With great data comes great responsibility. To help you stay ahead of the shifting GDPR guidelines, we put together a guide to staying compliant in 2020.
Mario Alfaro, January 7th, 2020
In today's digital society, the way companies handle data is under scrutiny. Privacy feels more like a luxury rather than a right, where data breaches frequently expose the personal data of millions of people, and companies sell it to the highest bidder.
At best such breaches result in unwanted advertising. At worst, people's private information is sold on the dark web. Either way, it is an unsettling thought, and to address the growing concerns over its citizens' data, the European Union introduced the General Data Protection Regulation (GDPR).
This regulation addresses how companies should handle their customers' data, as well as the rights data subjects have over the way it is used. The consequences for not complying with the new regulation are, understandably, quite strict. To help you navigate through GDPR and to avoid millions in fines, the following guide will cover the following chapters:
The European Commission sought to define new and more effective objectives for data protection in Europe, and GDPR was a way to adapt and transform existing laws to address emerging issues in an increasingly digital world.
The laws are designed to give EU residents control over their personal information and create a regulatory environment for businesses and residents in which there is a clear framework of rules regarding the handling of personal data.
By setting a new standard for personal data handling, the companies that handle the data were faced with the challenge of aligning their systems and processes with the new laws.
Personal data is the core subject of GDPR. While there is no definitive list of what is or what is not considered personal information, Article 4(1) of the GDPR defines it as “any information relating to an identified or identifiable natural person (data subject).”
The GDPR also specifies that:
“An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
What the GDPR addresses, in this case, is any information that makes it possible to identify an individual. There are, however, disputes over what information can be used to identify a person.
For example, political opinions or an IP address could be considered as personal information, but this is also a matter of perspective. Defining what information can be classified as personal data is essential to staying compliant.
When it comes to the protection of consumers' data, the GDPR sees companies and organizations as responsible.
The GDPR applies to all businesses and organizations established in the European Union, regardless of whether personal data is processed in the European Union or not. The essence of this regulation is to give the power over personal data back to the people, and to make data processing much more transparent and lawful.
One of the many requirements under GDPR is that all companies and businesses must keep a record (e.g. in form of registry) of their personal data processing activities.
The idea behind the requirements set in GDPR is to get companies to think about privacy and data security questions when providing the service or developing products. So, privacy would become an integral part of the service or goods offered.
GDPR demands changes in company paradigms and continues to urge companies to prioritize the protection of personal data. Below are the first steps to doing so:
The first step to fully complying with GDPR legislation is understanding the legal requirements of the GDPR. For starters, it is recommended that a compliance audit be done to test whether a business is fully compliant with GDPR or not.
The main thing is to have well-trained and informed employees, as well as a person who will be responsible for data protection questions. This individual could be a Data Protection Officer (some companies are obliged to appoint a DPO), whose task would be to explain the regulation and help to apply it to business processes.
All European countries have a Data Protection Authority. This is the body responsible for supervising the enforcement of GDPR regulation. One tool to help companies to demonstrate their compliance with Data Protection Authorities and keep track of processing in general is Data Processing Registry. Each company or organization needs to create a Data Processing Register to keep a record of all processing activities concerning personal data. This record (e.g. registry) is obligatory under GDPR.
The classification and evaluation of customer data are of vital importance. This means knowing who processes and controls information, what types of data are processed, how long it is retained etc. as well as assessing how this information is protected.
Applying security policies and evaluating data life cycles, from when it is collected until its destruction, is just a part of this critical step. It might also be necessary to complete a Data Protection Impact Assessment, Legitimate Interest Assessments, etc.
Understanding how to stay compliant as a business will be essential in 2020, and failure to do so comes with substantial consequences. Non-compliance can result in penalties up to €20 million or up to 4% of a company's annual turnover.
The consequences of not being GDPR compliant can be fines but also loss of trust.
Fines are calculated based on the severity of the breach. The most extreme cases involve infringement of a person’s data rights, where there has been an exchange of personal information without the authorization of the affected subject, or when the companies and organizations have not put the appropriate procedures to ensure the security of that personal information.
While monetary fines are measurable, trustworthiness is not. Today the trust that consumers place in companies is incalculable, and it can define the value of your business relationships. A breach could mean the loss of clients and partners, so securing their trust is invaluable for businesses.
Below are a few landmark examples of GDPR non-compliance fines in recent years.
