GDPR Compliance: Overview of Legal Requirements and Best Practices Summary
Clarip has compiled an extensive page of resources and analysis for the European Union General Data Protection Regulation (GDPR), including information about required disclosures, data mapping, DPIAs, consent and other lawful bases for processing, privacy by design, data subject access rights (DSARs), data protection officers (DPOs), data sharing agreements, breach notifications and other components of the European privacy law.
GDPR is currently the world’s leading data privacy and data protection law. The law went into effect in May 2018 after a two-year grace period on enforcement. Companies have collectively spent billions of dollars to improve their privacy practices to give EU citizens the privacy rights called for by the law.
Companies should find resources here targeted at every stage of the GDPR compliance journey, from businesses that are just starting out to those with mature privacy programs that are looking to maintain and improve their existing processes.
Overview / Summary of GDPR
With more than 55,000 words in the final version of the privacy law (including all of the recitals and articles), wading through it initially can be a time-consuming task. Here are a few resources that we have put together to make your initial foray into it easier:
Fines and Enforcement
GDPR provides for fines and penalties of as much as 20 million euros or 4% of global annual turnover (revenue). If your primary concern is the potential threat to your business from the data protection authorities (DPAs), the following information should prove helpful:
As part of GDPR, organizations must understand what data they are collecting, how that data is being used (processed), and which third parties receive it from them. Data mapping is an important part of this process:
Risk Assessments / Data Protection Impact Assessments (DPIAs)
Every business should conduct risk assessments near the beginning of its privacy compliance effort to ensure that it understands the potential data privacy issues for its customers / users as well as the potential impact of those issues on its own business. These impact assessments should be performed again as necessary when there has been a change of circumstances or technology to ensure that the business understands and mitigates the privacy risks in its processes. The GDPR requires DPIAs in certain circumstances, but such assessments are generally considered a best practice in the privacy world:
Privacy by Design and Privacy by Default
GDPR asks organizations to embed concerns about privacy into their workflow from the beginning and establish default practices that protect user privacy. For more information about privacy by design and default in Article 25:
Transparency by organizations about their privacy practices is one of the core principles of GDPR. However, these disclosures can be a point of trouble for businesses as consumers don’t want to spend the time to read and understand them, complex technology makes it difficult to describe what is happening behind the scenes, and new laws require additional disclosures to promote accuracy while tasking businesses with making them more concise. Here are some of our discussions of privacy policies around GDPR:
Lawful Basis for Processing
There needs to be a lawful basis for all processing of personal data under GDPR. For many organizations with personal data, that basis will be user consent. However, there are other bases that an organization may consider applying. We discuss them below:
One of the most flexible avenues to collect and process personal data under GDPR is consent. However, it is also one of the most rigid areas, with requirements concerning the manner by which consent is collected, the disclosures that are made, and the need to provide a mechanism to withdraw consent. Here are a few resources that we have written about consent under GDPR:
Subject Access Requests
GDPR puts control of data back in the hands of EU citizens (known as data subjects in the law). The law sets forth a number of rights, including the right to access their data, the right to correct inaccuracies, the right to be forgotten, and the right to data portability.
Data Protection Officers and Representatives
GDPR requires certain organizations to hire or appoint individuals to carry out certain tasks. Those requirements are set forth in Articles 27 and 37-39. For an overview of these requirements, check out:
Third Party Data Sharing, Vendors and Data Processing Agreements
A major area of concern in privacy is third-party vendors. GDPR requires data processing agreements between data controllers and data processors to ensure that the mandates of GDPR are fulfilled. Here are a few pages that we have written discussing this important area of the law:
GDPR is more than a privacy law – it is also a data protection law. The law imposes steep penalties for the failure to adopt reasonable security practices and notify consumers and the authorities of data breaches within a reasonable amount of time, usually within 72 hours of discovery.
Accountability is another of the core principles of GDPR. The principle is primarily set forth in the Article 30 documentation requirement:
There are so many aspects to GDPR that we could not possibly fit everything that we have written into the above buckets. We will put other interesting articles here:
Poland and Denmark Issue First GDPR Fines (covering Transparency and Data Minimization)
Poland and Denmark announced their first fines under the European Union General Data Protection Regulation (GDPR) as Data Protection Authorities are starting to exercise their new regulatory power in data protection. Although these fines don’t compare in size to the EUR 50 million fine of Google by France, they do signal that forced consent, the lawful basis of processing and the large tech companies are not the only areas of the new privacy law that the DPAs are investigating.
