GDPR
The GDPR is coming, and Expense on Demand is here to help.
On May 25, 2018, a groundbreaking new data protection law called the General Data Protection Regulation (GDPR) will enter into force in the European Union (EU). The GDPR expands the privacy rights granted to EU individuals and imposes many new obligations on organizations that trade in, track or handle EU personal data, regardless of where the organization is located. Expense on Demand (EOD) is here to assist our customers in their GDPR compliance efforts through our robust privacy and security protections.
What is the GDPR?
The GDPR is a new comprehensive data protection law (in force since 25 May 2018) in the EU that strengthens the protection of personal data in light of rapid technological developments, increasing globalization and more complex international flows of personal data. It updates and replaces the patchwork of national data protection laws that currently apply with a single set of rules that are directly enforceable in every EU member state.
What does the GDPR regulate?
The GDPR governs the “processing” of data relating to EU individuals, which includes the collection, storage, transfer or use of that data. Any organization that processes the personal data of individuals from the EU falls under the scope of the law, regardless of whether the organization has a physical presence in the EU. Importantly, under the GDPR, the term “personal data” is very broad and includes any information relating to an identified or identifiable natural person (also called a “data subject”).
How does GDPR change privacy law?
The key changes are the following:
- Expanded data protection rights for EU individuals, data breach notification and other security requirements for organizations, as well as customer profiling and monitoring requirements.
- The GDPR also includes binding corporate rules, which organizations can use to legitimize the transfer of personal data outside the EU, and a 4% penalty on global revenue for organizations that fail to meet their GDPR obligations.
- In general, the GDPR provides a central point of enforcement by requiring companies to cooperate with the lead supervisory authority on cross-border data protection issues.
Does the GDPR require EU personal data to stay in the EU?
The GDPR does not require EU personal data to remain in the EU, nor does it impose any new restrictions on the transfer of personal data outside the EU, although such transfers remain subject to certain provisions. At EOD, we still make sure that EU users’ data actually stays in the EU. Also read the MSA.
What EOD is Doing
EOD welcomes GDPR as an important step forward in streamlining data protection requirements across the EU and as an opportunity for EOD to deepen our commitment to data protection. Similar to existing legal requirements, GDPR compliance requires a partnership between EOD and our customers when using our services. EOD will comply with the GDPR when providing our services to our customers. We also strive to help our customers comply with GDPR.
EOD’s Commitment to Data Protection
At EOD, trust is our #1 value and nothing is more important than our customers’ success and the protection of our customers’ data. EOD’s robust privacy and security program meets the highest industry standards. Over the past few years, we have consistently reinforced our commitment to protecting our customers through our actions:
What Customers Should Do
- Get Buy-in and Build a Team
  - Raise awareness of the importance of GDPR compliance with organization leaders
  - Obtain executive support for necessary staff resources and financial investments
  - Choose someone to lead the effort
  - Build a steering committee of key functional leaders
  - Identify privacy champions throughout the organization
- Assess the Organization
  - Review existing privacy and security efforts to identify strengths and weaknesses
  - Identify all the systems where the organization stores personal data and create a data inventory
  - Create a register of data processing activities and carry out a privacy impact assessment for each high-risk activity
- Establish Controls and Processes
  - Ensure privacy notices are present wherever personal data is collected
  - Implement controls to limit the organization’s use of data to the purposes for which it collected the data
  - Establish mechanisms to manage data subject consent preferences
  - Implement appropriate administrative, physical, and technological security measures and processes to detect and respond to security breaches
  - Establish procedures to respond to data subject requests for access, rectification, objection, restriction, portability, and deletion (right to be forgotten)
  - Enter into contracts with affiliates and vendors that collect or receive personal data
  - Establish a privacy impact assessments process
  - Administer employee and vendor privacy and security awareness training
- Document Compliance
  - Compile copies of privacy notices and consent forms, the data inventory and register of data processing activities, written policies and procedures, training materials, intra-company data transfer agreements, and vendor contracts
  - If required, appoint a data protection officer and identify the appropriate EU supervisory authority
  - Conduct periodic risk assessments
GDPR: Fiction versus Fact
As you gear up your organization to comply with the forthcoming EU General Data Protection Regulation (GDPR), you may come across contradictory information about what the GDPR does — and does not — require.
One of the main challenges for organizations that are facing GDPR compliance is finding the resources to sort through the facts and the fictions of this new law. With that in mind, EOD has put together this guide to help clarify some common confusions around the GDPR and get you and your organization on the path towards compliance.
- Fiction: “Processing European personal data requires the consent of the data subject.”
Fact: Consent is only one of the legal bases one can use for the processing of personal data (Article 6(1)(a)). For instance, personal data can also be processed:
- when necessary for the performance of a contract to which the data subject (the individual whose data is processed) is a party;
- when there is a legal obligation to do so (such as the submission of employee data to a tax authority); and
- sometimes even on the basis of legitimate interests, such as commercial and marketing purposes. The legitimate interest must, however, outweigh any detriment to the privacy of the data subject.
- Fiction: “European personal data must be stored within Europe.”
Fact: The GDPR does not contain any obligation to store information in Europe. However, transfers of European personal data outside the European Economic Area (EEA) generally require that a valid transfer mechanism be in place to protect the data once it leaves the EEA (Chapter V, Articles 44-50).
- Fiction: “The GDPR requires EU personal data to be encrypted at rest.”
