The Global Data Protection Regulation (GDPR) was approved and adopted by the European Union Parliament after more than four years of negotiations, effective after a two-year transition period. The GDPR gives EU citizens more control over their personal data and makes companies that collect, process and store personal data far more liable for EU citizens’ data regardless of their location, or your business’ location.
Enforcement begins on May 25, 2018. The clock is ticking and yet many misconceptions persist. This is partly due to the vast difference between privacy laws in the United States versus other countries, and specifically in this case, the EU. This is a quick guide to the most significant aspects of the European privacy regulation.
GDPR will standardize privacy protection laws across the 28 EU member states and the European Economic Area, replacing the Data Protection Directive, which was formalized in 1995. Previously, under the 1995 Directive, each member state set its own data protection rules, which created an inconsistent regulatory environment and compliance headaches for companies trying to do business in the EU.
Companies will no longer be allowed to collect or process a European citizen’s data without identifying their legal basis for doing so. Companies will also be barred from using previously collected data if it was not obtained with appropriate notice and consent measures. GDPR introduces several new concepts, including substantial fines for noncompliance and enhanced rights for data subjects, which need to be addressed for any company doing business in the EU or any company housing an EU’s citizen’s personal data in its database.
The GDPR introduces several new concepts, including substantial fines for noncompliance and enhanced rights for data subjects, which need to be addressed for any company doing business in the EU or any company housing an EU’s citizen’s personal data in its database.
GDPR infractions come with significant penalties of up to 20 million Euros or 4 percent of global annual turnover for the previous year, whichever is greater – per violation. A maximum fine can be imposed for the most serious infringements such as violating the core of Privacy by Design concepts. It is important to note that these rules apply to both data controllers and processors.
Supervisory authorities are authorized to consider mitigating factors when setting a fine. For instance, a company that demonstrates an effort to comply and reports any violation as required, will likely be punished less harshly than willful violations.
“As our industry’s Privacy Advocate since our founding in 1999, and practitioner of Privacy by Design, we welcome this regulation. Organizations ignoring GDPR will either go out of business, or be acquired by a competitor for their customers.
We embrace GDPR because it will result in a cleaner ecosystem and suppliers will be valued not just for feature/functionality but also for their privacy-respecting practices"
GDPR establishes different rules for data controllers and data processors. A controller is the entity that determines the purposes, conditions and means of the processing of personal data, such as licensees of event marketing automation software, or third parties that operate the software on their client’s behalf. Data controllers determine why and how personal data may be processed, and are required to establish a legal basis for processing data.
A data processor is an entity which processes personal data on behalf of the controller, such as the software provider. The law states that data processors “process personal data on behalf of the controllers.” Processors must do their processing legally and responsibly, and controllers must ensure that their processors are doing a proper job.
Although the rules governing controllers are more stringent, both controllers and processors are the responsible under GDPR. Unlike the previous privacy regime, processors are subject to enforcement actions and could be liable for big penalties if they do not comply.
What are your record-keeping requirements?
Data controllers and subcontractors (third party service providers) must maintain written records of their data processing activities, including why they are processing the data and how long they plan to keep it. If requested by data protection authorities, this information must be made available.
What is your accountability?
Data controllers must also clearly document all the actions they are taking to comply with GDPR. This is referred to as “data protection by design and by default,” and must be proved as proof of compliance if regulators request access.
Any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, photo, email address, financial details, social security identification, posts on social networking websites, medical information, or a computer IP address.
GDPR also broadens the definition of personal data to include “identified” and “identifiable” data. This means personal data includes any information used to identify a person, including location data, mobile device IDs, and IP address data is considered sensitive personal data.
Pseudonymous data, which is personal data that’s been hashed, encrypted or anonymized in some way is also a potential compliance nonstarter. Data that can be re-identified and with reasonable effort by combining it with additional data points is also consider protected personal data.
GDPR expands the right of erasure, (also known as the right to be forgotten), by requiring data controllers to take steps to ensure that the data is deleted and deleted by any third parties it has been shared with.
Data portability between online platforms is also an individual’s right. This translates to the right to not be subjected to automated data processing, such as profiling; and the right to obtain a copy of their processed personal data for free and in electronic form upon request, including details as to where it is being used and the purpose.
Companies can process data if they have a legal basis for doing so. Banks, for instance, must process customer data to comply with the law. There are two legal bases to be mindful of: legitimate interest and consent. Companies that demonstrate a “legitimate interest” can in certain cases lawfully process personal data without consent: if the data was collected legally, if there is a justifiable reason for its use and if the processing was done responsibly.
Establishing legitimate interest requires the data controller to conduct an exercise called the “balancing test,” in which it weighs its own interests against the rights of the data subject, including the individual’s reasonable expectations about how his or her data is processed and whether the controller has the right safeguards in place.
“Direct marketing” is specifically called out within GDPR as a legitimate use of personal data, but with certain caveats. Personalized communications, targeted advertising, aggregating analytics to create trend reports and track ad performance, post-click tracking and audience measurement are all potentially acceptable under GDPR, providing the controller ensures that users can easily opt out at any time. This also requires that proper opt-in disclosures are provided.
Data controllers – the parties that decide how personal data is used – must get “unambiguous” consent for each purpose they plan to use the data for. In other words, a company cannot obtain t consent for one purpose and then turn around and use that data for another purpose. Consent must be freely given and explicit.
Opt-out models (aka pre-checked boxes) will not be acceptable anymore. What is known as the informed consent model, which is when a site loads tracking cookies at the same time as the page loads along with a brief notice, usually in pop-up form, alerting the visitor that the site uses cookies is also not acceptable. Barrier pages, when content is blocked until a user agrees to enable tracking, will not work either.
The bottom line is that a person’s consent must be both affirmative and informed. The data protection authorities in the UK, France and Germany all agree that a person can signal consent to processing by ticking a box on a website, but only if they have been shown a clear notice with straightforward language beforehand. This means that event registration will require explicit language to provide registrants with the ability to opt into data collection, get visibility into what is being collected and modify what is being tracked or shared with other parties such as meeting services providers, hotel/venues, etc.
Contact Lenos Software to learn more and how we can help you meet your compliance requirements for meetings and events management enterprise-wide.