Dutch DPA Issues Policy on GDPR Fines
The Dutch Data Protection Agency (Autoriteit Persoonsgegevens) issued a policy on GDPR fines last week to bring additional clarity, guidance and standards to its decisions to levy penalties under the European Union General Data Protection Regulation (GDPR). GDPR permits Data Protection Authorities to issue penalties of up to 4% of an organization’s global annual revenue (or up to 20 million euros, whichever is higher) for certain violations. However, the standard fines will be well short of that amount according to the ranges provided.
EDPB Issues Opinion on Intersection of GDPR and ePrivacy
The European Data Protection Board has published a 24-page Opinion of the Board under Article 64 on the interplay between the ePrivacy Directive and the GDPR. The opinion was adopted in order to ensure a consistent interpretation of GDPR throughout the European Economic Area. It was adopted during the Eighth Plenary session.
Dutch DPA Says No Cookie Walls Because of GDPR Consent
The Dutch Data Protection Authority Autoriteit Persoonsgegevens (“AP”) issued an interpretation of the General Data Protection Regulation (GDPR) declaring that websites must remain accessible for users refusing tracking cookies. AP also said it would intensify its compliance monitoring around cookie walls and had sent letters to some parties about their use of them.
German Antitrust Regulator: Facebook Violates GDPR
The GDPR data protection authorities are not the only organizations in Europe which are considering the data practices of large companies. The Federal Cartel Office (FCO or Bundeskartellamt) in Germany, which enforces German antitrust and competition law, has ordered Facebook to stop combining user data between its platforms, as well as the information gathered from third-party sources, without the voluntary consent of its users. In the Press Release, the FCO indicated it “closely cooperated with leading data protection authorities” and “Facebook’s terms of service and the manner and extent to which it collects and uses data are in violation of the European data protection rules to the detriment of users.”
CNIL Releases Data Sharing Guidance for Third-Party Marketing under GDPR – Requires Informed Consent
CNIL, the French Data Protection Authority (DPA), has recently become a driving force for changes in data privacy practices: it has released guidance requiring consent for the disclosure of personal data to third parties for marketing purposes, and it has issued Google a GDPR fine for invalid consent and a lack of transparency.
France’s CNIL Gives Record GDPR Fine of $57 Million to Google
The National Data Protection Commission (CNIL) of France issued a record GDPR fine today (January 21, 2019) of 50 million euros. The penalty was levied for a violation of (1) the obligations of transparency and information; and (2) the obligation to have a legal basis for ads personalization processing.
Prep for a GDPR Split via a No Deal Brexit
If your organization has not yet started preparing for a no deal Brexit and its implications for your organization’s data privacy practices, now is the time. As expected, the House of Commons in the UK Parliament has declined today to approve Prime Minister Theresa May’s Brexit deal with the European Union.
CNIL Warnings Providing Insight into GDPR Consent Management
Forced consent has been one of the biggest consumer complaints to data protection authorities (DPAs) since the European Union’s General Data Protection Regulation (GDPR) went into effect at the end of May. Although there have yet to be decisions from a DPA about whether Google or Facebook are handling consent properly, CNIL has issued several warnings to smaller advertising or marketing technology companies that it suspects are using personal data in violation of GDPR.
Survey: Half of UK Small Business Owners Confused by GDPR
A survey of UK small businesses by a provider of cyber insurance has identified a number of concerning areas in the data protection practices of small businesses. 1,000 owners of small businesses were polled on data protection and privacy regulations (such as the several-months-old General Data Protection Regulation (GDPR)).
Will 2019 Be the Year of GDPR Enforcement & Finalization of the ePrivacy Regulation?
The Data Protection Commissioner for Ireland said that there would not be major GDPR fines in 2018, but it is safe to expect some in 2019. The chair of the European Data Protection Board said that there were 14 cross-border enforcement cases happening now, but they were complicated and resolution would take “months”. The CNIL Director of the Rights Protection and Sanctions Directorate reportedly warned that the transition into GDPR “is coming to an end” and there will be action with “teeth”.
More DPAs Issuing GDPR Fines and Warnings
CNIL Warns Adtech Startup Vectaury Over Consent; German Regional DPA Fines Social Media Platform Over Data Breach.
Survey: 88% of Irish Businesses Optimistic About GDPR Compliance
A survey of Irish businesses released this month by Mazar and McCann Fitzgerald provides additional benchmarking data for companies closely following developments in the months after the May rollout of the General Data Protection Regulation. The online survey of senior employees in compliance and data protection at Irish businesses was conducted during October 2018. The survey captured a cross section of businesses according to number of employees, business sector and industry.
