Four years of combative debates resulted in the adoption of the General Data Protection Regulation (the GDPR). The regulation is extraterritorial: wherever you are based, if you work with EU residents you have to respect the European law.
We are launching a series of articles devoted to the GDPR. In the first part, we take a quick skim through the main principles of the regulation, find out who controllers and processors are, and explain why you should care about compliance. In the second part, we will present our extremely practical GDPR compliance checklist.
The GDPR became enforceable on 25 May 2018. The date of enactment was fixed as early as 2016, yet many companies admit that they do not fully comply with the GDPR requirements. TrustArc’s report says that little has changed in the first months since the regulation came into force:
Particularities of the GDPR
The GDPR sets out 7 key principles:
- Lawfulness, fairness, and transparency – personal data should be processed lawfully and fairly, and in a manner that is transparent to the user.
- Purpose limitation – personal data should be collected for specific, clear and legitimate purposes.
- Data minimization – personal data should be limited to the volume that is necessary to achieve the determined legitimate objectives.
- Accuracy – personal data should be kept accurate and up to date.
- Storage limitation – personal data should be kept in a form that allows a user to be identified for no longer than is necessary to achieve the determined legitimate objectives.
- Integrity and confidentiality – personal data should be processed in a way that ensures the data is kept secure.
- Accountability – a company is liable to users and supervisory authorities for the data it collects and processes, and it should be able to demonstrate its compliance.
Who Does the Regulation Apply To
First of all, we need to clear up who is covered by the GDPR. The regulation applies to all companies that process the personal data of EU citizens and residents, regardless of whether the processing takes place on EU territory or not.
This means that there is no legal difference between a bank in NY that opens an account for a French businessman and a Tanzanian Bushman who sells hippo-tooth necklaces to European tourists on the internet.
The processing of personal data is the one thing these two examples have in common. Recall that personal data is any information – from an email address to relationship status – that can directly or indirectly identify an individual.
The regulation introduces new terms. The GDPR applies to data controllers and data processors.
Controllers bear the main responsibility for the processing and are bound to contract processors on terms that ensure mutual GDPR compliance.
Let’s take an example. “Clay Crow” is an online clay retailer that sells its products all around the world. The retailer collects its customers’ addresses (for delivery) and email addresses (for email marketing). “Clay Crow” is a data controller because it is the one that defines what personal data is processed, for what purposes, and how the data is secured.
Now imagine that this same “Crow” decides to find out why green clay sells like hotcakes while the white one remains unsold for months. Seeking answers, the retailer installs Google Analytics on its website. Now that service also processes the data of Crow’s customers, which makes Google Analytics a data processor.
Summing up, the regulation applies to:
- controllers – the companies that collect users’ data (users are referred to in the regulation as “data subjects”) and define the purposes and methods of processing;
- processors – the third-party companies that process the data on behalf of a controller;
- companies that provide goods and services to EU citizens and residents;
Is your hotel’s website translated into a European language? Then you target a European audience and should comply with the GDPR.
- companies that monitor the online behaviour of EU citizens and residents.
How Much Does Non-compliance Cost
Non-compliance with the GDPR is very expensive. The fine for failing to comply with the requirements of the regulation is determined by various factors, including the nature, severity and duration of the infringement, previous breaches, the number of people affected and many other things.
The maximum fine is €10 million or 2% of annual global turnover at the lower tier and €20 million or 4% of annual global turnover at the upper tier.
The point is that, under the law, the choice between the fixed amount and the percentage is made on the principle of “whichever is higher”.
Let’s assume that the startup “Pinocchio” produces wooden drones. Anyone who feels like it (including Europeans) may buy one of these drones on the internet. The startup’s annual turnover is €32 million. A hacker attack caused its customers’ payment data to leak onto the internet. The startup’s management made no attempt to take any measures and did its best to cover the breach up. Under the GDPR, such a questionable strategy costs €10 million or 2% of the previous year’s annual global turnover. Two percent of the startup’s turnover equals €640 thousand. However, on the “whichever is higher” principle, “Pinocchio” is bound to pay €10 million.
Another example. The Russian bank “Red Collector” provides loans to European citizens. Last year’s turnover was meagre: only €952 million. For the last few years the bank has been selling the personal data of its clients abroad (without the clients’ consent, of course). The law provides a maximum fine for such an offence of €20 million or 4% of annual global turnover. Four percent of €952 million is more than €38 million. That is how much neglecting the regulation will cost “Red Collector”.
These examples are not that far from the truth. The prospect of the maximum fine is exactly what hangs over the ticket-selling platform Ticketmaster. The company is responsible for a data breach that affected 40 thousand users.
Before you start panicking, consider this: the worst-case scenario is not the first option. The European Commission has even made an animated infographic explaining how supervisory authorities monitor compliance with the regulation and punish lawbreakers. If an infraction is minor, the data protection authority issues a warning and gives time to fix the inconsistencies. Keep in mind that the GDPR was designed not to hinder normal business processes but to protect users’ rights.
A reasonable question arises: how do you avoid even a “minor infraction” and check your level of compliance with the regulation right now? Read the highly practical recommendations in our next article.