The General Data Protection Regulation (GDPR) is a new law focused on the protection of personal data for all residents of countries within the European Union. This new legislation aims to give individuals greater control over their personal data and to change the approach of organizations across the world towards data privacy. The GDPR goes into effect on 25-May-2018.
It’s important to note that at LBDesign, we are not lawyers. This blog post should not be construed as legal advice. We highly recommend that you consult with your own attorneys about how the GDPR will affect you and your organization.
A Law with Global Jurisdiction
The GDPR claims global jurisdiction over the personal data of residents of the European Union. According to the GDPR, personal data is any information that can lead to the identification of an individual. Data that has been de-identified or pseudonymized but can still be used to re-identify a person is still considered personal data. Data that has been anonymized irreversibly is no longer considered personal data. Examples of personal data include an IP address, name, email, address, financial data, and religious or political views, to name a few.
The law gives residents the right to:
- be informed about the processing of their personal data
- obtain access to the personal data held about them
- ask for incorrect, inaccurate or incomplete personal data to be corrected
- request that personal data be erased when it’s no longer needed or if processing it is unlawful
- object to the processing of their personal data for marketing purposes or on grounds relating to their particular situation
- request the restriction of the processing of their personal data in specific cases
- receive their personal data in a machine-readable format and send it to another controller (‘data portability’)
- request that decisions based on automated processing that concern them or significantly affect them, and that are based on their personal data, be made by natural persons, not only by computers. Residents also have the right to express their point of view and to contest the decision.
Stepping Away from Implied Consent – Towards Explicit Consent
The law states that implied consent for storing data is no longer acceptable. Explicit consent must be obtained in order for data to be collected.
Companies must have clear policies for handling, storing, reporting on, and deleting personal data. Furthermore, companies and organizations are responsible for the data storage of the tools they use, even if third parties collect the data.
A Big Stick and Some Ambiguity
In short, failure to comply with the new GDPR guidelines can mean a massive fine of 4% of global profits or €20 million, whichever is greater. That’s a big hit for a company of any size to take!
On top of the significant fine, this new law is vague in some of its terminology, leaving room for ambiguity. At this point, there is uncertainty about how this law will be interpreted by regulators and courts. Moreover, there is room in the legislation for member states of the European Union to establish additional, more specific and restrictive regulations on top of the GDPR.
We’re Still Researching the GDPR
At LBDesign, we’re still researching the GDPR and what it will mean for us and for our clients. We’ve been speaking with lawyers about the implications of the GDPR for businesses and non-profits in the US, UK and beyond. We will keep our clients apprised of key concerns in the rollout of the GDPR.