What is the GDPR?
The General Data Protection Regulation (“GDPR”) protects the privacy and security of personal data within the European Union (“EU”) and European Economic Area (“EEA”). The GDPR establishes a robust set of privacy and data protection rights concerning the collection and processing of personal data known as data subject rights.
The core tenets of the GDPR are that the processing of personal data must be lawful, fair, and transparent, and that a data subject must be able to exercise certain rights with respect to their data, including the right to access, correct, and delete that data, among other things.
When did the GDPR take effect?
GDPR was adopted into law in 2016 and became subject to enforcement by EU member state Data Protection Authorities on April 24, 2018.
Compliance Tip: As of December 2020, the United Kingdom is no longer part of the EU and is thus outside the GDPR. However, the UK maintains similar data protection laws under the Data Protection Act 2018 enforced by the Information Commissioner’s Office (ICO).
Who does the GDPR regulate?
The GDPR regulates entities (e.g. businesses and other organizations) that collect and process EU personal data. Entities regulated under the GDPR may be “Controllers” or “Processors,” or both.
Controllers are entities that determine the “means and purposes” of processing personal data and are principally responsible for administering data subject rights. Often, Controllers are the entities that collect personal data directly from individuals and make the most important decisions about the personal data, including the purpose for which the data is collected. An example of a controller is an online retailer that collects personal data from a customer placing an order on its website.
Processors, on the other hand, receive and process personal data solely at the direction of a Controller and do not exercise further control over the data. Processors must administer data subject rights in accordance with the Controller’s instructions. An example of a processor is a web hosting company that processes the personal data of the online retailer’s customers as part of its service to the retailer.
Compliance Tip: The GDPR has no minimum thresholds for compliance. Thus, even small entities that deliberately collect the personal data of a single EU data subject will have to comply with all aspects of the GDPR with respect to that data subject. For this reason, some entities have taken steps to avoid the deliberate collection of EU personal data.
Compliance Tip: The GDPR has extraterritorial effect, which means that even entities outside the EU that deliberately collect and process EU data subject data are required to comply with the GDPR. This includes both entities that directly collect EU personal data as well as entities that merely receive and process such data on behalf of another entity. Many U.S. companies, both large and small, have obligations under the GDPR. International cooperation between the U.S. and EU provides for cross-border enforcement.
What is data processing?
Data processing includes virtually any activity that involves the collection, retention, use, disclosure, or disposal of personal data. The term “processing” is defined broadly and most activities involving EU personal data are regulated by the GDPR.
What is personal data?
“Personal data” is any information relating to an identified or identifiable person. Data is deemed identified if a set of data about a data subject has been associated with an identifier. An identifier is any data attribute that can be used to uniquely distinguish a single data subject from all others. For example, a person’s social security number, credit card number, email address, and telephone number are all typical examples of identifiers because they relate only to a specific individual.
In other cases, personal data may exist if data is “identifiable.” This means that a set of data contains a combination of attributes that, taken individually, are not identifiers, but that can be used together, or in combination with other information, to single out a specific individual from all others. If such a combination of data attributes makes an individual data subject identifiable, then the entire data set is considered personal data.
Compliance Tip: Regulators have taken a liberal approach to finding that data attributes are identifiable, so unless data is completely deidentified, anonymized, or aggregated in such a way that it cannot be used to reidentify an individual, it should be treated as personal data.
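The “identifiable by combination” point above is easy to test mechanically. The following is an added illustration, not part of the original page: it groups records by a chosen set of attributes (so-called quasi-identifiers) and reports any combination that belongs to exactly one record, which is the situation in which a data set must be treated as personal data. The sample rows, the attribute names and the helper names are constructed for this example.

```python
"""Added example: does a chosen set of non-identifier attributes still
single out one person?  Records, column names and helpers are constructed
for this illustration and are not real data."""
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Set, Tuple

# Constructed sample.  No single column is an identifier, but some
# combinations of columns belong to exactly one row.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"postcode": "1011", "birth_year": 1985, "gender": "F", "diagnosis": "A"},
    {"postcode": "1011", "birth_year": 1985, "gender": "F", "diagnosis": "B"},
    {"postcode": "1011", "birth_year": 1990, "gender": "M", "diagnosis": "A"},
    {"postcode": "1012", "birth_year": 1985, "gender": "F", "diagnosis": "C"},
    {"postcode": "1012", "birth_year": 1990, "gender": "M", "diagnosis": "B"},
]


def combination_counts(records: Iterable[Dict[str, object]],
                       attrs: Sequence[str]) -> Counter:
    """Count how many records share each combination of the given attributes."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def identifying_combinations(records: Iterable[Dict[str, object]],
                             attrs: Sequence[str], k: int = 1) -> Set[Tuple]:
    """Combinations shared by k or fewer records.  With k=1 each returned
    combination points at exactly one person: the 'identifiable' case."""
    counts = combination_counts(records, attrs)
    return {combo for combo, n in counts.items() if n <= k}


def is_identifiable(records: Iterable[Dict[str, object]],
                    attrs: Sequence[str], k: int = 1) -> bool:
    """True if the attribute set singles out at least one individual."""
    return bool(identifying_combinations(records, attrs, k))


def min_group_size(records: Iterable[Dict[str, object]],
                   attrs: Sequence[str]) -> int:
    """Smallest number of records sharing one combination, i.e. the data
    set's k-anonymity level for these attributes; 0 for an empty set."""
    counts = combination_counts(records, attrs)
    return min(counts.values()) if counts else 0


def drop_attributes(records: Iterable[Dict[str, object]],
                    drop: Sequence[str]) -> List[Dict[str, object]]:
    """Generalize by removing attributes; one way to reduce identifiability."""
    return [{k: v for k, v in r.items() if k not in drop} for r in records]


if __name__ == "__main__":
    full = ("postcode", "birth_year", "gender")
    print("identifiable:", is_identifiable(SAMPLE_RECORDS, full))
    print("singled out:", identifying_combinations(SAMPLE_RECORDS, full))
    reduced = drop_attributes(SAMPLE_RECORDS, ("postcode",))
    print("after dropping postcode, smallest group:",
          min_group_size(reduced, ("birth_year", "gender")))
```

Run against the constructed rows, postcode plus birth year plus gender singles out three people, while birth year plus gender alone never isolates fewer than two, which is the kind of check a controller can run before deciding whether a “de-identified” extract really falls outside the personal data definition.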
What are the core data protection principles?
Article 5 sets forth the GDPR’s seven core principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
What are data subject rights?
Under the GDPR, controllers and processors have an obligation to administer data subject rights. Such rights include:
- Right to be Informed
- Right of Access
- Right of Rectification and Completion
- Right to Erasure (Right to be Forgotten)
- Right to Restriction of Processing
- Right to Data Portability
- Right to Object
- Right to Obtain Human Intervention (in automated processing)
Compliance Tip: The rights of a data subject are not absolute and may be subject to certain limitations and restrictions. For example, a controller may refuse a request to be forgotten if erasing the information would adversely affect the freedom of expression, contradict a legal obligation, act against the public interest in the area of public health, act against the public interest in the area of scientific or historical research, or prohibit the establishment of a legal defense or other legal right.
How is the GDPR administered and enforced?
Compliance with the GDPR is primarily enforced by the Data Protection Authority (“DPA”) of the EU member state in which the entity has its “main establishment.” Multinational companies that operate establishments in more than one member state are subject only to the DPA that acts as their “lead” supervisory authority. This does not mean that controllers are relieved of all obligations to the other twenty-seven member states’ DPAs. In enforcement actions that span multiple jurisdictions, the lead supervisory authority coordinates the enforcement efforts of all concerned DPAs.
Compliance Tip: Controllers and processors not “established” in the EU (as described above) must appoint a local representative under Article 27. The local representative acts on your behalf in dealings with supervisory authorities and maintains a copy of your records of processing activities.
Continuity of Law within the EU
Given that each member state interprets the GDPR independently at its local level, it is the responsibility of the European Data Protection Board (EDPB) to issue “consistency findings” to keep the law in harmony and ensure that the DPAs enforce the related legal rights and duties the same way in every country, particularly in decisions with cross-border effects. In collaborative enforcement actions, the EDPB resolves conflicts between concerned DPAs. The EDPB also issues guidance, including guidelines, recommendations, and best practices, which is adopted by all DPAs. The EDPB, formerly the Article 29 Working Party, is led by a chair and two deputy chairs who are each appointed to serve a term of five years. The chairs are selected by simple majority from the EDPB body, which is made up of the DPA representatives from each member state and the European Data Protection Supervisor (EDPS).
Compliance Tip: While the EDPB strives to maintain continuity in the interpretation and application of data protection laws among member states, disagreements and enforcement priorities between member state DPAs are common, creating an asymmetrical compliance challenge for entities operating in multiple member states.
As stated above, each EU member state has its own regulatory authority for enforcing the GDPR, known as a Data Protection Authority (DPA), which investigates GDPR violations and enforces the law. Individual data subjects may file privacy complaints with a DPA, or a DPA may open an investigation on its own initiative. A DPA may issue fines for violations of up to 20 million euros, or 4% of global annual turnover from the previous year, whichever is greater.
Private Right of Action
In addition to DPA enforcement, the GDPR may be enforced by individual data subjects, or even those acting in a representative capacity, for violations of the member state data protection law by bringing a lawsuit directly against the offending organization.
Compliance Tip: With some notable exceptions, data privacy laws in the U.S. rarely provide individuals a private right of action to sue directly for statutory violations. In this way, the GDPR provides more direct remedies to individual plaintiffs rather than having to rely on a regulatory authority to enforce the law.
What are the key compliance requirements?
To process personal data under the GDPR, a controller must have a lawful basis for the processing. Article 6 sets forth six lawful bases: consent, performance of a contract, legitimate interest, vital interest, legal requirement, and public interest. The first three are the most common in typical commercial contexts.
Compliance Tip: Each lawful basis has specific attendant requirements. For example, consent must be unambiguous and freely given (e.g. opt-in) with a record of the consent maintained. With respect to performance of a contract, the processing must be necessary for the performance of a contract with the data subject and not a third party. For legitimate interest, which is the broadest of all lawful bases, the interest for the processing must be balanced against the fundamental rights and freedoms of the data subject.
Under the GDPR, purpose limitation is a requirement that personal data be collected for specified, explicit, and legitimate purposes, and not be processed further in a manner incompatible with those purposes.
Data minimization is a principle that requires a controller to limit its personal data collection, storage, and usage to data that is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed.
Record of Processing Activities (RoPA)
Controllers and processors must maintain a record detailing the processing activities they perform. The purpose is to identify the processing of personal data to facilitate core risk and compliance functions. In order to properly assess, mitigate, and monitor privacy risks, there must be a complete inventory of the data being processed. The RoPA is one of the most important artifacts maintained under Article 30 for responding to requests by supervisory authorities.
The contents of the record of processing activities (RoPA) differ for controllers and processors, and the requirements are much more extensive for controllers. Both must document their name, contact details, representative, and data protection officer, together with their security measures and cross-border data transfers. Controllers must additionally document the purpose of processing, the categories of data subjects, the categories of data types, retention periods, and the categories of recipients.
Security of Processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of the processing.
Such measures may include:
- Ensuring the confidentiality, integrity, availability and resilience of processing systems and services;
- Restoring the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and
- Regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Data Protection by Design and by Default
Also known as “privacy by design,” Article 25 requires that controllers develop the capabilities to design, develop, implement, and configure privacy protections into products and services, internal-facing business processes, in-house information systems, and third-party software and vendor services. Importantly, privacy risk assessment activities should be performed as the processing activities are being designed and developed (i.e. at the determination of the means for processing) in an effort to design privacy into the product, service, business process, or system before processing even begins. The most restrictive configuration should be applied
Compliance Tip: Privacy by design should be a core aspect of the product development lifecycle. It is insufficient to “bolt on” privacy protections retroactively. Designing for privacy by default runs against the grain for many organizations that seek to capture as much personal data about a person or transaction as possible, even if such data is not particularly necessary for the purposes of the processing. Privacy by default militates against this tendency in favor of configuring the system to be the most protective of personal data by default.
Privacy by Design Principles:
- Proactive not Reactive; Preventative not Remedial
- Privacy as the Default Setting
- Privacy Embedded into Design
- Full Functionality — Positive-Sum, not Zero-Sum
- End-to-End Security — Full Lifecycle Protection
- Visibility and Transparency — Keep it Open
- Respect for User Privacy — Keep it User-Centric
Data Protection Impact Assessment (“DPIA”)
Article 35 requires that where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
Compliance Tip: The Data Protection Officer (DPO) should review DPIAs.
Data Protection Officer
A Data Protection Officer (“DPO”) is required for certain organizations under the GDPR as well as under the laws of certain EU member states. The DPO must be able to exercise independent judgement regarding data protection and must have the training and experience needed to perform their obligations. The DPO shall be informed of and involved in all issues which relate to the protection of personal data and shall be bound by secrecy and confidentiality. Among the most important roles of the DPO is advising on the performance of DPIAs.
Can EU personal data be exported?
EU personal data may only be exported to a non-EU country if such country has an adequate level of data protection as determined by the European Commission, which is referred to as an Adequacy Decision. Otherwise, the data exporter (typically, the exporting controller) must itself put in place adequate data protections unless a derogation applies (e.g. contractual necessity). Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs) are two examples of approved mechanisms for cross-border transfers.
Compliance Tip: The CJEU decision in Schrems II struck down the EU-U.S. Privacy Shield for cross-border transfers between the EU and the United States. Organizations must now rely on other approved export mechanisms, such as Binding Corporate Rules (BCRs) and the EU Commission’s approved Standard Contractual Clauses (SCCs), each subject to supplemental data protection measures as discussed in Schrems II.
Compliance Tip: Following the CJEU decision in Schrems II, data exporters must apply supplemental data protection measures when transferring personal data to countries without adequate data protection laws. Because the U.S. lacks an adequacy decision, these supplemental measures may include conducting a data protection impact assessment, applying pseudonymization and encryption, and mitigating the risks associated with government surveillance, such as under the Foreign Intelligence Surveillance Act (FISA). The European Data Protection Board (EDPB) has published further guidance on this topic.
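Pseudonymization as a supplemental transfer measure only helps if the information needed to reverse it stays with the exporter. The following is an added illustration, not code from the original page or from any regulator: before a record leaves the EU, each direct identifier is replaced by a keyed HMAC token and the token-to-value table is retained on the exporter’s side, so the importer receives nothing it can reverse or confirm by guessing. The field names, the sample record, the key and the `Exporter` helper are all constructed for this example; encryption of the payload in transit and at rest is a separate measure not shown here.

```python
"""Added example: pseudonymizing direct identifiers before export, with the
re-identification key and lookup table kept by the EU exporter.  Field names,
sample record and key are constructed for this illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed list of fields treated as direct identifiers.
DIRECT_IDENTIFIERS = ("customer_id", "email", "phone")


def make_pseudonym(value: str, key: bytes) -> str:
    """Keyed token for one identifier value.  An HMAC is used rather than a
    plain hash so that a recipient without the key cannot confirm a guess
    (for example by hashing a known e-mail address) against the token."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


class Exporter:
    """Holds the secret key and the token->value table inside the EU."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        # A fresh random key per exporter unless one is supplied (tests do).
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}

    def pseudonymize(self, record: Dict[str, object]) -> Dict[str, object]:
        """Return a copy of the record with direct identifiers tokenized;
        the original values are remembered only on this side."""
        out = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in out:
                original = str(out[field])
                token = make_pseudonym(original, self.key)
                self.lookup[token] = original
                out[field] = token
        return out

    def reidentify(self, token: str) -> Optional[str]:
        """Reverse a token; only possible where the lookup table lives."""
        return self.lookup.get(token)


def leaks_identifier(exported: Dict[str, object],
                     original: Dict[str, object]) -> bool:
    """Pre-transfer check: True if any direct identifier value from the
    original record still appears anywhere in the exported record."""
    blob = " ".join(str(v) for v in exported.values())
    return any(str(original[f]) in blob
               for f in DIRECT_IDENTIFIERS if f in original)


if __name__ == "__main__":
    # Constructed sample record; not real customer data.
    record = {"customer_id": "C-1001", "email": "a.b@example.com",
              "phone": "+31 20 000 0000", "order_total": 42.0}
    exporter = Exporter()
    exported = exporter.pseudonymize(record)
    print("exported:", exported)
    print("leaks identifier:", leaks_identifier(exported, record))
    print("exporter can reverse:", exporter.reidentify(exported["email"]))
```

The design choice worth noting is where the key lives: the importer receives tokens that are stable across exports (so analytics on the importer’s side still join correctly) but has neither the key nor the table, and the `leaks_identifier` check gives the exporter a last gate before a record crosses the border.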