Whether you’re a fan of increased regulation or one of its detractors, the GDPR is about to become a reality that a lot of businesses will have to learn to live with. How many businesses? That’s a tough question to answer, but it is a good place to start when trying to understand how significant a change the GDPR is. But first, a short disclaimer: this isn’t a compliance guide for the GDPR, and you shouldn’t treat it as legal advice. For compliance assistance, consult legal professionals.
Who Needs to Worry About GDPR?
Everyone who already had to comply with the existing European data protection rules (the Data Protection Directive) should find the GDPR’s scope familiar. The Directive applied to organisations with an establishment in one or more EU member states that processed personal data in the context of that establishment. It also applied to entities outside the EU if they used “means of processing” located within the EU.
The real change in scope comes from the GDPR’s market-based test. Even if a company has no establishment in the EU and uses no means of processing within the EU, it can still be subject to the GDPR if it offers goods or services to (including marketing them to) people in the EU. The same goes for organisations that monitor the behaviour of people in the EU, for example through online tracking or profiling: they are subject to the GDPR whether or not they have an EU establishment.
This change alone shows how big a shift the GDPR brings. Companies that were able to stay outside EU data protection law by being established elsewhere and avoiding EU-based processing will no longer be able to do so if they intend to keep doing business in the European market.
What Type of Data Is Affected?
The definition of personal data in the GDPR is very similar to the one in the Directive. The Regulation is concerned with personal data: information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identifier such as a name or an ID number, or to factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity.
Within personal data, the GDPR singles out special categories of personal data (often called sensitive data), such as data about a person’s racial or ethnic origin, political opinions, religious beliefs or health, as well as genetic and biometric data. Genetic and biometric data are explicitly named in the GDPR; they were not mentioned in the Directive.
For marketers, the more important point is that location data and online identifiers (for example cookie IDs, device identifiers and IP addresses) are now expressly treated as personal data. Organisations that process such data are subject to the GDPR if they offer goods or services in, or monitor behaviour in, the EU market.
Data that has been fully anonymised, so that no person can be identified from it by any means reasonably likely to be used, is not personal data and falls outside the GDPR. Pseudonymisation is different: the data is processed so that it can no longer be attributed to a specific person without additional information (typically a key or lookup table) that is kept separately and protected. The GDPR encourages pseudonymisation as a security and data-protection-by-design measure, and it can help controllers meet their obligations, but pseudonymised data is still personal data and remains fully within the scope of the Regulation, because whoever holds the key can re-identify the people concerned.
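The difference between a keyed pseudonym and a plain hash is easy to get wrong, so here is an added Python example that is not part of the original article and not taken from any regulator’s guidance. It assumes a dataset keyed by e-mail address (the records, the addresses and the attacker’s guess list are all constructed), and shows three things: an unkeyed SHA-256 of an identifier is reversed by simply guessing plausible inputs, an HMAC-SHA256 pseudonym under a secret key cannot be reversed that way, and the controller holding the key can still re-identify the subject, which is exactly why pseudonymised data remains personal data.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed sample records; the people and e-mail addresses are made up.
RECORDS = [
    {"email": "Alice@example.com", "city": "Berlin", "orders": 3},
    {"email": "bob@example.com", "city": "Lyon", "orders": 1},
    {"email": "alice@example.com", "city": "Berlin", "orders": 2},
]

# Constructed list of addresses an attacker might plausibly guess.
GUESSES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def normalise(identifier: str) -> str:
    # Case and whitespace differences must not yield different pseudonyms.
    return identifier.strip().lower()


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256. This is NOT pseudonymisation in the GDPR sense:
    anyone can recompute it, so a guessable identifier is trivially reversed."""
    return hashlib.sha256(normalise(identifier).encode()).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Deterministic under one key, so records
    about the same person stay linkable for analytics, but without the key the
    value can be neither recomputed nor reversed by guessing."""
    return hmac.new(key, normalise(identifier).encode(), hashlib.sha256).hexdigest()


def pseudonymise_records(records: list[dict], key: bytes) -> list[dict]:
    """Replace the direct identifier with a pseudonym and keep the other fields.
    The key is the 'additional information' that must be stored separately from
    this output (e.g. in a secrets manager), otherwise the split achieves nothing."""
    out = []
    for r in records:
        rec = {k: v for k, v in r.items() if k != "email"}
        rec["subject"] = pseudonymise(r["email"], key)
        out.append(rec)
    return out


def reidentify_by_guessing(pseudonym: str, candidates: list[str], fn) -> str | None:
    """Dictionary attack: recompute fn() over guessed identifiers and compare."""
    for c in candidates:
        if hmac.compare_digest(fn(c), pseudonym):
            return normalise(c)
    return None


def demo() -> dict:
    key = secrets.token_bytes(32)  # per-dataset secret, held apart from the data
    pseudonymised = pseudonymise_records(RECORDS, key)
    target = naive_hash(RECORDS[0]["email"])
    return {
        # Records 0 and 2 belong to the same person and get the same pseudonym.
        "keyed_records_linkable": pseudonymised[0]["subject"] == pseudonymised[2]["subject"],
        # Plain hash: the attacker recovers the address from the guess list.
        "naive_hash_reversed": reidentify_by_guessing(target, GUESSES, naive_hash),
        # Keyed pseudonym, attacker without the key: no match.
        "keyed_reversed_without_key": reidentify_by_guessing(
            pseudonymised[0]["subject"], GUESSES, naive_hash),
        # Keyed pseudonym, controller with the key: re-identification works.
        "keyed_reversed_with_key": reidentify_by_guessing(
            pseudonymised[0]["subject"], GUESSES, lambda c: pseudonymise(c, key)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical points follow from the code. First, the protection rests entirely on the key: if the key is stored next to the pseudonymised table, or is reused across datasets that are later joined, the data is effectively identifiable again. Second, the pseudonym only hides the direct identifier; the remaining fields (city, order counts, timestamps) can still single a person out, so pseudonymisation is a safeguard, not a route out of the GDPR.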
When Can Data Be Processed?
To comply with the Regulation, any processing of personal data needs a lawful basis, must be transparent to the data subject, and must be carried out for a specified purpose. The lawful bases for processing personal data are:
- Contractual necessity — data processing is permitted if it’s performed in the context of executing or entering a contract;
- Vital interests (life or death situations) — processing is permitted if it’s necessary to protect someone’s life;
- Legitimate interests of the controller — the controller (or a third party) may process data where it has a legitimate interest in doing so, unless that interest is overridden by the interests or fundamental rights of the data subject;
- Compliance with legal obligations — processing is lawful if it’s necessary for compliance with legal obligations under EU law or state laws of EU members;
- Public interest — processing is lawful if it’s necessary for a task carried out in the public interest or in the exercise of official authority;
- Member-state provisions — EU member states may lay down more specific rules for processing that relies on the legal obligation or public interest bases above;
- Consent — arguably the most important basis for marketers; the GDPR sets new standards for what counts as valid consent, which are discussed in the next section.
What’s New with Consent?
As a lawful basis for data processing, consent allows an organisation to process data because the data subject (the person to whom the personal data relates) has given permission. For consent to be valid, it needs to be freely given, specific, informed and unambiguous.
If you want to make sure that you’re informing the subjects when asking for consent, at the very least you should provide the following information to them:
- The nature of data processing explained in plain language;
- The purposes of data processing;
- The identity of the controller, i.e. the organisation that decides why and how the data is processed.
Consent given without a genuine choice, or without the ability to refuse or withdraw it without detriment, is not considered freely given. Where there is a clear imbalance of power between the subject and the controller (a public authority or an employer, for example), consent is unlikely to be regarded as freely given. Making the performance of a contract conditional on consent to processing that isn’t necessary for that contract is another way of rendering consent not freely given.
Specific consent, in EU practice, means consent given for a clearly described processing operation and purpose. Blanket consent, or consent bundled across several unrelated purposes, is not considered specific.
Finally, consent needs to be given by a statement or a clear, affirmative action. This means that silence, inactivity, failure to opt-out, or any other passive way of acquiring consent will not yield consent that’s considered valid.
Consent Withdrawal and Other Rights
Data subjects, the people whose data organisations process, have a variety of rights under the GDPR.
In practice, people were already able to withdraw consent to data processing, even though the Directive didn’t spell out a right to do so. The GDPR does, and it also requires that withdrawing consent be as easy as giving it.
Under the Directive it was already implied that subjects had a right to basic information about why their data was being processed, along with the categories of data processed and whether, and to what type of organisations, the data would be disclosed. The GDPR expands those rights to include access to the following information:
- How long the data will be stored;
- The options for exercising the rights of erasure of data, rectification, or restriction of processing;
- The options for exercising the rights to file a complaint;
- The source of data, if it wasn’t collected from the subject;
- The existence of automated decision-making, including profiling, that affects the subject, together with meaningful information about the logic involved.
The ability of controllers to charge fees for access requests has been almost completely removed: a copy of the data must be provided free of charge unless the request is manifestly unfounded or excessive. Where the personal data being processed is inaccurate, the subject has the right to have it corrected.
Under the Directive, subjects could have their data erased or blocked if the controller was not complying with the Directive. Under the GDPR, subjects can request erasure if the data is no longer needed for its original purpose, if consent was withdrawn (where consent was the basis for processing), if they object to the processing and there are no overriding legitimate grounds, if the data was processed unlawfully, or if erasure is required by EU or member-state law.
Similarly, subjects have broader rights to restrict processing. They can request a restriction if the accuracy of the data is contested (while it is being verified), if the processing is unlawful but they prefer restriction to erasure, if the controller no longer needs the data for its original purposes but the subject needs it to establish or defend a legal claim, or if they have objected to the processing and are waiting for the controller to verify whether its legitimate grounds override theirs.
Subjects have the right to object to processing that is based on public interest or on the controller’s legitimate interests. In those cases the controller must stop processing unless it can demonstrate compelling legitimate grounds that override the subject’s interests, or the processing is needed to establish, exercise or defend legal claims.
Subjects also have a separate, absolute right to object to the processing of their data for direct marketing, including any profiling related to it; this right already existed under the Directive. A right to object also applies to data processed for scientific, historical or statistical purposes, unless the processing is necessary for a task carried out in the public interest. Controllers must inform subjects of their right to object, clearly and separately from other information, at the latest at the time of first communication.
Netfully Software Development are fully up to date with all GDPR laws and regulations. Get in touch today if you need any advice on how GDPR may impact your business.