On September 26, Priori technology and privacy attorney Sid Rao led a roundtable discussion for in-house counsel on compliance with the General Data Protection Regulation (GDPR), which becomes enforceable on May 25, 2018.
Key takeaways from the first part of the event are below:
1. GDPR Basics
GDPR vs. Data Protection Directive. The Data Protection Directive (Directive 95/46/EC) is the predecessor to the General Data Protection Regulation (GDPR). Privacy is a fundamental right under both regimes, but the GDPR features a few key changes:
- Scope of application. The Data Protection Directive was geographically defined, whereas the GDPR is activities-based (Article 3). It applies to organizations established in the EU, and also to organizations outside the EU that offer goods or services to, or monitor the behaviour of, data subjects who are in the EU. As a result, the GDPR is effectively a global regulation: it reaches anyone collecting or processing the personal data of people in the European Union, wherever the organization itself sits.
- Directive vs. Regulation. In the EU, a directive asks member states to pass implementing legislation, but a regulation is, itself, the law. Accordingly, the Data Protection Directive operated as a floor for member states' own legislation, which meant practitioners needed to know the ins and outs of each state's law. When the GDPR becomes fully enforceable, however, it will be a single EU-wide law, supporting a single digital marketplace.
- Enforcement & Fines. The fines under the GDPR are both draconian and discretionary. There are two tiers of possible fines (Article 83): (a) up to 20M Euros or 4% of worldwide annual turnover for the preceding financial year, whichever is higher, for breaches of the basic principles, data subject rights, and transfer rules; and (b) up to 10M Euros or 2% of worldwide annual turnover, whichever is higher, for breaches of controller and processor obligations such as record-keeping, security, and breach notification. As an example of how the fine regime differs from the Data Protection Directive: in November 2016, Tesco Bank in the UK was hacked and roughly 2.5M Pounds were stolen from customer accounts. At the time, the UK Data Protection Act capped fines at 500,000 Pounds. Experts today predict that the same incident under the GDPR could have drawn a fine of up to 1.9B Euros.
- Reporting. Under the Data Protection Directive, companies were required to notify high-risk data processing activities in advance to the various member-state Data Protection Authorities for prior checking. Under the GDPR, companies instead maintain an internal record of processing activities (Article 30) to be made available to regulators upon request. Note that high-risk processing is not exempt from advance work: it requires a data protection impact assessment (Article 35), and where the assessment shows residual high risk, prior consultation with the supervisory authority (Article 36).
2. When does the GDPR Apply to a Company?
The central question is whether a company is collecting or processing the personal data of people in the European Union. If it is, in any way, then the GDPR applies to that company, regardless of where the company is located. It is useful to think of this in terms of activity: rather than doing an inventory of all company data, consider doing an inventory of the different types of processing activities the company engages in, each with its purpose, categories of data and data subjects, recipients, retention period, and security measures. The French Data Protection Authority's (CNIL's) Article 30 template provides a helpful example of this type of analysis.
3. Key Concepts
The GDPR focuses on basic principles (Article 5): lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality of data; and accountability for demonstrating all of the above. The principles are broad, and the GDPR is largely silent on how to implement them. Key concepts are below:
Privacy by Design. GDPR Article 25 mandates data protection by design and by default, but does not spell out what that means in terms of implementation. What it does say is that companies should consider the state of the art, the cost of implementation, and the nature, scope, context and purposes of processing in order to make fact-sensitive decisions; pseudonymisation is the one technical measure it names. Many companies think of privacy by design as merely a question of updating their technology and encryption, but it is important to build the principles into the system itself rather than simply applying updates and upgrades. For example, a social media company might satisfy the "by default" requirement by having new profiles default to the most restrictive privacy settings, so that only the minimum personal data is visible unless the user chooses otherwise. That is privacy by design, but not a pure technology fix.
Valid Purpose. Under the GDPR, companies can only collect or process personal data if they have a lawful basis for doing so (Article 6), of which there are six: (a) the data subject has consented; (b) contractual necessity; (c) compliance with a legal obligation; (d) vital interests (i.e. life-and-death scenarios); (e) a task carried out in the public interest or under official authority; or (f) legitimate interests of the controller or a third party, balanced against the rights of the data subject.
Special Data. Like the Data Protection Directive, the GDPR elevates certain categories of data to special status (Article 9), including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health data, and data concerning sex life or sexual orientation. It is important to bear in mind that seemingly innocuous information could reveal, for example, a political position or a health condition and hence be treated as a special category of data.
Rights of Data Subject. Data subjects have a bundle of rights, including the right of access (Article 15), the right of rectification to correct inaccurate data (Article 16), the right of erasure (Article 17), the right to restrict processing (Article 18), and the rights to data portability (Article 20) and to object to processing (Article 21). As context for those rights, the GDPR is concerned with data protection broadly and not privacy in the narrow sense.