To gain a better understanding of the General Data Protection Regulation (which has already been dubbed “the most important change in data privacy regulation in two decades”), we recently consulted with Robert W. Dibert, a Frost Brown Todd attorney with extensive data privacy and security experience dating back to the early 2000s. Mr. Dibert was happy to provide additional insights into many of our questions, giving us a better idea of what some of these GDPR changes are, who they might affect, and what can be done to ensure smoother GDPR implementation for companies before the May 25th deadline.
Keep in mind that the GDPR is a massive piece of legislation, and this blog will only touch on some of its stipulations. This blog is also not intended to be taken as explicit legal advice for your company to follow. It only aims to educate readers with an informative GDPR overview, while also providing examples of steps that other companies have taken to ensure their own compliance.
Even though the GDPR is a European initiative, it's set to affect virtually all businesses that offer goods and services to, or monitor the behavior of, data subjects in the EU. In fact, one of the most drastic GDPR changes is that any company collecting personal data on people located in the EU, regardless of their citizenship, may be subject to a wide variety of penalties. For example, if a non-EU company violates a GDPR requirement, that company could still incur a maximum fine of up to 4% of its annual global turnover or €20 million, whichever is higher.
This is causing a commotion in the US because, according to some surveys, more than half of all large U.S. companies may be subject to GDPR because of the amount of business they do with or inside the EU.
To avoid such steep fines, GDPR awareness will only become more and more essential if companies wish to continue collecting personal data on EU subjects (or even American subjects simply traveling through). But what exactly constitutes “personal data” under the new GDPR framework?
“While the 1995 Directive was somewhat consistent with the US definition of what defines personal information, there’s an expanded definition of what is considered ‘personal data’ for the GDPR. Beyond specific definitions of personal health information and personal financial information common in the U.S., the GDPR says that any information that can be used to identify an individual qualifies as personal data, so that expands the scope into things like IP addresses, biometric identifiers, or any other information that could be linked to define an individual.”- Robert W. Dibert, Frost Brown Todd
So, after 20 years of relative consistency under the Data Protection Directive, the GDPR aims to modernize things to more effectively protect today's EU data subjects from privacy and data breaches in an incredibly data-driven world that's vastly different from the one in which the 1995 directive was established. To update and reinforce the protection principles contained in the '95 directive, a widely publicized set of new rules has been put in place emphasizing "extraterritorial applicability": that is, an increased emphasis on protecting the personal data of people in the EU from organizations outside the EU as well.
The GDPR aims to set a much higher standard for user consent, one that gives individuals real choice and control over the collection and processing of their personal data. Consent must be freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as it was to give. In particular, special categories of personal data (information revealing racial or ethnic origin, political opinions, religious beliefs, health, sexual orientation, and the like) require explicit consent, meaning subjects will need clear descriptions of why the data is being collected and how it will be used. In other words, transparency is the name of the game: pre-ticked boxes, silence, and inactivity do not count as consent, and a vague "Yes" or "No" choice to "opt in" or "opt out" won't cut it anymore.
Under the GDPR, data controllers must report a personal data breach to the appropriate EU supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected. Where the breach is likely to result in a high risk to those individuals, the controller must also notify them directly. The obligation applies regardless of whether the organization was at fault for the breach, and a late notification must be accompanied by the reasons for the delay. Similarly, data processors are required to notify the relevant data controller without "undue delay" as soon as they become aware of a personal data breach.
By its very nature, big data is designed to collect a lot of information, and that inherently creates security complications and accountability issues. That's why Article 17 of the GDPR includes a "right to erasure" (also known as the "right to be forgotten"). Although the concept has existed for some time under EU law, it was limited in its applicability. The revised right to erasure gives data subjects more autonomy, especially in regard to having their personal data erased on request. Even so, the right still applies only in certain circumstances, albeit many more than were previously allowed. Some, but certainly not all, of the circumstances in which the right to be forgotten can be exercised under the GDPR include:
Of course, all of this is still just a sample of the many changes the GDPR will bring about. Considering that the regulation contains 11 chapters and 99 articles, it would be hard for any single blog to comprehensively cover every nuance of its provisions. In addition, some of its articles may apply to your business more than others, while others may not apply to your business at all. All of this is why it's so critical that you confer with your organization's own legal team to sort through this massive piece of legislation and become as compliant as possible.
“We have seen general activity dating back to 2016 when the EU formally passed GDPR. In the last 90 days or so, there has been an uptick in businesses looking at their operations and asking, ‘Are we doing a kind of business that is reaching across jurisdictional lines, and if so, what are the costs of compliance versus the cost of doing that business?’ There are even some internet businesses that have stopped doing business across jurisdictional lines because the cost of compliance just isn’t worth it.” – Robert W. Dibert, Frost Brown Todd
Back in late March, it was estimated that only 21% of U.S. businesses had a GDPR plan in place. Of course, compliance requirements will vary by company and industry, and since the GDPR assigns distinct roles to organizations (controller or processor) based on the way they collect and use data, ensuring full compliance is a tricky and expensive undertaking. But that's no excuse for a lack of initiative. Still, the minority of companies that have been preparing for the GDPR are at least ahead of the game.
