GDPR: A Simple Explainer
When the General Data Protection Regulation (GDPR) came into force on May 25, 2018, many saw it as a turning point in the history of the European legal system. Many private users and businesses still don't really understand how to act under the new framework and are rather scared, because noncompliance is widely assumed to lead automatically to huge fines. Consequently, some companies prefer to limit their activities with EU clients rather than adjust the way they interact with them. GDPR very quickly became one of those things that everybody has heard about but few really understand.
What does everybody "know" about GDPR? Apparently there are huge fines for noncompliance, the client's consent is needed for every step, and GDPR will eventually ruin one's business. In reality, things are not that dramatic. Let's see what GDPR is really about.
A New Legal Framework
First of all, the General Data Protection Regulation replaces the Data Protection Directive (95/46/EC) and is a different kind of legal instrument. A directive binds member states only as to the result to be achieved and leaves the means to them: each national government had to transpose it into its own law before it applied to citizens and companies, and the resulting national laws diverged from one another.
The GDPR, on the other hand, is a regulation adopted at EU level. It is directly applicable in every member state without transposition into national law (member states may still pass supplementary laws on specific points), and it applies to any organisation that processes personal data of people in the EU, not only to EU citizens and EU companies.
Non-EU companies are covered too when they offer goods or services to people in the EU or monitor their behaviour. Indicators that a company is targeting the EU market include offering its services in an EU language or accepting payment in an EU currency, or presenting its goods and services under European domains (e.g., .de, .pl). Typical examples are transportation and hotel services.
Principles of GDPR
There are six principles that drive the new framework. It is helpful to understand each of them, especially if you are required to follow the Regulation.
1. Lawfulness, Fairness and Transparency
You have to inform your clients about the purpose, the process and the method by which you process their data. This can be done through an information page that contains all the details. It must be visible to users before they agree to the processing of their personal data. For example, if you offer services or goods to your users and want to collect information about them, you need to explain what information you need, for what reason, and how you collect, process and store it. This may include conventional information such as name, age, email and telephone number, or less obvious data such as IP address, cookies and geolocation. You have to explain the reason for collecting each of these. The main purpose of this principle is to give individuals control over their personal data and to make companies understand that 1) the data is not theirs to do with as they please, and 2) they may only use it for stated reasons and for limited periods of time.
2. Purpose Limitation
Once you have decided that you need to collect certain data, you must be able to explain why you need it. Use of the personal data must be limited to that purpose; collecting additional data or using it for another, incompatible purpose is a violation of the law and can lead first to a warning and then to fines. Moreover, don't forget to inform your clients about your purposes upfront, before they give you their consent. You can place this information on the info page and draw the user's attention to it. So if you sell, for example, tickets for an event, you must only collect the data you need for that purpose. You must not, for instance, use what you learn about customers and their preferences to market unrelated goods or services to them unless that purpose was stated upfront or they have consented to it.
3. Data Minimization
Limited purpose goes together with limited data. Companies must only collect the minimum information needed for their operations and be able to defend their reasons for doing so. If you offer, for example, a shipping service, you must ask only for the information you need in order to deliver the goods to the customer (name, address, contact details) and nothing more. If you can accomplish a task without asking for personal information, do so.
4. Accuracy
You must ensure that all the data you have collected is accurate and up to date. You need to review the information regularly and check that it is still relevant and true. If your customers change their address, name or anything else, you have to change these records in your database as well. Therefore you must make your clients aware of this option and inform them that they can correct their data and request its erasure.
5. Storage Limitation
Once you have limited your purposes and the amount of data, you must limit the time you keep the data. It may only be stored for as long as the purpose for which it was collected requires, and it must not be used for any other reason. For example, if you run a hotel website and collect the personal data needed for a booking, you may process that data for this purpose only. You must not send users newsletters unrelated to their reservation unless they have also consented to that. If you offer single-use services, you must not use or store the users' data longer than is required to provide them.
6. Integrity and Confidentiality
This is an important guarantee that a company has to give its clients. The Regulation does not let you pass data to third parties without a lawful basis and appropriate safeguards (for example, a contract with a processor that handles the data on your behalf). If you have collected certain information, you may use and keep it as long as you need it for the purposes you collected it for. It is your responsibility to take appropriate organisational and technical measures (e.g., pseudonymisation and encryption) to protect it. This means that you have to decide how you will collect, process and store the information securely, and ensure that no unauthorised person gains access to the data, whether physically or electronically.
Consent
There is a lot of confusion around the notion of consent, which is often thought to be the centrepiece of the Regulation. It has become a widespread myth that users' consent is always necessary if you want to process their information, and many people think it is the only basis for collecting, processing and storing data. This is not the case.
Although consent is an important and innovative point of the Regulation, it is only one of six lawful bases for collecting and processing users' information. For example, if you have a contract whose performance requires you to process your clients' data, or if the processing is necessary to protect someone's life, you do not have to ask for separate consent in these cases.
Next Steps
Now that the GDPR has been in effect for four months, you have probably determined whether your company has to abide by the new rules. As a next step, make sure that you understand them correctly and that your practices match them.
Before collecting any data, ask yourself whether you can achieve the same task without collecting it at all. If you can, do so. The Regulation requires that the personal information collected be kept to a minimum. If you have decided that it is impossible to deliver a service without collecting data, align your practices with the six GDPR principles.
Before processing, state what your lawful basis is (consent or one of the others). Do not switch the basis or use the data for another purpose unless the new purpose is compatible with the original one or rests on further consent from the users. Inform your clients about the purpose of your processing through an accessible and comprehensive privacy notice, and present it before the data is collected rather than burying it where users will never see it.
Then, once you are confident that you clearly understand your purposes for processing personal data and the lawful basis for it, make sure the processing is transparent. This means that your clients can find all the information easily, understand what you use their data for, and know that they have the right to have it corrected and erased, because it is their data. Take appropriate technical and organisational measures to protect your users' personal information, and don't keep it longer than required for the fulfilment of your purposes.