25/01/2018

Many experts now say that it is safer today to be a consumer in the European Union than in the United States. The European institutions take personal data privacy very seriously, and proof of this is the European Union’s new General Data Protection Regulation, or GDPR. This article summarises the main points of that regulation.

1. What is the General Data Protection Regulation?

The GDPR is a package of new legislative rules introduced by the European Union to make it easier for residents of EU countries to protect their personal data online. The regulation was officially approved on April 27, 2016 and will formally enter into force across the EU on May 25, 2018.

2. What data is covered by the General Data Protection Regulation?

Virtually all data pertaining to persons residing in the European Union. This includes not only official identity documents, but also information requested by websites, such as IP and email addresses, physical device information, home addresses, dates of birth, medical records and financial information, including online transaction histories.

The legislation also protects user-generated data, such as social media posts (including individual tweets and Facebook updates), as well as personal images uploaded to any website, including images that do not depict the person who uploaded them.

Basically, the GDPR protects each and every user’s personal data on virtually every conceivable online platform. 

3. Why is the General Data Protection Regulation necessary?

Many European countries already have their own data collection and storage laws, but GDPR aims to protect user data more robustly and uniformly across the European Union by unifying existing data protection regulations in its 28 member states. It is of considerable benefit to companies trading in several EU member states, as the GDPR will replace any and all privacy and data protection laws currently in force in EU member states. 

4. What happens to companies that do not comply with GDPR? 

Non-compliance with the GDPR carries heavy penalties.

The first step in the process is a formal written warning, which may be issued to a company even in cases of unintentional violations; ignorance of the law is no excuse for non-compliance. The next stage of punitive action may force companies that violate the GDPR to undergo periodic data integrity audits to ensure compliance, which also means ceding access to potentially sensitive, confidential or proprietary information to an auditor.

For companies that have not yet taken the hint, firms that breach or violate any part of the legislative package after the initial sanctions can be fined up to €20 million or 4% of their turnover.

5. What counts as ‘pseudonymized data’ under the GDPR?

According to the GDPR, pseudonymized data is “anonymized data that is not identifiable or is no longer identifiable.” In essence, this means that any identifying information regarding an individual user must be completely removed from all stored or processed data so that the identity of a specific user cannot be revealed, not even to the company or authority responsible for anonymizing the data itself. 

The GDPR also protects information such as a person’s religious, philosophical or political beliefs, information about their sexuality or sexual orientation, membership in organizations such as trade unions, and genetic or biometric data, including fingerprints and DNA. Since all of this data is protected by the GDPR, the measures a company takes to pseudonymize its data must ensure that these data points are also completely deleted.

The main reason the GDPR text and recitals use the term “pseudonymized data” instead of “anonymized data” is largely one of pragmatism. It is very difficult to completely remove all identifying information about a user. Truly anonymized data is outside the jurisdiction of the GDPR, but since it is highly unlikely that many data controllers will be able to fully and completely anonymize their users’ data, the GDPR uses the definition of pseudonymized data.
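The two paragraphs above describe the practical side of pseudonymisation: direct identifiers and the special-category fields (beliefs, sexual orientation, union membership, genetic or biometric data) must be removed, and identifiers can also hide in places such as free-text notes. The following is an added example, written for this article rather than taken from it or from any regulator; the field names, the sample record and the two scrubbing patterns are assumptions chosen to illustrate the idea, not a schema the GDPR prescribes.

```python
"""Added example: a minimal record sanitiser of the kind the article
describes. Constructed for illustration; not code from the article."""
import re

# Fields that directly identify a person. Assumption: names chosen for
# this constructed example; a real schema would differ.
DIRECT_IDENTIFIERS = {
    "name", "email", "ip_address", "home_address", "date_of_birth",
    "device_id", "phone",
}

# Special-category fields named in the article (beliefs, sexuality,
# trade-union membership, genetic or biometric data).
SPECIAL_CATEGORIES = {
    "religion", "political_opinion", "sexual_orientation",
    "trade_union", "fingerprint_hash", "dna_profile",
}

# Identifiers that commonly hide inside free text such as support notes.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scrub_text(text):
    """Replace e-mail and IPv4 addresses embedded in free text."""
    text = EMAIL_RE.sub("[email removed]", text)
    return IPV4_RE.sub("[ip removed]", text)


def pseudonymise(record):
    """Return (clean_record, removed_fields).

    Direct identifiers and special-category fields are deleted outright
    rather than masked, and every remaining string field is scrubbed for
    embedded identifiers. The list of removed fields is returned so the
    operation can be logged for an audit.
    """
    clean = {}
    removed = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in SPECIAL_CATEGORIES:
            removed.append(key)
            continue
        if isinstance(value, str):
            value = scrub_text(value)
        clean[key] = value
    return clean, sorted(removed)


# Constructed sample record; the values are made up for this example.
SAMPLE = {
    "name": "Jane Example",
    "email": "jane@example.org",
    "ip_address": "203.0.113.7",
    "date_of_birth": "1980-01-01",
    "religion": "undisclosed",
    "plan": "premium",
    "signup_year": 2017,
    "support_note": "Customer wrote from jane@example.org via 203.0.113.7.",
}

if __name__ == "__main__":
    cleaned, dropped = pseudonymise(SAMPLE)
    print(cleaned)
    print("removed:", dropped)
```

Note what the example does not solve: fields such as `signup_year` together with `plan` are quasi-identifiers that can still single out a person when combined with other data, which is precisely the difficulty the article raises when it explains why the regulation works with pseudonymised rather than truly anonymised data.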

6. What is “affirmative consent” in the context of the GDPR?

Many marketers will already be familiar with the concept of affirmative consent, a principle that states that individuals must, for example, give their express permission to a company before it can add that person to a mailing list. This is the “opt-in” approach.

Under the GDPR, affirmative consent rules will be strengthened. This means that companies will no longer be able to bury clauses in long and detailed terms of service agreements or obscure their intentions through legal trickery. The GDPR states that EU citizens must not only give their express permission before a company can process or store their data, but also that companies must provide EU citizens with clear and easy-to-understand opt-in processes that explain how user data will be stored, processed or used.

7. What about affirmative consent for minors?

App developers, entertainment websites and other types of companies routinely handle data belonging to minors, and the GDPR has specific guidelines on how this data should be handled.

Affirmative parental consent is vital for collecting, storing or processing the personal data of EU citizens under the age of 13. Data recipients must be able to demonstrate, on request, that affirmative parental consent was granted, and it is important to note that this consent can be withdrawn at any time, just as consent to the processing of an adult’s personal information can be.
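Sections 6 and 7 together describe four properties a consent process needs: processing is denied unless the person opted in, the opt-in is tied to a plain-language notice of the purpose, the company can later demonstrate that consent was given, and consent can be withdrawn at any time, with a parent giving it for anyone under 13. The following is an added example of a small consent register that enforces those properties; it is written for this article, not taken from it or from any regulator, and the class, method names and the sample purposes are assumptions for illustration.

```python
"""Added example: a consent register enforcing opt-in by default-deny,
evidence of consent, withdrawal, and the parental-consent rule for
minors as the article states it. Constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Age below which the article says parental consent is required.
PARENTAL_CONSENT_AGE = 13


@dataclass
class ConsentRecord:
    purpose: str                  # what the data will be used for
    notice_text: str              # the plain-language explanation shown
    given_by: str                 # "subject" or "parent"
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentRegister:
    """Hypothetical in-memory register; a real one would be persisted."""

    def __init__(self):
        self._records = {}  # (subject_id, purpose) -> ConsentRecord

    def record_opt_in(self, subject_id, age, purpose, notice_text,
                      given_by="subject"):
        """Store an explicit opt-in. Refuses an empty notice and refuses
        a minor's own consent where the article requires a parent's."""
        if not notice_text.strip():
            raise ValueError("consent needs a clear notice of the purpose")
        if age < PARENTAL_CONSENT_AGE and given_by != "parent":
            raise PermissionError("parental consent required for this subject")
        rec = ConsentRecord(purpose, notice_text, given_by,
                            datetime.now(timezone.utc))
        self._records[(subject_id, purpose)] = rec
        return rec

    def withdraw(self, subject_id, purpose):
        """Withdraw consent at any time; returns False if nothing to withdraw."""
        rec = self._records.get((subject_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = datetime.now(timezone.utc)
        return True

    def may_process(self, subject_id, purpose):
        """Default deny: only an unwithdrawn opt-in permits processing."""
        rec = self._records.get((subject_id, purpose))
        return rec is not None and rec.withdrawn_at is None

    def evidence(self, subject_id, purpose):
        """What the company can show on request: who consented, to what
        wording, and when; None if no consent was ever recorded."""
        rec = self._records.get((subject_id, purpose))
        if rec is None:
            return None
        return {
            "purpose": rec.purpose,
            "notice_text": rec.notice_text,
            "given_by": rec.given_by,
            "granted_at": rec.granted_at.isoformat(),
            "withdrawn_at": rec.withdrawn_at.isoformat() if rec.withdrawn_at else None,
        }


if __name__ == "__main__":
    reg = ConsentRegister()
    print(reg.may_process("u1", "newsletter"))   # denied before opt-in
    reg.record_opt_in("u1", 30, "newsletter",
                      "We will send you one e-mail newsletter per week.")
    print(reg.may_process("u1", "newsletter"))   # permitted after opt-in
    reg.withdraw("u1", "newsletter")
    print(reg.evidence("u1", "newsletter"))
```

The design point is that the register never has a "pre-ticked" state: `may_process` answers False for any subject and purpose it has no record of, so a missing opt-in and a withdrawn one are treated identically, and the stored notice text is what the company would produce to demonstrate that the consent was informed.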