Today is the day! Companies around the world have had two years to prepare for implementation of the General Data Protection Regulation, the comprehensive legal regime with the self-stated goal of putting the European Union at the forefront of safeguarding individuals’ data privacy rights. Well, now that GDPR is finally in effect, we can safely assume that every company that may be impacted by it has performed a full analysis of applicability and has a complete grasp of all 99 of its Articles…right?
For all of the buzz and media coverage of GDPR, business leaders can be forgiven if they’ve missed or misunderstood some of the finer points embedded within the voluminous text of the regulation. Even the guidance issued by regulatory bodies like the EU Commission, Article 29 Working Party, and UK Information Commissioner’s Office acknowledge that there is ambiguity in some of the provisions of GDPR. Of course, it goes without saying that it’s better not to be surprised by GDPR’s various requirements and exceptions, so here are five aspects of GDPR that every corporate data steward should keep in mind:
- The right to be forgotten is not absolute. As with consent, the right to erasure has emerged as a bogeyman of sorts for companies concerned with maintaining access to data critical to their businesses. Some may worry that GDPR will force them to delete all of an individual’s data immediately once such a request is made. In reality, Article 17 of GDPR states that immediate erasure is required only on certain grounds, such as when the data is no longer necessary for the purposes for which it was collected or if it was collected unlawfully in the first place. GDPR also allows important exceptions to the right of erasure. Among them: when EU member state laws specify the retention of data to meet legal obligations, and when data processing is necessary for the sake of freedom of expression — for instance, newsworthy information published by a journalistic outfit.
- There’s a difference between legal representatives and data protection officers (DPOs). GDPR creates a need for new roles inside and outside organizations, and there’s been some confusion as to whether two of these roles are one in the same: legal representatives and data protection officers. In fact, these roles are distinct. Here’s a quick breakdown:Data protection officers are required under Article 37 for certain companies that monitor individuals on a large scale or perform large-scale processing of certain categories of data. A DPO is an individual that can be a company employee or an external professional and is charged with essentially functioning as a watchdog: he or she reports to the highest levels of the company and conducts internal investigations when concerns or complaints arise about how the company manages data. The DPO is charged with remaining independent of the company when investigating these complaints and cannot be fired by companies in retaliation for performing his or her duties.Legal representatives are required under Article 27 for certain companies based outside the EU that process data subject to GDPR. These representatives, which may be individuals or separate entities, act as liaisons to data protection authorities. When a European regulator wants to get in touch with a company about a data breach or other issue, they call the representative. That representative, as the name suggests, is charged with representing the interests of the company.Both roles require a thorough understanding of a company’s data practices, but the key duties of each differ and, ideally, should be fulfilled by different people/entities, to prevent a conflict of interest.
- Rules governing data portability may create uneasy cooperation between competitors. Under Article 20, companies must provide a person his or her personal data in a structured, commonly used, machine-readable format so long as the data processing was automated in the first place. At the person’s request, a company must also transmit the data to another company, meaning that a consumer could conceivably ask a business to transfer his or her data to a competitor. For instance, a person using a wearable fitness tracker could decide to switch to a different product and essentially order wearable vendor A to provide information on the person’s heart rate patterns, sleep cycles, and more to wearable vendor B. Where the hassle of transferring data may have previously made a customer hesitate to switch products or vendors, now switching may be more seamless than ever. While that may be welcome news for consumers, businesses should be aware of the potential impact to their bottom line.
- Specific employee data privacy rules may apply. GDPR applies to both a company’s individual customers and its employees. But for EU-based companies, GDPR is just a baseline for employee data privacy protections — Article 88 permits individual member states to set their own, more far-reaching rules governing employee data privacy (such as the employment-specific rules in Germany’s Federal Data Protection Act).For companies with no offices or employees in the EU and not offering goods or services to the EU, complying with the employee data privacy rules of GDPR isn’t something they typically have to worry about… . . . unless those employees travel to the EU. Here’s where it gets tricky: If a company is collecting data on the behavior (e.g., location) of its employees while those employees happen to be visiting EU member states, the processing of that particular data is arguably subject to GDPR under Article 3(2)(b). How closely regulators will be holding non-EU businesses accountable for following GDPR in such specialized cases is not completely clear, but being aware of this issue could be worthwhile for companies with employees who frequently travel to Europe.
With a better understanding of GDPR, businesses have the opportunity to focus their attention on issues that matter most and proactively address complications before they evolve into real problems.