The EU’s upcoming General Data Protection Regulation (GDPR) is a highly complex piece of legal text.
As such, it has raised a slew of questions and left businesses seeking guidance.
In order to tackle the complexity of this law, we decided to put our thinking cap on and unearth some of the answers. Now that we’ve done the groundwork, we’d like to share our three-piece article series with you, so you may get the lay of the GDPR land as well.
Part One addresses the basics, Part Two will explore the contents of the legislation, and Part Three will offer some practical business advice.
Let’s get started.
What is it?
The GDPR
The main actors addressed in the EU’s upcoming General Data Protection Regulation are organisations on the one hand and individuals on the other.
In light of this distinction we define the GDPR as an EU-wide legislation that outlines the organisational obligations and the individual rights as they pertain to the collection and processing of personal data.
Personal data
We will bring up ‘personal data’ over and over again. So, it’s best to lay down its definition at the starting line. According to the GDPR, personal data is any kind of information that relates to a natural person,
…by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What this definition really says is that if you can retrace a piece of information to a person, then that information qualifies as personal data.
The real buzzwords here are ‘re-identification’ and ‘big data’. Technology has evolved rapidly in the past few decades. Consequently, the capacity to process incredibly complex bundles of information has grown exponentially. By tying together anonymised data with other, seemingly unrelated datasets, it is now easier than ever to Hansel-and-Gretel our way back to the original data subject, i.e. the person.
For example, you may give one of your phone applications access to your location. Your location may seem like an innocuous digital crumb. But combine it with a seemingly independent dataset, run it through a big data tumbler, and the jig is up. Your identity has been revealed.
Our example is admittedly over-simplified. Regardless, this phenomenon is called the ‘mosaic effect’, and in many ways it is like a much scarier version of Willy Wonka’s candy machine.
In fact, in 2000, Latanya Sweeney famously quantified just how simple it is to re-identify people in the United States using publicly available anonymised census data. In her paper she wrote that,
87% (216 million of 248 million) of the population in the United States had reported characteristics that likely made them unique based only on {5-digit ZIP, gender, date of birth}.
The point here is not to sound the alarm. But when almost anything qualifies as personal data today, it is important to understand how any attempt to narrowly define it can seem like locking the barn door after the horse has bolted. It follows that even though anonymisation and pseudonymisation are the go-to security measures of today, that will eventually have to change.
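To make Sweeney’s point concrete, here is a small added example (not from the original article) that measures how unique records are on her three quasi-identifiers, {5-digit ZIP, gender, date of birth}, and how coarsening those fields lowers the re-identification risk. The records are constructed, not real people, and the field names and generalisation rule are our own assumptions.

```python
from collections import Counter

# Constructed sample records: the three quasi-identifiers Sweeney used.
# No real individuals; values are made up for illustration.
QUASI_IDS = ("zip", "gender", "dob")
RECORDS = [
    {"zip": "02138", "gender": "F", "dob": "1965-07-21"},
    {"zip": "02139", "gender": "F", "dob": "1965-11-02"},
    {"zip": "02138", "gender": "M", "dob": "1970-01-05"},
    {"zip": "02140", "gender": "M", "dob": "1970-09-19"},
    {"zip": "02141", "gender": "F", "dob": "1982-11-30"},
    {"zip": "02139", "gender": "F", "dob": "1982-03-15"},
]


def equivalence_classes(records, quasi_ids):
    """Group records by their combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Smallest group size. k == 1 means at least one record is unique
    on the quasi-identifiers and could be linked to an outside dataset."""
    return min(equivalence_classes(records, quasi_ids).values())


def unique_fraction(records, quasi_ids):
    """Share of records that are the only member of their group,
    i.e. the 'likely unique' population Sweeney quantified."""
    classes = equivalence_classes(records, quasi_ids)
    return sum(1 for n in classes.values() if n == 1) / len(records)


def generalise(record):
    """Assumed mitigation: keep only the 3-digit ZIP prefix and the
    birth year, the classic way to enlarge each equivalence class."""
    return {
        "zip": record["zip"][:3] + "**",
        "gender": record["gender"],
        "dob": record["dob"][:4],
    }


def risk_report(records, quasi_ids):
    """Return (k, unique fraction) before and after generalisation."""
    coarse = [generalise(r) for r in records]
    return (
        (k_anonymity(records, quasi_ids), unique_fraction(records, quasi_ids)),
        (k_anonymity(coarse, quasi_ids), unique_fraction(coarse, quasi_ids)),
    )
```

On the raw records every row is unique (k = 1); after generalisation each row shares its values with one other (k = 2), so no row can be singled out on these fields alone.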
When is it?
The legislation will be enforced across all European Union Member States on May 25, 2018.
The law has been in the making for six years. If you’d like to dig a little deeper, we recommend checking out the legislative history here, or watching this documentary.
Where is it?
The law applies if the data subject is an EU citizen, or the data processor has an establishment within the EU.
Experts call this the ‘targeting approach’. In layman’s terms, the GDPR’s scope says that if you target an EU citizen, or you are on EU territory, then you will be targeted by the law. More succinctly, ‘if you target, you are targeted’.
The territorial scope renders the legislation quasi-global, which has far-reaching implications.
For instance, take a company that is headquartered abroad and has no establishment on EU territory. If an EU citizen visits the company’s online store in order to make a purchase, that may be taken as if the company had offered that EU citizen its goods or services. Should the company collect website cookies as well, then, in effect, it is engaging in the monitoring of that EU citizen’s behaviour. Both offering products and monitoring behaviour bring this non-EU company under the remit of the GDPR. Keep in mind, this seems to be the case even when it is the customer who actively seeks out a non-EU company.
Vice versa, the GDPR suggests that a company with an establishment within the EU that is processing the data of a non-EU citizen would also have to abide by the GDPR.
As you can imagine, this territorial provision has stirred the pot quite a bit, which is why most businesses are expecting the EU to publish further specifications on the matter. We, too, are eagerly expecting to see some updated guidance.
For now, we recommend consulting Lexology’s entry on the topic and visiting the ICO’s website.
Whom is it for?
Controllers, processors, data subjects
The GDPR defines individual rights and organisational obligations as they pertain to the protection of personal data. It follows that the law addresses natural persons and business entities.
Businesses who collect and process personal data are defined as either controllers or processors.
Controllers determine the purposes and means for which personal data will be used, whereas processors carry out the processing on behalf of the controller.
EU Nations
Once the GDPR is officially enforced, all EU member states will have to comply.
The GDPR will come into effect before the UK’s departure from the European Union, which means that the UK will implement the GDPR along with all other Member States.
However, the GDPR will not be directly applicable once the UK leaves the European Union.
The UK intends to fit international data transfers and service offerings into the EU framework even after Brexit has taken place. To address the GDPR’s post-Brexit ‘expiration’, the UK government published its own Data Protection Bill (DPB) in September 2017.
Coinciding with the GDPR’s implementation, the UK government will enforce the Bill as the Data Protection Act of 2018 (DPA). You can see the bill’s progress here and read more about its contents here. Apart from minor deviations, the DPA will conform to the high standards of the GDPR.
Why is it?
Reason #1: The current law is outdated.
The previous EU law, called the Data Protection Directive (DPD), was introduced in 1995. As is the case with EU directives, every Member State had to adopt its own national version of the law. The UK’s version, the Data Protection Act (DPA), was enforced in 1998.
When you think about it, both the EU directive and the UK national law were implemented in an era where artificial intelligence, cloud computing, big data, social media, smartphones and tablets did not yet exist. In other words, the language of the current law isn’t fully applicable anymore.
Reason #2: The second ‘valid reason as to the whyness’ of the GDPR is that European nations see privacy as a social value.
The best way to illuminate this matter is to ask yourself: would I feel safe in a society where it was up to every individual to define what is morally acceptable and what isn’t? Historically, most people prefer some form of top-down guidance (i.e. legislation) on matters such as human rights, freedom of speech, ownership, etc. Hence, these notions are socially defined values.
Modern technology has brought our societies to an inflection point by making the collection, use and trading of personal data a cinch. Our current laws cannot adequately address the complexity and ease with which companies collect and barter with people’s data, and this has often made societally defined data and privacy protection unfeasible.
If you are curious to find out just how important privacy is to Europeans, let’s just say that the notion appears in most of our founding legal documents. ‘Privacy’, ‘personal data’, or ‘private life’ are referenced in the Universal Declaration of Human Rights (1948), the European Convention on Human Rights (1950), the Charter of Fundamental Rights of the European Union (2000), and the Treaty on the Functioning of the European Union (2007). In contrast, ‘privacy’ is not mentioned in the United States constitution.
Reason #3: The third reason behind the drafting of the law has to do with the inherent economic potential of a unified European online market.
EU legislators believe that a strictly regulated data market will help build better trust in online services. As a consequence, the EU hopes that scores of new customers and investors are going to jump on the online-services wagon.
It used to be that every member state had its own national data protection authority. Under the GDPR, there will be a single EU-wide authority. This Three-Musketeer-ish ‘one law, one authority, one market’ concept is called the Digital Single Market (DSM).
Because of efficiency measures such as having a single authority, the EU assumes that the GDPR will help lower administration costs by €2.9 billion per year. Unfortunately, cutting down on red tape isn’t all that straightforward. For example, the UK’s Ministry of Justice argued that the EU’s calculations were much too optimistic. Instead, they suggested that the net cost to UK businesses will be between £80 million and £320 million per year (in 2012-13 earnings terms). You can read the ministry’s report here.
The above question-and-answer section covers the most fundamental aspects of the GDPR.
You can also download our summary infographic here.
Hang tight, because in Part Two we will be looking at the contents of the legislation.