In the first post of our European Union (EU) privacy law series, we talked about who the new EU General Data Protection Regulation (“GDPR”) rules apply to. To put it briefly, the new rules apply to any business in the world (including the U.S.) that stores or otherwise uses any identifying personal data of any individuals in the 28 countries that make up the EU.
The GDPR is a tremendously lengthy and complex set of rules, laid out in 99 separate articles. This post is a brief summary of the types of actions that are prohibited by the GDPR.
Customers Must Opt-in To Having Their Personal Data Processed
Prior to the GDPR, there was a general approach to personal data collection that a person needed to “opt out” of a company storing or using their data, such as by writing to the company to ask them not to use their data.
Under the new rules, companies must get the person’s consent – in other words, the customer must “opt in” – prior to the company processing their data. This consent must be obtained using clear, easily understandable language.
Businesses Must Inform Customers Why Their Data Is Being Processed
Simply asking customers if you can store their data is not enough. Under the new rules, the customer must know the purposes for why their data is being collected. If a business stores a customer’s address so it can send deliveries, the customer should be informed of that purpose. The company cannot, however, use that address for another purpose outside of the consent, such as selling it to a third party, without first obtaining additional consent.
Individuals Must Be Informed of the Transfer of Their Data
Similarly, if the personal data of a customer, employee, or other individual is transferred outside of the EU, the customer must be informed of this, and it cannot be done without their consent.
Individuals Must Be Informed of Automated Decisions Based on Their Data
When a business employs an automated process to make a decision about an individual (for example: using an algorithm to determine whether a person should receive a loan) the individual needs to be informed of the fact that an automated process was used and be given a chance to contest the decision.
Individuals Now Have a “Right to Be Forgotten”
If an individual asks a business to remove all personal data relating to him or her, including any information that could be decrypted to identify the person, the company must promptly do so to honor the individual’s “right to be forgotten” under the GDPR.
Even if a person does not request that the company erase the data, the company must still erase an individual’s personal data when it is no longer of legitimate use to the company.
Businesses Must Provide Individuals With Information About Data Processed
If an individual asks a company for a copy of what personal data it has collected or stored on him or her, the company must give that person the information requested.
Users Will Have a Right to Have Their Data Transferred
Under the new law, an individual can request that a company holding his or her personal data transfer that data to another company, as could be the case when a person decides to leave a social media site for a new social media site.
Businesses Must Protect Data and Promptly Inform Individuals of Breaches
The new rules also provide strong mandates for companies to protect personal data – whether in digital form or old-fashioned paper files – to prevent theft. In addition, companies must promptly notify individuals of data breaches relating to their personal data.
Companies for whom personal data processing is a key aspect of their business, such as digital marketers and online retailers, should ideally have a compliance professional either in-house or as a consultant to gain a comprehensive understanding of the GDPR requirements, but any company that even stores the single name of an EU resident in an office registry needs to have at least a basic understanding of what the GDPR mandates. Contact The Fried Firm for a consultation to determine if your business needs to adhere to these new GDPR requirements.
In our final post of this series, we will look at the penalties companies in the U.S. face for violating the GDPR, which was made effective as of May 25, 2018, and what types of actions they should take to protect themselves. Stay tuned!