Ever looked at a deadline that is months away and told yourself there’s loads of time to think about it? In fact, that’s probably what you thought when you first heard about the General Data Protection Regulation (GDPR), the European Union’s updated privacy regulation, which takes effect 25 May 2018. Even now, it’s still months away — right?
But while you’ve been confidently putting off familiarising yourselves with GDPR and its requirements, at Cvent we’re already on track to becoming GDPR compliant, as we know the new policy will change the way businesses operate on a global scale. It may look like there’s plenty of time to plan for GDPR but trust us when we tell you there isn’t.
Last month, we held a webinar to help our customers understand the key elements of the new regulation and advise them on how they too can become GDPR compliant. We also discussed at length how the updated rules will continue to have many aspects of the existing legislation (such as fairness, transparency, accuracy, security, minimisation and respect for individual’s information), while also bringing with it some significant changes.
Here are the 10 key elements of GDPR that we highlighted in the webinar:
Element 1: Extra Territorial Reach
One of the biggest changes implemented is that the new policy will have a much further reach that the previous EU legislation. Instead of focusing on businesses located in the EU, this legislation is looking at the EU citizen, and their interaction with companies (hotels, events, etc) globally. It protects EU citizens no matter where they are in the world.
For example, if you are running an event in Texas and you have attendees from France, or anywhere in the EU, you will have to abide by the new legislation for these EU citizens.
This impacts data controllers and processors who are:
- Marketing to EU citizens
- Processing data of EU citizens
- Offering goods or services to individuals in the EU
- Monitoring behaviour of individuals in the EU
Element 2: Regulation vs. National Law
The existing rules around data protection is based around a directive, and the way that ‘directives’ work is that each country within the EU can interpret it in their own way and incorporate it into their national legislation. With a regulation, on the other hand, the approach is completely different as it is directly applicable to the national states. This means that the member states must take the entire regulation and implement it into their domestic legislation without changing it. However, GDPR is a bit of a hybrid between the two. In order to get an agreement on the new regulation, they have implemented some clauses which allows some aspects to be subject to national variation. There are specific areas on which member states can legislate including employment and research.
Element 3: Privacy by Design & Default
Privacy is a fundamental right in the EU, and GDPR has been structured to reflect that right. Whatever you do as a business, when it comes to collecting, storing and using personal data, privacy needs to be at the core of that approach and you need to ensure that you are doing your utmost to abide by that.
As businesses, there are two key things you need to do: be transparent about what you are doing with the data and be accountable for the data you hold.
Element 4: Definition of Personal Data
With GDPR, the definition of ‘personal data’ has been expanded. It is now defined as data from which a living individual is identifiable (by anyone) directly or indirectly. It is also important to take into consideration which of the data you are collecting would be considered as personal data. For example, depending on the nature of the online identifiers, device identifiers, cookies IDs and IP identifiers you collect, they are likely be classified as personal data.
Element 5: Children
Under the new legislation, some rules regarding data collected on children have been introduced, specifically to address social media concerns. Children under 13 cannot provide consent for the processing of their own personal data in relation to online services. For example, if you have events for under-13-year-olds, you cannot ask them to register themselves; parental consent is mandatory. For children aged between 13–15 years old, parental consent must be obtained unless a Member State legislates to reduce that age threshold. Only those who are 16 years and above can provide their own consent.
Element 6: Consent
GDPR is a lot more specific on what ‘consent’ really means. Consent must be “freely given, specific, informed and unambiguous, by a clear statement or by a clear affirmative action signifying agreement to processing”.
You can no longer obtain forced or omnibus consent using tactics like pre-ticked boxes. You need to have a statement where individuals have to tick a box, where they are fully informed on what data will be collected and stored and how that data will be used. You will need to get a “layered” consent, giving individuals the option to agree to specific and relevant things you plan to do with their data. You also need to make it clear whenever you’re requesting consent for sensitive data if you are gathering that kind of information, such as dietary requirements for an event. Also, you must remember that individuals have the right to withdraw their consent at any time, and you must make it as easy for them to withdraw their consent as it was for them to give their consent.
Element 7: Processing Using Other Grounds
Consent is not the only way to obtain permission to collect, store and process personal data. The GDPR does allow for collecting and processing of data under ‘other grounds’, consisting of:
- Performance of a contract;
- Compliance with a legal obligation;
- Protect the vital interests of data subjects;
- Performance of tasks in the public interest; and
- Purposes of legitimate interests (businesses will need to set out their legitimate interests in their policies).
Element 8: Further Processing
Quite often when you collect data, you’ll want to do some additional research on it. If the new data processing is compatible with the original purpose and if the processing is based on consent, the new regulation allows you for further processing if the data you’ve collected for one purpose can be used for another.
Element 9: Data Minimisation & Pseudonymisation
Only collect what you need. Personal data must be adequate, relevant and limited. If the data no longer has a shelf life in terms of your business, get rid of it.
There is also this new concept of pseudonymisation that has been introduced, which falls between anonymous data and identifiable data. Pseudonymous data is basically the data that has been processed so much that it can no longer be attributed to an original subject without additional information. So things like IP addresses can be counted as pseudonymous data. However, regardless of whether it’s pseudonymous or not, you should treat all data as identifiable, just to be safe.
Element 10: Enhanced Rights and Fines
While the individual rights mentioned in the current legislation remain, some new rights and enhanced rights are also being introduced, including:
- Right to access– a person can ask an organisation to send them all data they hold on them
- Right to be forgotten– a person can ask an organisation to get rid of all data they hold on them.
- Right to request porting of data– Right to request the transfer of data from one company to another company.
- Right to object to certain processing activities
- Right to object to decisions taken by automated means– In an age of AI, this could become an issue. This means if your data processing involves algorithms etc., you will have to declare it explicitly in your policies.
One of the main reasons GDPR has had so much press and why everyone is so worried about the new regulation is because of the heavy fines it brings with it. Under the new policy, passive or wilful noncompliance can be fined with €20,000,000 or 4% of global turnover, whichever is higher. Needless to say, this could pose serious damage to a business so companies that never considered personal information security before should start thinking about it fast.