The General Data Protection Regulation (GDPR) is a new regulation that becomes legally enforceable across all EU member states on 25th May 2018. It was created to replace the current directive and to protect individuals with regard to the processing of their personal data.
The regulation covers any company, irrespective of its location, that processes the data of an EU citizen, including UK companies post-Brexit. Penalties for breaches could be as much as €20 Million (or 4% of annual global turnover). Here is a brief 10-point guide to the legislation:
1. Personal data
The definition of personal data is extremely broad, as stated in the regulation's own definition:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
This also includes so-called ‘indirect identifiers’, which when combined with other data might identify an individual. So, for example, by using IP address, user ID, geo-locale, OS, browser, time of day and content being consumed, a company could theoretically, and with some accuracy, identify individual members of a household and whether they were at home or at work.
2. Communication and consent
The conditions for consent have been strengthened, and companies will no longer be able to use long illegible terms and conditions full of legalese. It must be as easy to withdraw consent as it is to give it.
GDPR imposes a number of additional communication requirements. When processing this data, the organisation is required to communicate the following information to the individual:
- data protection officer’s contact details
- details of the legal basis for processing (including any legitimate interests)
- how long data will be stored
- how to object to processing
- explanation of how profiling is done
Importantly, an exception applies where the provision of information “proves impossible or would involve a disproportionate effort”. In those circumstances, the organisation needs to take other “appropriate measures” instead, including making the relevant information publicly available. So privacy notices and data usage policies will need to be published in plain English on a company’s website.
GDPR permits data subjects to object to the processing of their personal data on a legitimate grounds basis. But, rather than the data subject having to demonstrate justified grounds for objecting, the controller must demonstrate “compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject”.
3. Breach notification
Breach notification will become mandatory where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. However, there is an exemption if there is unlikely to be a high risk to people’s rights or freedoms.
4. Right to Access
GDPR includes the right for data subjects to obtain confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. A copy of the personal data should be provided free of charge, in an electronic format.
5. Right to be Forgotten
A data subject has the right to request the deletion of his/her personal data, to have further dissemination of the data ceased, and potentially to have third parties halt processing of the data.
6. Data Portability
GDPR introduces data portability – the right for a data subject to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine readable format’, and the right to transmit that data to another controller.
7. Fines
There will be a tiered approach to fines. For example, a company might be fined a fraction of the 4% possible for not notifying the supervising authority and/or data subject about a breach, for not conducting an impact assessment, or for not having sufficient customer consent to process data. Repeated or multiple infringements will then likely escalate up to the maximum permissible.
8. Non-EU businesses
Non-EU businesses processing the data of EU citizens will have to appoint a representative in the EU, and the representative would carry liability for GDPR infringements. Expect strong contractual obligations with the representative, compulsory audits and costs proportional to the size of the risk.
9. Lawful bases
Under GDPR you must have a lawful basis in order to process personal data; these are:
- Consent – the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract – the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation – the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests – the processing is necessary to protect someone’s life.
- Public task – the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests – the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
10. GDPR & ePrivacy
ePrivacy is a complementary piece of European legislation to GDPR and is designed to address specific scenarios that exist in electronic communications. Whereas GDPR is there to protect personal data, ePrivacy is more concerned with a person’s private life and with ensuring a user’s privacy is protected during online interactions. In particular, it acts to clarify what companies can do in respect of unsolicited marketing, cookies and confidentiality. The rules around ePrivacy are still being defined (it will come in later than GDPR) and may affect, for example, marketers’ ability to send emails or texts without prior permission from the account holder.
Smartology as a solution
Smartology’s cookie-free solution enables clients to engage with an audience at the right time. The advertising industry has increasingly relied on retargeting and segmentation, both dependent on tracking an individual and their browsing habits, to target an audience. Smartology never has and never will process a user’s online data to target ads. Instead, our solution enables the advertiser to reach their target audience when they are most engaged with a subject, using Natural Language Processing to get the optimal positioning of advertiser messaging into publisher content.
ICO (Information Commissioner’s Office)