Fact: The GDPR does not mandate specific security measures. Instead, the GDPR requires organizations to take technical and organizational security measures which are appropriate to the risks presented (Article 32(1)). Encryption at rest and pseudonymization may be appropriate depending on the circumstances, but they are not mandated by the GDPR in every instance. Despite not being mandated, EOD encrypts data at rest, which also includes dates.
- Fiction: “EU data subjects have an absolute right to have their personal data deleted upon request.”
Fact: The right to have one’s data deleted is often referred to as “the right to be forgotten”. However, the right to be forgotten is not an absolute right. It has a limited scope and is subject to certain limitations (Article 17). In most cases, when considering a request for deletion, several relevant factors have to be taken into account; this right will not apply, for example, if the processing is necessary for compliance with a legal obligation. However, data subjects do have an absolute right to prevent their personal data from being processed for direct marketing purposes.
- Fiction: “A data protection officer is mandatory for all companies subject to the GDPR.”
Fact: A data protection officer is only required by the GDPR when one of the following applies:
- the organization is a government institution;
- the organization processes certain sensitive types of data (such as data on health or religion) on a large scale as part of its core activities; or
- the organization systematically monitors people (for example, via cameras, or software which tracks internet behavior) as part of its core activities (Article 37(1)).
- Fiction: “The GDPR requires a data protection impact assessment for all processing activities involving EU personal data.”
Fact: Under the GDPR, a data protection impact assessment (DPIA) is only necessary when it concerns high-risk processing of EU personal data, such as the following:
- large-scale processing of certain sensitive types of EU personal data, such as data concerning a person’s health;
- systematic and extensive automated decision-making which produces legal or similarly significant effects on individuals, such as the use of fraud detection software; and
- systematic and large-scale monitoring of public space (for example, with cameras) (Article 35(3)).
- Fiction: “Profiling and automated decision making are prohibited under the GDPR.”
Fact: Profiling of EU individuals and automated decision-making involving EU personal data are not prohibited, but these processing activities may be subject to certain conditions. In particular, when decisions which legally or similarly significantly affect an individual are made automatically, the data subject:
- must be given meaningful information about the underlying logic, and about the significance and potential consequences for them; and
- must in some cases have the ability to require that a human being is involved in the process (Article 22(3)). A data protection impact assessment (see Myth 6 above) may also be required.
- Fiction: “If an organization is established outside the EU, the GDPR does not apply to its processing of EU personal data.”
Fact: Regardless of where an organization is established, the GDPR applies to EU personal data which is processed in the context of:
- offering goods and services (whether paid or not) to people in the EU; or
- monitoring the behavior of people in the EU, for example by placing cookies on the devices of EU individuals (Article 3(2)).
This document is a broad overview of some of the key aspects of the forthcoming EU General Data Protection Regulation (GDPR) and does not provide legal advice. We urge you to consult with your own legal counsel to familiarize yourself with the requirements that govern your specific situation.
- Expanded definition of “personal data”: The GDPR expands and clarifies the concept of personal data. While the basic concept of personal data largely remains the same, the GDPR makes it clear that location data and online identifiers, such as IP addresses, are considered personal data. The GDPR also expands the concept of sensitive personal data to include genetic data and biometric data.
- Expanded and new rights for EU individuals: The GDPR provides expanded rights for EU data subjects such as:
- Deletion: This right is sometimes referred to as the “right to be forgotten”. The data subject has the right to require that the Controller erase personal data about him/her in certain conditions, including if the personal data is no longer necessary for the original purpose of the processing or if the data subject withdraws consent for the processing. This right has been extended to the online world as a means to require internet service providers to delete out-of-date publicly available information, in particular that information which appears in search results.
- Restriction: Under the GDPR, a data subject has the right to obtain from a Controller a restriction on the processing of personal data in a number of circumstances, including if the accuracy of the personal data is contested by the data subject for a certain period of time. A restriction on processing means that the organization holding the data is entitled to continue to store it, but cannot process it any further.
- Portability of personal data: Data subjects also now have the right, in certain circumstances, to receive the personal data that they have provided to a Controller in a structured, commonly used and machine-readable format.
- Security measures: The GDPR requires Controllers and Processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented. At EOD, we have robust security measures in place that meet the highest standards in the industry, and these are outlined in our Security
- Breach notification: The GDPR requires organizations to report certain personal data breaches to the relevant data protection authority, and in some circumstances, to the affected data subjects. Controllers must notify the relevant data protection authority “without undue delay” (and where feasible, within 72 hours of having become aware of it), unless the breach is not likely to present any risk to the rights and freedoms of the data subjects concerned. If circumstances require it, Controllers may also be required to communicate the data breach to data subjects. Processors, for their part, are required to notify Controllers “without undue delay” after becoming aware of a personal data breach. EOD has covered these aspects in its
- Transparency: The GDPR requires that Controllers provide data subjects with information about their processing operations at the time when the personal data are obtained. This information includes the identity and contact details of the Controller, the contact details of the data protection officer (if relevant), the purposes and the legal bases for the processing of the personal data, the recipients of the data and a number of other fields to ensure that the personal data is being processed in a fair and transparent manner. In addition, Controllers are required to provide information to data subjects even in circumstances where the personal data has not been obtained directly from the data subject.
- Profiling: The GDPR introduces the concept of “profiling”, meaning any form of automated processing that uses personal data to evaluate personal aspects and in particular to analyse or predict aspects relating to an individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Data subjects must be informed of the existence of profiling and any consequences of the profiling. EOD does not