Get to Know EU Privacy Law
After completing this unit, you’ll be able to:
- Explain the basics of the General Data Protection Regulation (GDPR).
- Define key privacy terms.
- Describe how the GDPR changes EU privacy law.
Privacy as a Fundamental Right
For several decades, Europe has been a trailblazer on issues of privacy and data protection. Now, the European Union (EU) is again breaking new ground with the passage of a comprehensive privacy law called the General Data Protection Regulation (GDPR). If your business collects, stores, or uses personal information about European residents, then the GDPR can have a profound impact on your business processes.
A belief in the fundamental right to privacy has been deeply ingrained in European culture since the end of World War II. One of the world’s first major privacy laws encapsulated that belief: the EU’s Data Protection Directive, adopted in 1995. The directive required companies and governments to be transparent about the personal data they process, have a legitimate purpose for their use of that data, and exercise care in handling data.
The directive was adequate for technology as it existed in 1995, but rapid changes in technology in the ensuing years necessitated an update. EU legislators adopted the GDPR to keep privacy law relevant in a world where far more data is collected than ever before. They also wanted to ensure a uniform law existed across the EU and avoid major differences between countries. The GDPR went into effect on May 25, 2018, and significantly expanded the privacy rights granted to individuals. It also placed many new obligations on organizations that handle personal information.
Before we get into the specifics of the GDPR, let’s go over some basic definitions.
||A “natural person” who can be directly or indirectly identified by information such as a name, an identification number, location data, an online identifier (such as a username), or their physical, genetic, or other identity.
||Any information relating to an identified or identifiable data subject.
||Woman. Age 48. Ph#: 33 1 7210 940. Address: 99 Place de l'Étoile, 75008 Paris, France. Likes hats. Reads Le Monde online every day.
|Sensitive Personal Data
||Personal data pertaining to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, information about health, sex life and sexual orientation, and genetic or biometric data.
||Member of En Marche! Party. Catholic. Broke leg last year. Copy of fingerprints and retinal scan.
||Anything that is done to or with personal data.
||Any collection, storage, transfer, sharing, modification, use, or deletion of personal data.
||An entity that determines the purposes and means of processing of personal data.
||Grande Banque du Nord is a financial institution that is providing Marie with a mortgage to buy a house. When Marie first registers on Grande Banque's website to get more information about mortgages, Grande Banque becomes a controller of the personal data Marie provides.
||An entity that processes personal data based on the instructions of a controller.
||Salesforce becomes a processor of Marie’s personal data when Grande Banque uploads her data to its Sales Cloud instance.
||Personal data that cannot be tied to a specific data subject without additional information that is stored separately, with technological measures to ensure the data is not combined with that additional information.
||When Marie visits the Grande Banque website portal hosted on Experience Cloud to learn more about the mortgage process, the system records her IP address in hashed form and links it to the pages that Marie views. The hashed IP address is considered pseudonymous data, because, although the hashed IP address alone does not identify Marie, it’s still possible to link it to other information that relates to Marie.
||Data that cannot ever be connected to an identified or identifiable person.
||The Grande Banque website asks people to leave reviews. The system does not collect any information from reviewers—not even IP addresses. The reviews themselves can be considered anonymous.
So What Does the GDPR Require?
Here are some of the key changes that GDPR brings about:
Basis of data processing: In order to process personal data, organizations must have a lawful basis to process the data, such as to fulfill the performance of an agreement with the data subject or by obtaining the consent of a data subject. To the extent that consent is the only lawful basis, that consent must be freely given, specific, informed, and unambiguous. In other words, organizations must give data subjects a genuine choice whether to allow their data to be processed and must agree via a clear statement or affirmative action. Requiring data subjects to grant broad consent to processing of their personal data when they register to use a service may not constitute freely given consent beyond processing that is necessary for providing the service. Additionally, organizations must be able to prove that they have obtained valid consent.
Compliance obligations: Previous EU law directly regulated primarily data controllers; however, the GDPR places numerous direct compliance obligations on data processors. This includes requirements that processors only process data in accordance with the controller’s instructions, not share data with other vendors without the consent of the controller, and implement appropriate security measures (which we discuss further in the next unit). Additionally, the law imposes several more compliance obligations on both data controllers and data processors to implement appropriate policies, assess the privacy impact of changes to business practices, and keep detailed records on data activities.
Breach notification: Data controllers must report any data breach to their data protection authority as soon as possible and no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in any harm to the data subjects. If there is a high risk of harm, data controllers must report data breaches to the data subjects as soon as possible. Data processors must also notify data controllers of data breaches as soon as possible.
Data protection officer: Any organization that regularly processes sensitive personal data on a large scale or is involved in regular and systematic monitoring of data subjects must appoint a data protection officer to ensure the organization complies with privacy law.
Enforcement: Under previous EU law, data protection authorities in Europe had limited ability to punish companies that violated privacy law. Under the GDPR, authorities can fine companies up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred.
Use of processors: Data controllers must have written agreements with data processors that ensure processors act only in accordance with the controller’s instructions, implement appropriate security measures to protect the data, assist the controller with its compliance obligations, return or destroy personal data at the end of the relationship, and comply with the provisions of GDPR applicable to processors.
Profiling: The GDPR places certain restrictions on the automated processing of personal data to evaluate a data subject—or, “profiling.” This includes monitoring or tracking data subjects to analyze or predict work performance, economic situation, health, behavior, preferences, or attitudes. Automated processes that can result in a significant impact on an individual, such as denial of a job or credit application, are considered high risk and are permitted only in limited cases.
Data subject rights: The GDPR provides data subjects with a broad range of rights regarding their personal data. Data subjects can request that data controllers provide them with access to all personal data the controller maintains about them, and they can request that the data be corrected, deleted, frozen, or made portable (for example, downloaded). Additionally, they can object to certain processing and revoke previously given consent. We talk more about these rights in the next unit.
One-stop-shop: The GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring such organizations to work with a lead supervisory authority for cross-border data protection issues.
Now that you are familiar with the GDPR and why it’s important, in the next unit we dive deeper into how these requirements actually impact organizations that process personal data.