The European Union’s General Data Protection Regulation (GDPR) came into effect in May of 2018, bringing with it a host of obligations imposed on any company with dealings in the EU. The GDPR is raising the privacy expectations of companies worldwide. Indeed, several companies, including Microsoft, intend to extend GDPR protections to their users globally. Google also just updated the privacy obligations for applications offered through its online Google Play store. Finally, privacy advocates in Canada are now pointing to the GDPR as the example this country should follow.
In this post we examine the key provisions of the GDPR with a view to informing you of what companies may need to do to maintain privacy policies that meet the expectations of companies like Microsoft and Google, and that will also be perceived as acceptable as the GDPR’s influence extends into the future.
Consent
Subject to limited exceptions, the GDPR requires an individual’s express consent as a necessary condition to the collection, use and disclosure of personal information. The GDPR also permits organizations to collect, use and disclose personal information on the basis of the performance of a contract. The requirements are onerous. Consent must be given by an affirmative act of the individual, cannot be bundled into a contract and must be given separately for each use of the personal information. Consent will also not be valid where there is a clear imbalance of power, or where the company collects or uses more information than is necessary to perform its contract.
Right to data portability
The GDPR grants individuals the right to access and receive their personal data in a structured, commonly used and machine-readable format, and to send it to another data controller. The right to data portability applies regardless of whether an organization collects personal information on the basis of consent or in order to perform a contract with the individual.
Right to erasure
This GDPR right permits individuals to require organizations to “erase” their personal information in a number of circumstances. An organization will need to erase personal information that is no longer necessary for the purposes for which it was collected. If the individual withdraws consent and there is no other legal ground for processing, the data must be erased. Moreover, where the data controller has made the data public, it must take reasonable steps to inform other data controllers who have received the data of the withdrawal of consent.
Data breach notification
The GDPR contains strict data breach provisions. In most cases, a data breach will involve some form of unauthorized access, including unauthorized alteration or destruction of data. The GDPR defines a “personal data breach” as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
Data breaches must be reported to the supervisory authority without undue delay – i.e., where feasible, not later than 72 hours after the organization becomes aware of the breach. Notably, organizations are only required to communicate a breach to the affected individuals when there is a high risk to their rights and freedoms.
GDPR Compliance is the Future
GDPR compliance is not just an EU issue. Its adoption by leading global companies and forward-looking policies means that companies that examine and incorporate GDPR compliance into their operations now will be well served in their future dealings with other companies and with an increasingly privacy-savvy public.