British Airways paid one of the highest GDPR fines in 2018. The company faced a fine of £183 million for a data breach, during which British Airways web users were redirected from the official website to a phishing site.
As a result, personal data from over 500,000 people was compromised. The Information Commissioner's Office (ICO), the data protection authority of the UK, imposed a fine equivalent to 1.5% of the worldwide earnings of the company.
Like British Airways, the Mariott hotel chain suffered a data breach that landed them a steep GDPR fine of €110m. Their security breach resulted in over 380 million customers' data being leaked, including names, emails, phone numbers, passport details, and bank account information.
The French Data Protection Authority (CNIL) found Google guilty of breaching GDPR guidelines, resulting in a fine of €50m. The CNIL reported Google's "lack of transparency, inadequate information, and lack of valid consent regarding ad personalization" as the reason for the charges. Google decided to appeal the decision, but there is still no decision about it.
Naturally, no company wants to pay minor, let alone severe, non-compliance fines. And while all GDPR guidelines are available online, navigating through and correctly implementing this regulation can be tricky.
To help you align your activities with the primary objective of the General Data Protection Regulation, which is to give the public more control over the information that companies have about them, here are some ways to ensure that data subject’s rights are considered.
Companies must obtain a valid legal basis for personal data processing. For example, permission (consent) from the customer can be used. In case consent is used, it is best to make the asking of the consent as clear and explicit as possible and to communicate why the data is gathered and how it will be used.
The right to access data means that your customers have the right to know what data you have about them as well as how you are using it. For example, this also includes records of how and when they have given consent for personal data use, so it's best to keep this information handy.
In addition to the right to access their data, GDPR grants data subjects the right to rectify their data if it is inaccurate or incomplete. Businesses have a month to respond to these requests, but in some cases they may refuse the request for rectification.
According to GDPR guidelines, individuals can also exercise their right to have their personal data deleted. This right is also known as the “right to be forgotten”, but it is necessary to point out that this right is not absolute and can only be exercised under certain circumstances.
For example, data subjects have the right to exercise their right to be forgotten when their personal data is no longer necessary for the purpose that was originally processed. Alternatively, they can exercise this right when a company is processing personal data for the purpose of direct marketing and the data subject opposes such processing.
The GDPR grants subjects the right to restrict the processing of personal data. This is a right that can be exercised as an alternative to the right to be forgotten and is used in certain circumstances.
For example, if an individual objects to the accuracy of their personal data the company is in the process of verifying the claim, individuals can exercise their right to restrict their personal data processing until correctness is ensured. Another example is if a company no longer needs the personal data of an individual, but the individual exercises his right to keep this personal data in order to exercise or defend against a legal claim.
GDPR gives individuals the possibility to exercise their right to data portability, this means that data subjects have the right to receive their personal data that they have given to a certain company in a way that is organized, structured, and machine-readable. For example, social networks are obliged to offer the possibility to the data subject to download their information in machine-readable format to be used with another social platform.
It is also possible that data subjects will ask the controllers of their personal data to send their personal data directly to another company.
The regulation allows data subjects to object to the processing of their personal data at any time. Specifically, it is possible to object to certain types of personal data processing, such as direct marketing.
Automated decision-making is an automated form of decision-making that uses profiling to exclude human participation. One example of this is profiling, an activity dedicated to analyzing the fundamental aspects of an individual's personality, behaviors, interests and daily habits to make predictions or decisions based on them.
Profiling is defined by the GDPR as:
“Any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”
Some organizations obtain personal information about people from cell phone behavior, social networks, internet searches, shopping behavior, and other sources. They analyze this information and use it to classify people into different groups. By analyzing these groups, companies find patterns in the behavior and personal characteristics of subjects.
In addition to acquiring consent for profiling activities, Article 22 of the GDPR has additional rules to protect data subjects. If one of your processing activities falls under Article 22 of GDPR, you should follow this:
These are just some of the measures or guidelines that companies and organizations must take into account to comply with the rules that GDPR imposes. To obtain more information about GDPR and ensure compliance it is advisable to hire a DPO.
With great data comes great responsibility.
In addition to accommodating the rights of data subjects’ when it comes to how their data is used, companies are also responsible for protecting this data against security breaches and fraud. One way to do this is by working with digital security and fraud prevention experts like Veriff.
Mario Alfaro is a Legal Counsel at Veriff. He has been working in the legal field since 2013. He has developed his career from the banking sector, immigration law and human rights, and now focused on issues related to data protection.