPR demands are above all fair and geared towards the protection of consumer rights. The new regulations not only apply to those businesses operating in Europe but also to any company globally interacting with consumers who reside in Europe. Every e-commerce transaction must comply with GDPR, and every company will need a crystal clear data policy in 2018. The GDPR FAQ is a perfect way to understand to what extent it affects eCommerce and how to start organizing your company’s data processes to reach compliance.
Not sure of the steps to become GDPR compliant? Check out our recent post on the GDPR checklist for eCommerce.