What is the GDPR?
As opposed to the U.S., the European Union has a uniform data privacy law. The General Data Protection Regulation (GDPR) went into effect on May 25th of 2018, and has a broad cross-sector scope that affects many foreign companies, including U.S. companies.
This regulation relates to both data privacy and data security. Data privacy is the right to control how information is collected and used; focusing on the use and governance of data. Data security, on the other hand, is focused on protecting data from, for example, attacks and exploitation of stolen data.
The GDPR applies to:
- Businesses established in the EU – which process personal data; and
- Businesses outside the EU – if their data processing activities relate to the offering of goods or services to individuals in the EU or to the monitoring of such individuals’ behavior.
Mere accessibility of a website by an EU member is insufficient alone to prove intention to offer goods or services. The GDPR requires intent to offer goods in the EU; not merely availability of, for example, a website. Just having an accessible site is not enough; intent to market is critical. Therefore, the GDP applies if: a business is located within territory; a business is marketing services in EU, and; regardless of the citizenship of user is irrelevant.
What is Personal Data?
Persona Data is any information relating to an identified or identifiable natural person (known as a “data subject”), it includes: name; identification number; location data; online identifier; and one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The GDPR regulates several moments in the lifecycle of personal data, including: collection, processing, storage, transmission, and disposal.
Who must Comply with the law?
There are several types of parties who collect and use Personal Data, including “controllers” and “processors”. Controllers are typically the persons or organization who collect the data. The data controller determines the purposes for which and the means by which personal data is processed. So, if your company/organization decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller. Employees processing personal data within the organization do so to fulfil your tasks as data controller. Processors typically process the personal data only on behalf of the controller. The data processor is usually a third party external to the company. The relationship between controllers and processors is governed by data processing agreement.
How can Organizations Collect data?
In order to collect or process personal data, you need to have a legal basis for it. GDPR requires that any organization processing personal data must have a valid legal basis for that personal data processing activity. GDPR provides several legal bases for processing, including:
- Performance of a Contract;
- Legitimate Interest;
- Vital Interest;
- Legal Requirement; or
- Public Interest.
Consent occurs when the data subject has given permission for the organization to process his/her personal data for one or more processing activities. Consent must be freely given, clear, and easy to withdraw. Therefore, organizations need to be careful when using consent as their legal basis. An example of consent is the age box that a user may check when accessing content that is age-restricted.
Performance of a Contract occurs when the data processing activity is necessary to enter into or perform a contract with the data subject. An example of this is when a user provides his/her mailing address for an e-commerce purchase.
Legitimate Interest occurs during the processing activity that a data subject would normally expect from an organization that it gives its personal data to do, like marketing activities and fraud prevention. If legitimate interest is used as a legal basis for processing, the organization must perform a balancing test: is this processing activity necessary for the organization to function? Does the processing activity outweigh any risks to a data subject’s rights and freedoms? If the answer to either of those questions is “no,” then the organization cannot use legitimate interest as its legal basis for processing.
Vital Interest is a rare processing activity that could be required to save someone’s life. This is most commonly seen in emergency medical care situations.
Legal Requirement arises with a processing activity that is necessary for a legal obligation, such as information security, employment or consumer transaction law.
Public Interest is a processing activity that would occur by a government entity or an organization acting on behalf of a government entity.
If you would like to continue the next part of this blog click here.