EDPB Releases Guidelines on Territorial Scope of GDPR
The European Data Protection Board (EDPB) has released its guidelines on the territorial scope of the General Data Protection Regulation (GDPR) for public consultation. The guidelines seek to clarify the application of GDPR to controllers and processors that are not located in the European Union (EU) and the scope of the privacy law’s extraterritoriality.
Dutch Question Microsoft Over Office Data Telemetry Collection Violations under GDPR
The Netherlands Data Protection Authority has found that Microsoft Office is in violation of eight regulations in the European Union’s General Data Protection Regulation (GDPR), according to recent media reports. The concerns center around the built-in telemetry data collection mechanism of the product in ProPlus subscriptions of Office as well as the web-based version of Office 365.
Austria Issues First GDPR Fine
The Austrian Data Protection Authority has, according to reports, issued its first fine under GDPR against an entrepreneur with a CCTV camera in front of his establishment. The violations involved unpermitted large scale monitoring of public spaces as well as the failure to meet the applicable transparency obligations. The amount of the fine was EUR 4,800.
Privacy Complaints Up in France after GDPR
France reported a 64% increase in privacy complaints after GDPR went into effect on May 25th, according to the French data protection agency CNIL this week. CNIL has received 3,767 complaints under GDPR compared to 2,294 during the same period last year. According to CNIL, the increase over what was already a record year last year suggests that EU citizens have seized on the privacy rights provided by GDPR.
ICO Threatens Max GDPR Fine to AggregateIQ
The United Kingdom Information Commissioner’s Office has given AggregateIQ thirty days to cease processing of certain personal data or it will be subject to a penalty up to the maximum 4% fine under the European Union (EU) General Data Protection Regulation (GDPR). If the maximum fine were issued based on its annual global turnover, it would be 17 million (approximately $22.4 million USD).
ULD DPA Issues Ban on Data Processing Under GDPR
GDPR has been used to issue a ban on data processing by Unabhängiges Landeszentrum für Datenschutz (ULD) in Germany’s Schleswig-Holstein, according to a report in IAPP’s Privacy Advisor. Although the IAPP article details why the first GDPR fines could still be months away, the fact that the DPA of the German state used this remedy should be of note for companies and other organizations. The case involved webcams on the internet that failed to comply with data protection laws, both before and after the General Data Protection Regulation went into effect on May 25th.
Data Privacy Complaints Double in UK under GDPR
The Information Commissioner’s Office (ICO) in the United Kingdom has reported that complaints to its office have doubled since GDPR went into effect in May. According to the information recently released through a FOIA request, there were 6,281 complaints to the ICO between May 25 and July 3, while last year there were only 2,417 complaints during the same period.
Study: GDPR Increased Cookie Banners and Privacy Policies
Survey: Only 35% of Companies Can Show GDPR Compliance
A new Deloitte poll of nearly 500 professionals found that only 34.5 percent of the respondents thought their organization could defensibly demonstrate compliance with the European Union (EU) General Data Protection Regulation (GDPR). Around one-third of the respondents hope to be compliant by the end of 2018. That still leaves a significant percentage of companies that are going to test the data protection authorities or simply don’t have the internal budget or resources to achieve compliance. Around 12 percent of the respondents said that they were taking a wait-and-see approach to full compliance.
German DPA Circulates GDPR Compliance Survey
The Data Protection Authority for the German state of Lower Saxony sent out a survey on GDPR compliance to 50 companies under its jurisdiction at the end of June. The primary purpose of the survey, according to the head of the Lower Saxony DPA, is to gauge awareness of data protection and GDPR. The survey asks the companies a number of questions about their GDPR preparations and actions.
5 GDPR Challenges for Retailers from the NRF
How does GDPR apply to retailers with storefronts, websites, mobile apps and other means to sell products to consumers? We just discovered the 14-page report titled “Retail Approach to Implementing Critical Elements of the GDPR”, published by the National Retail Federation and EuroCommerce in May, which provides insight into this issue. The report is a discussion document for the global retail industry issued by two of the world’s largest retail trade associations. The National Retail Federation is the world’s largest retail trade association, representing companies in the United States and 45 other countries. EuroCommerce is the principal organization representing the retail and wholesale sector in Europe, with national associations in 31 countries. The accompanying press release indicates that the paper will be shared with the data protection authorities in the 28 EU member states.
If you would like to see a demo of the Clarip software to enhance your GDPR compliance efforts, call 1-888-252-5653.
Still learning about privacy? We have also compiled a great guide to the California Consumer Privacy Act.