Time Estimate

Topics

Get to Know EU Privacy Law

Learning Objectives

After completing this unit, you’ll be able to:

  • Explain the basics of the General Data Privacy Regulation (GDPR).
  • Define key privacy terms.
  • Describe how the GDPR changes EU privacy law.

Privacy as a Fundamental Right

For several decades, Europe has been a trailblazer on issues of privacy and data protection. Now, the European Union (EU) is again breaking new ground with the passage of a comprehensive privacy law called the General Data Protection Regulation (GDPR). If your business collects, stores, or uses personal information about European residents, then the GDPR can have a profound impact on your business processes.

A belief in the fundamental right to privacy has been deeply ingrained in European culture since the end of World War II. One of the world’s first major privacy laws encapsulated that belief: the EU’s Data Protection Directive, adopted in 1995. The directive required companies and governments to be transparent about the personal data they process, have a legitimate purpose for their use of that data, and exercise care in handling data.

The directive was adequate for technology as it existed in 1995, but rapid changes in technology in the ensuing years necessitated an update. EU legislators adopted the GDPR to keep privacy law relevant in a world where far more data is collected than ever before. They also wanted to ensure a uniform law existed across the EU and avoid major differences between countries. The GDPR significantly expands the privacy rights granted to individuals, and it places many new obligations on organizations that handle personal information. This module prepares you for these requirements, which are effective as of May 25, 2018.

European Union flag stars around a lock

Key Terms

Before we get into the specifics of the GDPR, let’s go over some basic definitions.

Term
Definition
Example
Data Subject
A “natural person” who can be directly or indirectly identified by information such as a name, an identification number, location data, an online identifier (such as a username), or their physical, genetic, or other identity.
Marie Dubois
Personal Data
Any information relating to an identified or identifiable data subject.
Woman. Age 48. Ph#: 33 1 7210 940. Address: 99 Place de l'Étoile, 75008 Paris, France. Likes hats. Reads Le Monde online every day.
Sensitive Personal Data
Personal data pertaining to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, information about health, sex life and sexual orientation, and genetic or biometric data.
Member of En Marche! Party. Catholic. Broke leg last year. Copy of fingerprints and retinal scan.
Processing
Anything that is done to or with personal data.
Any collection, storage, transfer, sharing, modification, use, or deletion of personal data.
Controller
An entity that determines the purposes and means of processing of personal data.
Grande Banque du Nord is a financial institution that is providing Marie with a mortgage to buy a house. When Marie first registers on Grande Banque's website to get more information about mortgages, Grande Banque becomes a controller of the personal data Marie provides.
Processor
An entity that processes personal data based on the instructions of a controller.
Salesforce becomes a processor of Marie’s personal data when Grande Banque uploads her data to its Sales Cloud instance.
Pseudonymous Data
Personal data that cannot be tied to a specific data subject without additional information that is stored separately, with technological measures to ensure the data is not combined with that additional information.
When Marie visits the Grande Banque website community hosted on Community Cloud to learn more about the mortgage process, the system records her IP address in hashed form and links it to the pages that Marie views. The hashed IP address is considered pseudonymous data, because, although the hashed IP address alone does not identify Marie, it’s still possible to link it to other information that relates to Marie.
Anonymous Data
Data that cannot ever be connected to an identified or identifiable person.
The Grande Banque website asks people to leave reviews. The system does not collect any information from reviewers—not even IP addresses. The reviews themselves can be considered anonymous.

So What Does the GDPR Require?

OK, now that we’ve got everything defined, let’s talk about what the GDPR actually says. In a nutshell, the GDPR establishes rules for how companies, governments, and other entities can process the personal data of data subjects who are in the EU. Many of these rules already existed under previous EU law, but some rules are now stricter, some are less burdensome, and some are brand new. The rules reach beyond the physical borders of the EU and apply to any organization, regardless of whether it has a physical presence in the EU, if it offers goods or services to people in the EU, or if it tracks the behavior of those people (including through the use of cookies).

World map

Here are some of the key changes that GDPR brings about:

Basis of data processing: In order to process personal data, organizations must have a lawful basis to process the data, such as to fulfill the performance of an agreement with the data subject or by obtaining the consent of a data subject. To the extent that consent is the only lawful basis, that consent must be freely given, specific, informed, and unambiguous. In other words, organizations must give data subjects a genuine choice whether to allow their data to be processed, and data subjects must agree via a clear statement or affirmative action. Requiring data subjects to grant broad consent to processing of their personal data when they register to use a service may not constitute freely given consent beyond processing that is necessary for providing the service. Additionally, organizations must be able to prove that they obtained valid consent.

Compliance obligations: Previous EU law directly regulated primarily data controllers; however, the GDPR places numerous direct compliance obligations on data processors. This includes requirements that processors only process personal data in accordance with the controller’s instructions, not share data with other vendors without consent of the controller, and implement appropriate security measures (which we discuss further in the next unit). Additionally, the law imposes several more compliance obligations on both data controllers and data processors to implement appropriate policies, assess the privacy impact of changes to business practices, and keep detailed records on data activities.

Breach notification: Data controllers must report any data breach to their data protection authority as soon as possible and no later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in any harm to the data subjects. If there is a high risk of harm, data controllers must report data breaches to the data subjects as soon as possible. Data processors must also notify data controllers of data breaches as soon as possible.

Data protection officer: Any organization that regularly processes sensitive personal data on a large scale or is involved in regular and systematic monitoring of data subjects must appoint a data protection officer to ensure the organization complies with privacy law.

Enforcement: Under previous EU law, data protection authorities in Europe had limited ability to punish companies that violated privacy law. Under the GDPR, authorities can fine companies up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred.

Picture of pile of Euros

Use of processors: Data controllers must have written agreements with data processors that ensure processors act only in accordance with the controller’s instructions, implement appropriate security measures to protect the data, assist the controller with its compliance obligations, return or destroy personal data at the end of the relationship, and comply with the provisions of GDPR applicable to processors.

Profiling: The GDPR places certain restrictions on the automated processing of personal data to evaluate a data subject—or, “profiling.” This includes monitoring or tracking data subjects to analyze or predict work performance, economic situation, health, behavior, preferences, or attitudes. Automated processes that can result in a significant impact on an individual, such as denial of a job or credit application, are considered high risk and are permitted only in limited cases.

Note

Note

The GDPR retains existing restrictions on cross-border transfers of personal data to countries whose privacy laws are considered “inadequate,” unless the organizations transferring and receiving the data take additional steps to ensure it is protected. In addition to endorsing existing measures like binding corporate rules and standard contractual clauses, the GDPR states that adherence to association codes of conduct or data protection certification programs approved by regulators can also be acceptable transfer mechanisms.

Data subject rights: The GDPR provides data subjects with a broad range of rights regarding their personal data. Data subjects can request that data controllers provide them with access to all personal data the controller maintains about them, and they can request that the data be corrected, deleted, frozen, or made portable (for example, downloaded). Additionally, they can object to certain processing and revoke previously given consent. We talk more about these rights in the next unit.

One-stop-shop: The GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring such organizations to work with a lead supervisory authority for cross-border data protection issues.

Now that you are familiar with the GDPR and why it’s important, in the next unit we dive deeper into how these requirements actually impact organizations that process personal data.

Resources

retargeting