The European Union’s General Data Protection Regulation (GDPR) will go into effect May 25, governing the way organizations use and store personal information. The regulation is centered on privacy and EU citizens’ rights to protect their privacy. As a result, organizations are required to fundamentally transform the way they do business to build in mechanisms that will preserve these rights in a seamless and demonstrable manner.
While the regulation focuses on the rights of EU citizens and residents, the global nature of business means its impact will be felt by companies worldwide. Whether or not they have major European operations, any organization that does or has done business with European citizens will be subject to GDPR enforcement.
Noncompliant organizations will be subject to penalties on a tiered scale. While there is still much to be learned about how each violation will be defined, the fine for less serious infractions is set at the greater of €10 million (about $12 million) or 2% of a company’s global annual revenue, and the greater of €20 million (about $24 million) or 4% of global annual revenue for more serious violations.
The regulation comprises 99 articles, each with multiple recitals or subcomponents. It is extremely dense and much of it is vague, offering little in terms of exact guidance as to compliance. What is clear is that EU citizens have specific enumerated rights relating to their privacy and personally identifiable information, and organizations now have the burden of consistently demonstrating they are protecting those rights.
Perhaps the most important takeaway is that, under GDPR, personal data can be many different forms of identifiable information—email, name, phone number, health information, biometric information, religion, race, ethnic origin, IP address, cookies, political affiliation, and more. The list is expansive.
To steer clear of penalties and lawsuits, organizations must have a firm understanding of these five personal consent provisions:
1. Right to be forgotten.
Known formally as the “right to erasure,” this provision gives individuals the right to request that their personally identifiable information be deleted or removed “without undue delay.” Individuals may revoke consent for their information to be collected, stored and processed at any point. Additionally, if personal data has become public, the data controller must notify any other parties that may have the data of the request for erasure.
2. Right to opt out.
Perhaps more accurately considered a matter of opting in, the regulation requires that individuals actively consent to sharing their personal information with an organization. This mandate goes above and beyond what many companies are used to, specifically noting that “silence, pre-ticked boxes or inactivity” do not constitute consent. Organizations can no longer automatically retain personally identifiable information or set cookies. Instead, they must request permission to do so in clearly understandable language.
3. Right of access.
At any point, individuals may request and receive information detailing what personal data of theirs is being processed and for what purposes. This right helps individuals ensure the lawful collection and processing of their personal information. Under GDPR, organizations must provide data subjects with a copy of the requested information within one month of the request.
4. Right to data portability.
Not only do individuals have the right to access their data, they also have the right to use their personal data across multiple services. At the request of the individual, organizations must transfer a subject’s personal information to another controller “without hindrance” in a way that is safe and secure. Where “technically feasible,” a data-controlling organization must transmit the data directly to another organization. For example, the user of a ride-hailing service is entitled to request that his or her data be transmitted directly to a competing service, and a bank customer may request that their information be shared with a financial planning company.
5. Right to object.
At any point, EU citizens may object to an organization’s handling of their personal data. The regulation specifically names direct marketing and profiling as personal data uses to which individuals may object. Upon receiving an objection, organizations must provide documentation of how the personal information is being processed and used, which requires a timely assessment of what data is being collected, where it is located and how it is being used at any time. Should the individual request their data be removed, organizations must not only do so, but also demonstrate that the requested data is no longer being used.
Despite the regulation’s complexities and uncertainties, organizations have had two years to prepare for it, so it is unlikely that there will be much leniency if and when fines occur. Legal, technical and organizational expertise will be required to ensure compliance, as the regulation encourages a significant shift in the way companies collect and use customer data.