May 25th 2018. This is a day that is highlighted in many people’s diaries. This is the date on which four years of effort will culminate in the arrival of the General Data Protection Regulation, or as many people know it, GDPR.
GDPR is a huge step in the changing world of data protection, and for the first time, brings these laws into the 21st Century, for EU consumers at least.
What is GDPR?
GDPR has been built to regulate “the processing by an individual, a company or an organization of personal data relating to individuals in the EU”. In simple terms, it’s giving control of how organisations collect and process personal data back to the consumer.
As outlined within the guidelines, following the implementation of GDPR, businesses will need to have collected personal data lawfully, which means in one of two ways:
- Where users consent to businesses processing their data. This consent must be an active, affirmative action by the user rather than passive acceptances through pre-ticked boxes or opt-outs. Businesses must also keep a record of how and when the user gave consent, and any individual is within their rights to withdraw this consent as and when they wish.
- When personal information is required to comply with a contract or legal obligation, or where it is used to protect an interest that is “essential for the life of” the user.
If you are a “controller” or “processor” of data, then you need to abide by GDPR. A controller can be any business that wishes to use or collect personal data, while a processor is any entity that processes the data itself. In reality though, any business that has a data-collection model for the EU that does not abide by these rules today will need to have brought it up to scratch by May 25th 2018, or stop collecting the data entirely.
The core of GDPR is giving control over personal data back to the consumer. As such, it’s important to understand what exactly “personal data” is. For GDPR, it can be anything from a name, address or photo, through to a user’s IP address and genetic or biometric data that might enable you to identify a unique individual.
Aside from users and their safety, there is a benefit to businesses too. It’s estimated that this change in regulation will save businesses upwards of AU$3.5bn by giving clear guidelines on what user information can be tracked and stored, and how this can be done, while also simplifying some of the previously more confusing aspects of past regulations.
Why is this happening?
In the 21st century, data and the use of it to understand consumers is part and parcel of everyday life. From how we wake up, roll over and grab our phones to see what’s happening on Facebook and Instagram, to purchasing lunch at our local market, our lives revolve around data – or more specifically, Personally Identifiable Information (PII).
Large amounts of personal data are captured each and every day from consumers, and recent news stories have highlighted the dangers of giving access to this data without their necessary consent. In a world where advertisers can use countless different attributes to target consumers with media, it’s important to make sure that lines aren’t blurred, and that it’s being done in a positive, minimal-risk way for the user.
What rights does this give to the consumer?
Aside from the requirement that a user must give a business consent to use their data for a specified purpose (whatever that may be), the user has the right to ask at any time for a copy of the personal data that’s being held. In this case, the business is required to supply this information to the consumer in a “commonly used electronic format” (assumed to mean .txt, .pdf or similar) within a month.
In addition to their “Right to Know”, the consumer also has the right for any errors to be corrected, and to ask for their personal data to be deleted or have it moved at their own will. Assuming the request is reasonable, the one-month timeframe to reply applies here and will have to be done at no cost to the consumer in question. As a processor or controller of data, you must abide by all reasonable requests, though you also have the right to ask for confirmation of identity before handing the data over.
Isn’t this just for EU based businesses?
While GDPR is an EU regulation, it’s also a set of rules for any business that is active within EU member states – or more helpfully defined, any business where activities involve offering goods or services to individuals in the EU (whether or not payment is required), or monitoring the behaviour of individuals in the EU, where that behaviour takes place in the EU.
This doesn’t mean you need to have a physical presence in the EU. Instead, it accounts for any business that is running any sort of activity on European soil. So if you have customers in the EU or are advertising beyond strict geographical areas, this means you need to be GDPR compliant.
As an Australian/non-EU business, you still need to be GDPR compliant if you meet one of the below criteria:
- An Australian/non-EU business with an office in the EU;
- An Australian/non-EU business whose website enables EU customers to order goods or services in a European language (other than English) or enables payment in euros;
- An Australian/non-EU business whose website mentions customers or users in the EU;
- An Australian/non-EU business that tracks individuals in the EU on the internet and uses data-processing techniques to profile individuals to analyse and predict personal preferences, behaviours and attributes.
What are the implications of GDPR?
The EU is not taking a light touch when it says businesses need to be GDPR compliant. Gone are the days of a slap on the wrist for data breaches (not literally, but we’ve all seen some of the inconsequential fines that have been imposed). Instead, they’re going to come down hard on businesses that fail to abide by this regulation.
Article 83 of the document outlines the “General conditions for imposing administrative fines”, which identifies two different conditions where businesses that breach the rules will have to face the implications.
- Those businesses that didn’t follow the principle of security by design (meaning a product or service that is built on top of the existing compliance and security framework) can be fined up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is greater;
- Those businesses that didn’t follow the principle of security by default (meaning a product or service that has operational control on top of data access) can be fined up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is greater.
These aren’t fines that can or will be brushed off, and it shows the importance that the EU is going to place on making sure personal data is managed effectively. What is interesting is that the UK has put forward a new Data Protection Bill that essentially replicates GDPR once the UK leaves the Union. It will be interesting to see what happens outside the EU in time, but for now, the focus remains here.
What can I do right now?
If you don’t meet any of the criteria to necessitate becoming GDPR compliant, then nothing really needs to change for you. For those that it will impact, we would hope this isn’t coming as a shock. Many businesses have been investigating what this means for a year or more, and are already well on their way to being compliant by May 25th. Some businesses are taking different actions though, and are stepping back from data collection globally or in the EU until they are completely happy with their compliance. This may be easier for brands that do not have a big footprint in the region, but regardless of size or difficulty, it’s necessary nonetheless.
For those still on their GDPR journey, it’s important to think about the following:
- You need to ensure that you are asking consumers to opt in, not out;
- Consent needs to be separated from terms and conditions;
- You should audit your data collection to understand if there are any pieces of personal information you do not need to collect;
- You should audit your data platforms to identify opportunities to reduce the number of them that you’re using to store personal information.
With GDPR it’s better to be safe than sorry. This article outlines many of the main thoughts and implications around these new regulations; however, there are many other factors that could decide whether or not this is relevant for you. In any case, should you have burning questions, we recommend you speak to a qualified legal representative to ensure you have all the information you need to work from, sooner rather than later.