The European Union’s General Data Protection Regulation 2016/679 (GDPR) will take effect on May 25, 2018, bringing new laws on privacy in regard to individuals’ personal data and how it’s processed.
GDPR will significantly strengthen the rights of individuals and increase the obligations on organisations, even when they operate outside of Europe.
I’ve been paying close attention to these issues, in both my current work at Clinch as well as in previous roles involving technology policy. We’ve been working closely with our customers to make sure they fully understand how these changes will affect their processes. Here are some of the questions we’re hearing most often as the clock ticks down to May 25.
Does this really affect my organization?
Yes. All organisations are “data controllers” — i.e. entities that, alone or jointly or in common with others, determine the purposes for which and the manner in which any personal data are processed.
As a data controller it would be an expensive mistake to ignore this regulation. GDPR has a tiered series of penalties that could take a large bite out of an offending organisation’s profits. Serious infringements could mean penalties of up to 4 percent of a company’s global revenue for violations of basic principles related to data privacy and security, and of up to 2 percent of global revenue if company records are not in order or if the supervisory authority and data subjects are not notified when personal data is exposed in a security breach.
We are not based in Europe. Is this relevant to me?
The principle of “extraterritoriality” in GDPR means that if your company collects data about EU data subjects — for recruitment purposes, for example — then all requirements of GDPR apply to you, even if you don’t have a physical presence in the EU.
What is meant by ‘Privacy by Design’?
The concept of “Privacy by Design” has always played a part in EU data-protection regulations, but under the new regulation the principles of minimizing data collection and retention and of gaining consent from consumers when processing data become very explicit, with significant penalties for noncompliance.
Simply put, Privacy by Design means that when a product or service interacts with the public, the default settings or processes of that product or service should protect the privacy of the public without their manual input.
Obtaining consent before collecting personal data, only collecting the specific personal data that is necessary for optimal delivery of the service and retaining this data for the minimum period needed are all examples of this.
In general, this means you need the explicit consent of the person whose data you are collecting, processing and retaining. If you do not have this explicit consent, you will need to have clear legitimate interests to collect someone’s data without their consent, and only if it does not compromise the interests of the data subject.
The burden of proof that the data subject has knowingly given consent will lie explicitly with you as a data controller. And a data subject may withdraw their consent at any time, request a copy of their data or its erasure, and insist on the “right to be forgotten.”
What does the term ‘right to be forgotten’ mean?
There has been a long-standing requirement in the Data Protection Directive that allows individuals to request that their data be deleted. At first glance this seems quite easy to achieve, but once you start to think about data stored in data lakes or backups this can become a significant issue. GDPR extends this right to include data published on the web — in blog posts, for example.
Do we need to do anything before we start collecting and processing data?
Yes. In general you need to maintain a record of any processing activities under your responsibility, including the categories of data you will be collecting, why you are collecting it and how long you intend to hold it. Where possible you also need a general description of the technical and organisational security measures you have in place.
New technology is also singled out for a special mention here. If a new type of processing is likely to result in a high risk to the rights and freedoms of a natural person, you will need to assess the impact of the envisaged processing operations on the protection of personal data. The regulations indicate that your country’s supervisory authority will make public a list of processing operations that are subject to the requirement for a data-protection impact assessment.
What about our existing data?
If your company is processing existing personal data, it still needs to be processed lawfully, fairly and in a transparent manner. Your systems and processes also need to handle it in a way that ensures the appropriate security of the personal data. And you must make sure the data is accurate and, where necessary, update it, taking every “reasonable step” to ensure that any inaccurate personal data is erased or rectified.
The ability to demonstrate compliance with these requirements is also important.
What about data we get from other sources?
Personal data that was not obtained directly from the data subject still comes under the regulation. You must tell the data subject who you are and why you have collected their data, the categories of data you have collected and how long you plan to hold on to it. This all has to happen when you first make contact with the person or at most within one month of obtaining their data.
What if we need to move someone’s personal data to another country?
Movement of data is particularly complex, and can depend on the intended destination and the reason for the transfer. In some cases moving personal data to countries that do not have sufficient protections in place may require the explicit consent of the person after you have informed them of the possible risks of a transfer. In the context of recruitment, where large volumes of personal data may be stored in resumes, this has the potential to become a real challenge.
What happens if we or one of our vendors are hacked?
Under GDPR, an organisation has a legal obligation to report any breach of security that leads to identifiable personal information being disclosed, destroyed, lost, altered or stolen — and must do so within 72 hours of becoming aware of it. Additionally, data subjects have to be notified if the data released poses a “high risk to their rights and freedoms.”
Can someone take an action against us if we do not handle their data correctly?
Yes. An organisation is liable for the damage caused by processing that infringes GDPR. Someone who suffers damage as a result of infringement is given an express right of action under the regulation to receive compensation from the infringing organisation. The burden of proof is on the infringing organisation to prove that it was not responsible for the event giving rise to the damage. Vendors may have specific liabilities for their actions under the regulation, but the proverbial buck — or euro — stops with the data controller.
Is automation using AI and machine learning affected by this?
Yes. GDPR means that the data subject shall have the right not to be subject to a decision based solely on automated processing and profiling. As the world of AI and machine learning advances rapidly, more and more decisions are being made by computers. This legislation extends protection to data subjects against these types of decisions having a negative effect on them.
Interestingly, “e-recruiting practices” without any human intervention are singled out. Also specifically mentioned is profiling someone in order to analyze or predict aspects concerning their performance at work. As more and more software starts to incorporate algorithmic decision making based on machine learning, this has the potential to really slow down innovation in this space.
The last word
This is a new regulation and as such there are elements that are open to interpretation, and in the absence of precedent it can be difficult to give a black-and-white opinion. However, legal interpretation is relevant and can draw on previous experience with existing data-protection regulations. If you’re concerned, then consult your legal adviser on the areas you feel may be applicable to your business.
If you’re interested in reading and understanding the actual regulations they can be found in full here: http://gdpr-info.eu/.