As of May 25, 2018, the General Data Protection Regulation (GDPR) came into effect, designed to protect the online activity and personal information of individuals. GDPR is the first major overhaul of how businesses and public organizations handle their customers’ data since the 1990s, and the first to make an attempt at keeping pace with the modernization of technology.
Now, the UK is leaving the EU, and there’s been a lot of confusion about how that will change the effect that GDPR has over various businesses and organizations. We’ll do our best to clear that up.
What Does Brexit Mean For GDPR?
In short, likely not very much. The UK passed its own Data Protection Act in 2018, and it’s an almost identical set of rights and rules for companies regarding consumer data. There’s a reason for the similarity between the two laws — the UK’s DPA is intended to smooth the transition out of the EU in that businesses and organizations won’t have to change their policies.
Of course, as of this writing, the UK has not finalized a plan for the terms under which it will leave the EU. Since the UK will not technically be under the jurisdiction of the GDPR, it remains to be seen how the EU will apply its law to data that passes between the EU and the UK.
As of now, the UK has said that it will seek adequacy agreements with the EU to ensure that its DPA is essentially the same as the GDPR, allowing data to flow between the EU and UK. For practical purposes, companies doing business with the EU and UK should comply with the GDPR until indicated otherwise.
What If My Company Operates In The US?
Technically, US companies aren’t under the jurisdiction of GDPR, but in reality, it’s not that simple. Data is global — companies like Google and Amazon have data centers in Luxembourg, Ireland, Germany, The Netherlands, Denmark, and Finland, and any online company or SaaS business could have customers from anywhere.
The fact is that if your users or their data are ever in EU territory, you need to be compliant with GDPR — by extension, you’ll probably also be compliant with the new DPA, but we’re still not sure how the legal side of Brexit will shake out.
Unless you can be absolutely sure that all your users and their data are contained on servers inside the US, you should have already done the work to become compliant with GDPR. That means no more “automated decision-making” to target ads anymore — the kind of algorithms that serve ads to users based on cookies, location tracking, and browsing history.
If your website, business, and data practices are already compliant with GDPR, it’s not likely that they’ll have to change substantially to comply with the UK’s 2018 DPA, but the situation is still unfolding. For now, complying with GDPR is your best bet — wait until the dust settles around Brexit before you make any other major changes.
What Is GDPR?
GDPR is the first major overhaul of consumer data protection in Europe since 1995, and is intended to “harmonize” data privacy laws across Europe. It involves substantial changes both for the general public and for any organization that handles personal information.
GDPR was discussed and negotiated for nearly four years before being adopted in April of 2016. Companies and other organizations were then given two years to prepare for the changes before the regulations came into effect in May 2018.
Does It Apply To Me?
Almost certainly. Any individual, organization, or company that is either a “controller” or “processor” of personal data will be under the GDPR’s purview. If you are currently subject to the DPA, you’ll also be subject to the GDPR.
What Is Personal Data?
Much of GDPR concerns “personal data,” so it would be useful to have a specific definition of the term. In the UK, there are two types of personal data — personal data and sensitive personal data.
Personal data is anything that might allow a living person to be identified, directly or indirectly. This might be a name, physical address, or an IP address. It also includes automated personal data and even pseudonymized data, providing a person could be identified from it.
Sensitive personal data is referred to in the GDPR as a “special category” of information. These types of data include membership in trade unions, religious beliefs, political opinions, racial information, sexual orientation, and health information.
The full text of GDPR contains 99 articles regarding the rights of individuals and the requirements set on organizations under the new regulation.
Access to your data
One of the biggest changes to data regulation under the GDPR is the power that individuals have over the data that’s held about them.
The GDPR includes provisions for a subject access request (SAR), which allows an individual to ask a company or organization to provide all the data that that organization has collected about the individual. Businesses are required to provide the information within a month.
Another major change is the burden placed on data collectors to obtain consent from users before collecting data. That consent must be active and made with a “genuine and meaningful choice.”
In practical terms, what this means is that merely posting a link to your terms of service, which no reasonable person can be expected to read, is insufficient to claim consent. It also means that “opt-out” subscriptions to email newsletters — where a checkbox is checked unless the user deliberately deselects it — are disallowed.
What Should I Do?
If you’re a business or organization that collects data of any kind on your users — and in this day and age, almost anyone with a website fits that description — then you need a consent policy. Customers must now opt-in to having their data collected in a conscious, informed fashion, so you’ll have to write a policy for them to consent to.
The GDPR also contains provisions for how companies handle consumer data once they have it. The “destruction, loss, alteration, unauthorized disclosure of, or access to” user data must be reported to the data protection officer of every country where it can have a detrimental effect on the residents.
Companies over a certain size also are required to provide documentation as to why people’s information is being collected, what information is held, how long it’s held, and what security measures are in place to protect it.
Finally, you’ll need to prepare for data requests. Under GDPR rules, your users have the right to see any and all data you’ve collected on them, correct information that’s inaccurate, revoke consent, or demand that you erase the data you have on them. You’ll need to have both the software means and the written policy to comply with those requests.
The bottom line is that you should talk to an expert. The new laws are complicated, and without the help of a law firm, you might make mistakes. That’s not to mention the software, coding, and database management you might need to set up. Penalties for being on the wrong side of these regulations can be up to 20 million euros or 4% of your annual revenue — it’s worth the effort to get it right from the beginning.