We looked at the broad implications of the GDPR in our previous article, but it takes a deeper understanding to become truly GDPR compliant. This article provides additional information on some of the more important aspects of the GDPR.
How Does the GDPR Define 'Personal Data'?
The GDPR defines personal data as any information that can be used to directly or indirectly identify an individual. That includes things like names, photos, email addresses, banking information, social media activity, medical information and IP addresses.
How Can Organizations Determine Whether the Law Applies to Them From a Geographical Standpoint?
All organizations operating inside the EU are required to comply with the law. Organizations with no physical presence in the EU must comply if they:
- Sell or market goods or services to EU citizens (regardless of where they live) or current EU residents.
- Employ EU citizens.
- Monitor the behavior of EU citizens or residents.
- Collect, process or hold the personal data of EU citizens or residents.
The number of EU citizens or residents affected is not a factor. In other words, there is no minimum threshold. If even a single individual’s data is involved, the law applies.
In addition, third-party processors and controllers who work with the personal data of EU citizens and residents may have additional GDPR obligations, regardless of physical location. And outsourcing to a third-party processor outside of the EU doesn’t absolve a company of its own GDPR obligations.
As a consequence, there are few cases where the GDPR would not apply. The fact that a company subcontracts personal data processing to another company (even one outside the EU) is irrelevant as soon as the company delivers products or services to European citizens.
Editor's Note: This is the second in a four-part series. The next installment will examine how businesses that haven't taken any steps yet can start preparing for the regulation. Read more of Auvray and Podnar's thoughts on the GDPR in this free whitepaper.
How Can Organizations Determine Whether the Law Applies to Them From a Functional Standpoint?
The technical answer is that you need to know whether you’re a processor and/or a controller as defined by the GDPR.
- Controllers store personal data. A payment platform like PayPal is a good example.
- Processors use that data for a specific purpose but don’t store it once that purpose has been achieved. One example would be people who sell things online and use PayPal to process payments. They use a buyer’s information for shipping and payment purposes but don’t store that data after the transaction has been completed.
Organizations that process payments in-house rather than outsourcing them to a third-party provider may play the roles of both processor and controller. But keep in mind that, even when organizations do outsource one or both of those roles, that doesn’t absolve them of the responsibility to be compliant. Moreover, the company in charge of the personal data processing (defined as a “processor” by the GDPR) has additional obligations with regard to its customers:
- Provide guarantees that the way you process the personal data meets GDPR requirements.
- Provide guarantees that the way you protect the related personal data is aligned with current security standards.
- Provide assistance and advice to customers that may be non-compliant.
- Alert customers in case of a data breach.
On a practical level, it’s difficult to imagine a business that, in today’s digital economy, wouldn’t be covered by the GDPR from a functional perspective. Even public institutions, agencies, and associations are part of the GDPR scope of application.
Is User Consent Always Mandatory or Are There Exceptions?
As we already mentioned, starting on May 25, companies will be able to collect prospect or customer data:
- By getting the explicit consent from the prospect or customer; or
- If the data collection is required in order to fulfill a contract established with the individual; or
- As long as the organization has legitimate interest.
The first two scenarios are quite well understood but the third one — legitimate interest — is far more complex. A company can collect and use data without the consent of the individual if the purpose of the processing is based on a legitimate interest. But what does that really mean?
The GDPR indicates that any one of the following three instances allows a company to collect and process data without consent or contract:
- The company would be placing itself at risk if it did not collect or process the personal data for its own business purposes. For example, the data is transferred within the organization for internal administrative purposes, or the organization collects and uses the data for cyber security purposes.
  The GDPR also indicates that an organization may use the data if it is proof of a crime, breaking of a legal obligation, or in the interest of greater or national security. Of course, none of these reasons are justified if they limit or take away people’s basic rights or freedoms.
- The company has collected data from an individual for reasons where that individual could reasonably expect the data will continue to be used or processed.
- The company has an already existing relationship with the individual, such as that of a customer or an employee, and therefore continues to direct market to or contact the individual because of that pre-existing relationship. In fact, the GDPR explicitly says that “The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."
This should be interpreted to mean that existing customers are considered to have consented to receive marketing or commercial offers for similar goods or services, and that separate consent is not required to send them. But the company still must provide a way for the individual to refuse the marketing or offers, or to opt out.
It is easy to look at the legitimate interest rule and simply continue existing marketing or communications activities. However, keep in mind that some European countries have laws in place that supersede this specific rule. For example, France has its own data protection law known as the Commission nationale de l'informatique et des libertés (CNIL), and an organization would be out of compliance with that law if it were to rely on this “existing relationship” legitimate interest scenario.
Should you have any doubt, the safest course is simple: consider that consent is king.
Does the Law Affect B2B Companies Differently Than B2C Companies?
There is a difference in the level of consent required to collect, store and use personal data. The GDPR requires B2C companies to get specific consent to store a person’s data or to communicate with them beyond the initial transaction (such as to send them marketing emails). B2B organizations, on the other hand, don’t have to obtain explicit consent from other businesses. They merely need to make it easy to opt out of receiving further communications.
They do, however, have the same obligations as B2C organizations when it comes to the personal data of an individual employee of that company. For example, if the purpose of your business is to manage personal data on behalf of your customer, or if you are delegating that processing to another company, then even though the contract could be considered a B2B one, the substance of the relationship involves processing personal data. Therefore, each company will have to respect the B2C obligations set out in the GDPR.
Are Any Categories of Personal Data Exempt From the Law’s Requirements?
Yes. The GDPR does not apply to personal data that you’re legally required to retain for specific purposes. This includes things like employment records, tax records, records pertaining to legal actions, records of loans and mortgages, etc. Basically, personal data in records that you are legally required to maintain is exempt from GDPR regulations as long as it’s used for those purposes only. You can’t extract personal information from mortgage applications and use it to communicate with applicants for unrelated purposes, for example.