What is the GDPR?
The GDPR is a new comprehensive data protection law (in effect May 25, 2018) in the EU that strengthens the protection of personal data in light of rapid technological developments, increased globalisation, and more complex international flows of personal data. It updates and replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state.
What does the GDPR regulate?
The GDPR regulates the “processing” of data for EU individuals, which includes collection, storage, transfer, or use. Any organisation that processes personal data of EU individuals is within the scope of the law, regardless of whether the organisation has a physical presence in the EU.
Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
How does GDPR change privacy law?
The key changes are the following:
1. Expanded data privacy rights for EU individuals, data breach notification and added security requirements for organisations, as well as customer profiling and monitoring requirements.
2. The GDPR also includes Binding Corporate Rules for organisations to legalise transfers of personal data outside the EU, and fines of up to 4% of global revenue for organisations that fail to adhere to their GDPR compliance obligations.
3. The GDPR does not require EU personal data to stay in the EU, nor does it place any new restrictions on transfers of personal data outside the EU, subject to certain provisions. We at EOD still ensure that EU users' data does indeed stay within the EU. Please also read the MSA.
What EOD is Doing:
EOD welcomes the GDPR as an important step forward in streamlining data protection requirements across the EU and as an opportunity for EOD to deepen our commitment to data protection. Similar to existing legal requirements, compliance with the GDPR requires a partnership between EOD and our customers in their use of our services.
EOD will comply with the GDPR in the delivery of our service to our customers. We are also dedicated to helping our customers comply with the GDPR.
EOD's Commitment to Data Protection
At EOD, trust is our #1 value and nothing is more important than the success of our customers and the protection of our customers’ data. EOD's robust privacy and security program meets the highest standards in the industry.
We have consistently reinforced our commitment to protecting our customers’ data through our actions over the last few years.
What Customers Should Do
1. Get Buy-in and Build a Team
a. Raise awareness of the importance of GDPR compliance with organisation leaders.
b. Obtain executive support for necessary staff resources and financial investments.
c. Choose someone to lead the effort.
d. Build a steering committee of key functional leaders.
e. Identify privacy champions throughout the organisation.
2. Assess the Organisation
a. Review existing privacy and security efforts to identify strengths and weaknesses.
b. Identify all the systems where the organisation stores personal data and create a data inventory.
c. Create a register of data processing activities and carry out a privacy impact assessment for each high-risk activity.
d. Document Compliance.
3. Establish Controls and Processes
a. Ensure privacy notices are present wherever personal data is collected.
b. Implement controls to limit the organisation’s use of data to the purposes for which it collected the data.
c. Establish mechanisms to manage data subject consent preferences.
d. Implement appropriate administrative, physical, and technological security measures and processes to detect and respond to security breaches.
e. Establish procedures to respond to data subject requests for access, rectification, objection, restriction, portability, and deletion (right to be forgotten).
f. Enter into contracts with affiliates and vendors that collect or receive personal data.
g. Establish a privacy impact assessment process.
h. Administer employee and vendor privacy and security awareness training.
4. Document Compliance
a. Compile copies of privacy notices and consent forms, the data inventory and register of data processing activities, written policies and procedures, training materials, intra-company data transfer agreements, and vendor contracts.
b. If required, appoint a data protection officer and identify the appropriate EU supervisory authority.
c. Conduct periodic risk assessments.
Fiction versus Fact
As you gear up your organisation to comply with the forthcoming EU General Data Protection Regulation (GDPR), you may come across contradictory information about what the GDPR does, and does not, require. One of the main challenges for organisations facing GDPR compliance is finding the resources to sort through the facts, and the fictions, of this new law.
With that in mind, EOD has put together this guide to help clarify some common confusions around the GDPR and get you and your organisation on the path towards compliance.
1. Fiction: “Processing European personal data requires the consent of the data subject.” Fact: Consent is only one of the legal bases one can use for the processing of personal data (Article 6(1)(a)).
For instance, personal data can also be processed:
a. When necessary for the performance of a contract to which the data subject (the individual whose data is processed) is a party;
b. When there is a legal obligation to do so (such as the submission of employee data to a tax authority); and
c. Sometimes even on the basis of legitimate interests, such as commercial and marketing goals. The legitimate interest must, however, outweigh any detriment to the privacy of the data subject.
2. Fiction: “European personal data must be stored within Europe.” Fact: The GDPR does not contain any obligation to store information in Europe. However, transfers of European personal data outside the European Economic Area (EEA) generally require that a valid transfer mechanism be in place to protect the data once it leaves the EEA (Chapter V, Articles 44-50).
3. Fiction: “The GDPR requires EU personal data to be encrypted at rest.” Fact: The GDPR does not mandate specific security measures. Instead, the GDPR requires organisations to take technical and organisational security measures which are appropriate to the risks presented (Article 32(1)).
Encryption at rest and pseudonymization may be appropriate depending on the circumstances, but they are not mandated by the GDPR in every instance. Despite not being mandated, EOD encrypts data at rest, which also includes dates.
4. Fiction: “EU data subjects have an absolute right to have their personal data deleted upon request.” Fact: The right to have one’s data deleted is often referred to as “the right to be forgotten”. However, the right to be forgotten is not an absolute right. It has a limited scope and is subject to certain limitations (Article 17).
