In May 2018, when the EU General Data Protection Regulation (GDPR) becomes effective, the definition of “privacy data” will be widened substantially. The core of the EU GDPR is the concept of “personally identifiable data.” This should be interpreted very broadly as “data which can identify a specific person.”
Apart from name, photo and email address, the new definition of personally identifiable data also comprises, among other things, bank data, social media posts, health information, and IP addresses.
Furthermore, the EU GDPR includes a special category of particularly sensitive data. This comprises, e.g., crime registry data, fines, biometric and genetic data, as well as personal profiling data as known from social media or targeted internet advertising based on cookies.
No complete list available
There is, however, no exhaustive list of what is considered personally identifiable data according to the EU GDPR, so, if in doubt, it is highly recommended to seek legal counsel.
The EU GDPR is also very strict when it comes to businesses’ compliance with the new set of regulations, and non-compliance is subject to enormous fines. To be compliant, businesses must account for who has access to privacy data, and they must be able to document the processes and technologies for internal as well as external processing of such data.
As controller, a business using personally identifiable data is required to document agreements with third-party suppliers (processors). In cases where a subcontractor uses services from other third-party suppliers, the business itself, in its capacity as controller, will be responsible for ensuring compliance with the EU GDPR throughout the entire supply chain.
Requirement of active consent
One of the most important changes in the EU GDPR is the requirement for explicit consent from the person granting access to his or her data. Businesses must ensure that the consent is active, meaning that the person actively decides what his or her data may be used for.
This implies an extended notification duty on businesses to inform specifically what each data set will be used for. Also, the person giving consent must be able to withdraw consent at any time.
The EU GDPR entitles each citizen to have their data transferred between service providers. This could, for instance, be the case if a person wishes to change his or her pension or telecommunications provider.
The EU GDPR will implement the “right to be forgotten” principle, which means that a person can demand that data concerning him or her be erased or returned. If a business has transmitted the information to a third party, the business must communicate the request for erasure to the party to which the data was transmitted. This means that businesses must be very well prepared and able to document the presence of personally identifiable data as well as the processing of this data.
Nevertheless, there are some exceptions to this principle. One example is data transmitted to public or tax authorities, which individuals are obliged to provide. Hence, it is advisable to seek legal advice to find out whether the business is obliged to retain or provide such information.
Tight restrictions for data profiling
As a third example, the EU GDPR imposes quite tight restrictions on the automated processing of personal data for profiling.
As a general rule, a business cannot make a decision concerning a customer based solely on automated processing of the person’s registered data. This may comprise data about a person’s private finances, health, personal preferences, travel patterns, or data related to employment conditions or recruitment. Here, businesses must have the person’s consent to make use of his or her personal data.
Omada’s approach to continuous compliance
As described, the EU GDPR severely challenges businesses as to their knowledge of which data is being stored, just as they must control and be fully aware of how this data is stored and processed.
This is no trivial task, and in many businesses it will have a severe impact on the employees, working processes, and technologies the businesses use for their processing of personal data. So it is important that you start working on this task now.
At Omada, we help businesses get an overview of and take charge of the personal data the business is storing, who is responsible for the data, which processes must be in place, and which technologies can keep the business in control of the data and ensure compliance with the EU GDPR.
Omada has developed a guide that outlines eight steps to EU GDPR compliance and helps businesses make sure they comply with all elements of the new regulation. This guide contains a number of steps which we believe you must complete to ensure your business adheres to the new requirements and remains compliant going forward.
The guide, “Prepare for the EU GDPR,” is available free of charge.