Here's What You Need to Know About GDPR

The clock has struck midnight in Helsinki, which means GDPR is in effect! All organizations that are not fully compliant will soon be visited by Viktor Orban's shock troopers.

Nah, just kidding :)

GDPR has gone live, but there's no need to panic if you're not in compliance. Read on to learn why you can exhale, and what you should do next!

As you might already know, the General Data Protection Regulation was enacted by the European Union to guarantee stronger privacy and transparency rights for users, and to ensure that organizations don't abuse their users' data rights. Though it was enacted by the European Council, the implications of GDPR extend far beyond the Schengen Area. Under its purview, the following classes are protected:

• European citizens
• European residents
• Tourists in Europe
• The band Europe
• The band Asia¹
• People of European descent
• People who pronounce it "Barth-a-lona"

(I made up the last two, but still - GDPR is more inclusive than a Sarah Lawrence drum circle.)

While at least some of your users likely fall under one of those categories, there’s no need to freak out if you’re not currently compliant. Yes, the fines are intimidating (up to €20 million or 4% of worldwide annual revenue, whichever is greater), but here are a few caveats to consider:

• GDPR was designed with Google and Facebook in mind, and the initial targets will be data-heavy giants like them.
• Of the 28 nations affected by the Agreement, only four² have stated they will be ready to undertake compliance supervision as of May 25th.
• GDPR empowers supervisory authorities with 10 corrective measures by which to address an organization’s non-compliance, and fines will likely be saved for the most egregious violations committed by repeat offenders. For initial violations, it is far more likely that the supervisory authority will issue a warning than a fine.³

So, there’s no need to panic if you're not yet GDPR-compliant, but it would behoove your organization to start the process right away. Enforcement from Europe will arrive eventually, and the consensus among data privacy experts is that similar laws are on the horizon, both globally and here in America (especially if the Dems win back Congress this November).

To ensure compliance we recommend you consult with your legal counsel, and it couldn’t hurt to read the full 261-page Agreement. Well, we suppose it could hurt your eyes, but that’s what interns (and their taut, yet malleable corneas) are for!

Anyway, before you call in the lawyers or the twenty-somethings, here are a few top-line items to keep in mind:

Special Categories of Data

In addition to guaranteeing protections for general personal data, GDPR deems the following classes of data as “Special", which trigger additional requirements:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade-union membership
• Health, sex life, and sexual orientation
• Genetic data or biometric data
• Criminal convictions and offenses

Read more about Special Categories: Article 8, Article 9, & Article 10

Internal Requirements

Foremost, GDPR requires that organizations implement the following major internal changes:

1. User Agreements and Obtaining Consent Probably the most visible impact of GDPR is the directive that organizations be up-front with their users regarding how, when, and why their data is processed and handled. Among other things, GDPR demands that organizations not bury the actual terms of consent deep in Privacy Policies, nor obfuscate the terms with intentionally confusing legalese. Additionally, vague statements like, “Our organization reserves the right to use your data in any way we see fit…" are no longer considered acceptable. Read more about updating user agreements and obtaining consent: Article 12
2. Data Protection Impact Assessments This requirement applies to organizations that engage in data processing that is "likely to result in a high risk to the rights and freedoms of natural persons". In short, these organizations must conduct thorough risk assessments of all their data processes and procedures. These assessments will be arduous to complete, so a generally wise practice is to ask yourself: “Do we even need this data?”. If the answer is "No", it is likely in your best interest to stop collecting it. Read more about DPIAs: Article 35
3. Breach Notifications GDPR stipulates that users must be notified within 72 hours of the discovery of a data breach. Specifically, that 72-hour window starts the moment a breach is noticed by ANY party. Hence, if a 3rd-party vendor discovers a breach on Monday at 10:00 AM, but doesn't notify the client until Wednesday at 5:00 PM, the client will have only 17 hours to notify its users.⁴ Read more about Breach Notifications: Article 33
4. Records Management / Retention Schedules GDPR stipulates that an organization can only keep personal data for as long as it has a lawful and business-related reason to do so. For practical purposes, this means that if a member has lapsed or "gone silent", the organization must obtain explicit consent to continue marketing to that user. The early consensus seems to be that an acceptable window is two years,⁵ so starting May 2020, best practice would dictate that organizations seek explicit consent before continuing to market to individuals who have demonstrated no activity since GDPR went into effect. Likewise, organizations should update all retention schedules to match this two-year standard.

Naturally, the Agreement encompasses many more topics than what I have described above, but these should be among the first items you consider as you embark upon your GDPR Compliance Journey! Huzzah!

Conclusion

You don’t need to lose sleep over GDPR, but now is the time to start the process of making your organization compliant. Supervision won’t start in earnest for at least several months, so be skeptical of alarmists and opportunists. Take a pragmatic, measured approach to becoming GDPR compliant, and you’ll never have to worry about Viktor Orban’s shock troopers knocking down your door.⁶

PS: Because I find it interesting, allow me to end with a few special notes about Switzerland and Greece:

Switzerland

• GDPR applies to the 28 member nations of the EU, but not (yet) to the other nations in the European Economic Area.⁷
• GDPR does not apply to Switzerland, so any secret Swiss bank accounts designed to cheat the US government will not be affected.⁸
• Relatedly, any illicit financial relationships you may have with corrupt officials at FIFA or the IOC may be resumed without updating a Privacy Policy or appointing a Data Protection Officer.⁹

Greece

• While there is still some uncertainty regarding how fines will be assessed and collected, I have personally confirmed that fees will NOT be deposited in the Bank of Greece. Alas, it appears GDPR will not be the financial savior that nation so desperately needs. Nope, it's austerity for Athens from here until oblivion.
• Opa!

Footnotes

1. They're actually from England. The band Europe is from Sweden. [back]
2. Austria, Belgium, Germany, and Slovakia. Source: International Association of Privacy Professionals (Apr 24, 2018) [back]
3. Source: Dentons (Feb 23, 2018) [back]
4. Note: Spinutech would never do this. Our internal policy dictates that upon discovering a breach, the second action is to call the client. The first action is Dave stands on his desk, yells "THERE'S BEEN A BREACH!", and then blows the Horn of Helm Hammerhand.¹⁰  [back]
5. Source: DMA advice: Data retention (2017) [back]
6. Unless you criticize that tyrant in the Hungarian press. Then all bets are off. [back]
7. Iceland, Liechtenstein, and Norway [back]
8. Note: Spinutech does not endorse tax evasion, money laundering, or generally any services the Swiss banking industry offers. 
9. Ahh Switzerland: The Qatar of Europe 
10. Note: We've never had to do this, but rest assured: Dave is ready. 

About the author: Though Jack did watch a lot of Law & Order growing up, and though he IS aware that Suits was a thing (Thanks Meghan Markle! You looked fabulous at the Royal Wedding!), he is neither an attorney nor a legal expert. To ensure full compliance with the General Data Protection Regulation, Spinutech encourages organizations to consult with their legal teams.