The entry into force of the European Union General Data Protection Regulation (the “GDPR”) is almost here. This means that within the next year, every online business, regardless of whether it owns a website, an e-commerce shop, a mobile application or some other form of electronic business, will have to bring its processes into conformity with the new European personal data protection rules.
The upcoming GDPR imposes a wide range of obligations, both amended and entirely new, on businesses that process personal data.
Before getting into the essence of the obligations of website and mobile application owners, one has to note that from May 2018, every business, regardless of whether it is based in the EU or not, will have to comply with the 99 Articles of the new GDPR if it holds or processes the personal data of even one European citizen.
This means that the EU General Data Protection Regulation will apply to you even if you are a US, Singapore, Israel or an Australian business.
NEW GENERAL PERSONAL DATA PROTECTION OBLIGATIONS
Almost every website has a contact form. If you own such a website, this means that you process personal data (name, e-mail, etc. that is input through that contact form) and that you are a controller within the meaning of the GDPR.
A data controller must be able to demonstrate that the processing it performs or has been performing is compliant with the GDPR. This means that if your business is subject to an audit, you need to prove that your processing is in line with the new rules (principle of accountability). To do that, every business needs to implement a code of conduct or another kind of certification mechanism.
Other important obligations of controllers are the “privacy by design” and “privacy by default” concepts. What “privacy by design” requires is that the purposes, means and aims of the processing need to be established and outlined prior to commencement of the processing (in the planning phase of processing activities).
In addition, “privacy by default” requires that controllers implement “appropriate technical and organizational measures” in order to guarantee that, by default, only personal data which is necessary for a specific purpose is processed. In other words, data collected and processed should not be excessive and should not be stored for longer than is necessary for the given purposes.
As mentioned, companies established outside the EU to which the GDPR is applicable would have the obligation, as controllers, to appoint a representative established within the EU.
Controllers would also have to keep a detailed record of their data processing operations. It must be made available to the supervisory Data Protection Authorities (DPAs) upon request.
Online businesses will also have to appoint a data protection officer (DPO) if their data processing involves “regular and systematic monitoring of data subjects on a large scale” or where the business conducts large-scale processing of “special categories of personal data”.
In case you are not sure whether this applies to you, we will be happy to consult you on the need to appoint a DPO for your business.
NEW SPECIFIC OBLIGATIONS
As already mentioned, every business needs to set up appropriate technical and organizational measures in order to secure the personal data of its clients, users and customers. This may include different types of pseudonymisation or data encryption.
Another duty imposed on controllers is the “personal data breach” notification obligation. Businesses need to send a notification to the “competent” supervisory authority in case of a security breach (meaning a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed). Notice must be provided “without undue delay and, where feasible, not later than 72 hours after having become aware of it.”
There are also a number of obligations related to “high risk” data processing. Those will not be looked at in depth, as online businesses are rarely involved in such types of data processing. We are nevertheless prepared to advise you on whether your processing activities include such kinds of data.
PENALTIES AND FINES
As previously discussed, non-compliance with the GDPR may be disastrous. Fines for businesses can reach €20,000,000 or 4% of the annual worldwide turnover for the preceding financial year of the entire undertaking (including parent and related companies).
Because of that, online businesses need to treat bringing their operations in line with the GDPR as an important project and not leave it for the last moment, as it will call for considerable effort.
HOW TO COMPLY WITH THE GDPR
The first step towards GDPR compliance is determining whether you deal with the data of EU citizens.
If your online platform, whether it is a website, mobile app or desktop application, collects the personal information of even a single EU citizen, you need to comply with the General Data Protection Regulation.
Have a look at Facebook’s home page, and how they have done it.
And here is an example of a GDPR compliant mobile app. Netflix summarizes it perfectly.
Furthermore, you need to make sure that you have a Data Protection Officer, that is, the person within your organisation responsible for GDPR and data protection compliance. The DPO will be responsible for enacting measures and policies ensuring your compliance with the General Data Protection Regulation.