We also explain what we may use their information for, which could be anything from statistical analysis, creating tailored email lists, delivering customized content, etc. For further transparency, we explain what steps we take to safeguard their information, and also mention that we only collect info if it’s voluntarily provided, and so on. Essentially, the goal was to be as upfront, clear, and honest as possible, which is ultimately what the new GDPR privacy protection stipulations are all about.
Here are some examples of steps that other companies have taken to prepare for upcoming GDPR changes, many of which have been meticulously outlined in their own on-site blogs and articles:
Established in 2006, HubSpot is now a leading provider of inbound marketing software and online sales services; in other words, they handle a lot of customer data for their clients. Because of this, they created one of the most detailed pieces of content online describing the steps they took (and are still taking) as a company to ensure GDPR compliance for themselves and their clients alike.
They explain how their tech, security, and legal teams have been working diligently and in unison to help clients meet GDPR requirements regarding how they use HubSpot’s services to collect and store EU personal data. They’ve also created a glossary to help customers understand the legal jargon contained in the GDPR, a checklist to help companies assess and modify their data collection practices, and a ton of other resources meant to assure their customers that they are knowledgeable on the subject and can be depended on to educate and guide them in the right direction.
Usability testing is one of the most insightful collection tactics for digital marketers, designers, and developers. Participants (the “user testers”) agree to have video recordings taken of their screens as they navigate websites and complete a series of tasks, while also having audio recorded so they can provide verbal feedback. With such intensive and sensitive data being collected, UserTesting.com had to be adamant about ensuring GDPR compliance, so they came out with a detailed article explaining:
We have carefully examined the relevant stipulations of the GDPR and conducted an assessment of applicable UserTesting processes. These steps, as well as ongoing efforts, help us in developing tools and procedures that ensure continuing GDPR compliance for all customers and users…
They then go on to list a side-by-side comparison of imminent GDPR changes and note the implications for their customers and clients, all before explaining that “the GDPR aligns directly with our goals and ideologies” to “respect the privacy and ensure the security of all customers, partners and associated parties who have made the choice to do business with us.”
Obviously, Google needs no introduction, but neither this tech behemoth nor their customers are immune to potential GDPR penalties either. To help alleviate client anxiety and provide guidance, they created a robust guideline related to the EU GDPR, particularly in regards to how their Google Cloud software will comply with these new laws.
For example, they explain that their data processing agreements for the Google Cloud Platform clearly articulate their commitment to privacy and that these terms constantly evolve based on feedback from customers and regulators alike. They also explain how all Google employees sign confidentiality agreements, go through confidentiality tutorials, and complete “Code of Conduct training” so they can properly protect sensitive data per GDPR requirements. But that only scratches the surface: from revised encryption protocols to new vulnerability management directives to easy-to-find and highly detailed instructions on how customers can delete their data if they choose, it’s no surprise that Google has already positioned itself as a thought leader on appropriate GDPR implementation and preparation.
“In the EU, up to ⅔ of EU citizens are concerned about their ability to control the use of their personal data. In the US, the reported number is somewhat less, but it’s still at least half. There was also a survey in the UK that showed that up to half of their citizens intend to assert their rights to protect their personal data. So, as far as consumers are concerned, yes, there is a clear want for more transparency and consistency in regards to how their data is being collected and used. On the other hand, GDPR compliance will cost businesses a lot of money, meaning some companies may look for alternatives such as outsourcing EU-related internet communications to a provider who can assume much greater responsibility for compliance.” – Robert W. Dibert, Frost Brown Todd
So, in essence, the GDPR is good in that, ideally, it will lead to a more open and intuitive internet, one where customers don’t have to struggle to find a “Decline” or “No thanks” CTA while glaring at a ridiculously sized “Accept” button. And that’s not just an opinion—in fact, a HubSpot survey on consumers in the UK, Ireland, Germany, Austria, and Switzerland found that 90% believed the general GDPR privacy protection principles are a “good thing.”
On the other hand, GDPR implementation has already cost companies around the world a lot of time and resources—and these expenditures won’t simply end come May 25th. Ongoing upkeep and accountability will become hallmarks of many businesses, assuming those businesses wish to maintain prolonged compliance and avoid steep GDPR penalties.
Still, at the end of the day, the argument about whether or not the EU GDPR rules are “good” or “bad” is irrelevant—they’re coming either way! However, since we like to end things on a positive note, we would like to say that we do believe these GDPR changes will ultimately lead to a better, safer, and more transparent internet…and that’s desperately needed in a time filled with such widespread publicity surrounding data breaches and other issues. At the end of the day, any law or regulation that eventually leads to renewed customer trust and better relationships between companies and consumers is a positive step in the right direction….in our book, at least.
Disclaimer: This blog is not intended to be an encyclopedic overview of the new GDPR framework. It’s also not intended to be taken as legal advice for your company to follow while complying with new GDPR privacy laws. This blog, and ADK Group as a company, only aim to educate readers with an informative, high-level GDPR overview, while also providing examples of steps that other companies have taken to ensure compliance. If you wish to ensure full compliance within your own company, it is highly recommended that you consult with your attorney(s).