In most cases, when considering a request for deletion several relevant factors have to be taken into account; this right will not apply, for example, if the processing is necessary for compliance with a legal obligation. However, data subjects do have an absolute right to prevent their personal data from being processed for direct marketing purposes.
5. Fiction: “A data protection officer is mandatory for all companies subject to the GDPR.” Fact: A data protection officer is only required by the GDPR when one of the following applies:
a. The organisation is a government institution;
b. The organisation processes certain sensitive types of data (such as data on health or religion) on a large scale as part of their core activities; or
c. The organisation systematically monitors people (for example, via cameras, or software which tracks internet behaviour) as part of their core activities (Article 37(1)).
6. Fiction: “The GDPR requires a data protection impact assessment for all processing activities involving EU personal data.” Fact: Under the GDPR, a data protection impact assessment (DPIA) is only necessary when it concerns high-risk processing of EU personal data, such as the following:
a. Large-scale processing of certain sensitive types of EU personal data, such as data concerning a person’s health;
b. Systematic and extensive automated decision-making which produces legal or similarly significant effects on individuals, such as the use of fraud detection software; and
c. Systematic and large-scale monitoring of public space (for example, with cameras) (Article 35(3)).
7. Fiction: “Profiling and automated decision making is prohibited under the GDPR.”
Fact: Profiling of EU individuals and automated decision-making involving EU personal data are not prohibited, but these processing activities may be subject to certain conditions. In particular, when decisions which legally or similarly significantly affect an individual are made automatically, the data subject:
a. Must be given meaningful information about the underlying logic, and about the significance and potential consequences for them; and
b. Must in some cases have the ability to require that a human being is involved in the process (Article 22(3)). A data protection impact assessment (see Fiction 6 above) may also be required.
8. Fiction: “If an organisation is established outside the EU, the GDPR does not apply to its processing of EU personal data.”
Fact: Regardless of where an organisation is established, the GDPR applies to EU personal data which is processed in the context of:
a. Offering goods and services (whether paid or not) to people in the EU; or
b. Monitoring the behaviour of people in the EU, for example by placing cookies on the devices of EU individuals (Article 3(2)).
This document is a broad overview of some of the key aspects of the forthcoming EU General Data Protection Regulation (GDPR) and does not provide legal advice. We urge you to consult with your own legal counsel to familiarise yourself with the requirements that govern your specific situation.
1. Expanded definition of “personal data”: The GDPR expands and clarifies the concept of personal data. While the basic concept of personal data largely remains the same, the GDPR makes it clear that location data and online identifiers, such as IP addresses, are considered personal data.
The GDPR also expands the concept of sensitive personal data to include genetic data and biometric data.
2. Expanded and new rights for EU individuals: The GDPR provides expanded rights for EU data subjects such as:
a. Deletion: This right is sometimes referred to as the “right to be forgotten”. The data subject has the right to require that the Controller erase personal data about him/her under certain conditions, including if the personal data is no longer necessary for the original purpose of the processing or if the data subject withdraws consent for the processing.
This right has been extended to the online world as a means to require internet service providers to delete out-of-date publicly available information, in particular that information which appears in search results.
b. Restriction: Under the GDPR, a data subject has the right to obtain from a Controller a restriction on the processing of personal data in a number of circumstances, including if the accuracy of the personal data is contested by the data subject for a certain period of time.
A restriction on processing means that the organisation holding the data is entitled to continue to store it, but cannot process it any further.
c. Portability of personal data: Data subjects also now have the right, in certain circumstances, to receive the personal data that they have provided to a Controller in a structured, commonly used and machine-readable format.
3. Security measures: The GDPR requires Controllers and Processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks presented.
At EOD, we have robust security measures in place that meet the highest standards in the industry, and these are outlined in our Security Policy.
4. Breach notification: The GDPR requires organisations to report certain personal data breaches to the relevant data protection authority, and in some circumstances, to the affected data subjects.
Controllers must notify the relevant data protection authority “without undue delay” (and where feasible, within 72 hours of having become aware of it), unless the breach is not likely to present any risk to the rights and freedoms of the data subjects concerned.
If circumstances require it, Controllers may also be required to communicate the data breach to data subjects. Processors, for their part, are required to notify Controllers “without undue delay” after becoming aware of a personal data breach. EOD has covered these aspects in its MSA.
5. Transparency: The GDPR requires that Controllers provide data subjects with information about their processing operations at the time when the personal data are collected.
This information includes the identity and contact details of the Controller, the contact details of the data protection officer (if relevant), the purposes and the legal bases for the processing of the personal data, the recipients of the data and a number of other fields to ensure that the personal data is being processed in a fair and transparent manner.
In addition, Controllers are required to provide information to data subjects even in circumstances where the personal data has not been obtained directly from the data subject.
6. Profiling: The GDPR introduces the concept of “profiling”, meaning any form of automated processing that uses personal data to evaluate personal aspects, and in particular to analyse or predict aspects relating to an individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Data subjects must be informed of the existence of profiling and any consequences of the profiling. EOD does not profile any of the above.