Fines of up to €20 million will be imposed on businesses that fail to comply with the new General Data Protection Regulation (GDPR). Almost every company will have to comply with this EU legislation, which enters into force on 25 May 2018, even if it has only offline activities. To learn more about the different aspects and consequences of the General Data Protection Regulation, Tetyana Karpenko-Duebbers, CEO of "The Loupe", interviewed Monique Bachner, one of Luxembourg's leading governance and company law experts and a legal adviser.

Tetyana Karpenko-Duebbers: Good morning, Monique. Actually, the new regulation makes life for businesses much more complicated, doesn't it?

Monique Bachner: Internally for the companies, yes, but many will have fewer external notifications and forms to fill in; they do not need to pre-submit to their data commissions. But internally, yes, there will be many more obligations.
Should my small bakery around the corner comply with GDPR?

Tetyana Karpenko-Duebbers: Even our small bakery around the corner, which collects data from time to time (they write down people's names and email addresses to pre-order Easter cakes), will also fall within the scope of the regulation...

Monique Bachner: Yes, but they would actually already have fallen within the scope of the first EU Data Protection Directive from the late 90s, which was implemented in Luxembourg in 2002. The change is that small companies were often not fully aware of the scope of data protection regulations before.

Tetyana Karpenko-Duebbers: Now they seem to know.

Monique Bachner: As I said, before they were also responsible. Most would have needed to register with the Data Protection office and define what types of data processing they were doing. And many of these small businesses didn't do that. For them it should be easier in some ways in future, because it moves away from that sort of formalism to focusing more on overall practices. The new approach is more risk-based.
Will my competitors from outside the EU have an advantage over me?

Tetyana Karpenko-Duebbers: That's also an interesting topic. All these pop-up windows, the cookie warnings, can have a negative impact on the conversion of a website. Usually more people will leave a website like this. So, if I am making money with my website, I may have fewer clients. But at the same time, there are companies which are not located in the EU, and they are my competitors. They won't need to put all these things on their sites, so they will have an advantage over me.

Monique Bachner: The question remains: whom are these companies targeting? Facebook is incorporated in California, but that doesn't mean it doesn't have to apply all of this to EU customers. But there are grey areas: if you just have a website on the web, and EU people happen to look at it, it is hard to prove whether or not you are "targeting" them. As soon as you have EU people signing up, or your website is in European languages, you should presume you need to comply.

Tetyana Karpenko-Duebbers: It does not seem easy for EU bodies to follow all companies whose websites are accessible from the EU.

Monique Bachner: Things they may look at include the percentage of traffic, and whether they are trying to advertise to a certain audience. Do they pursue a specific optimization, or is it really just incidental? For example, using a .eu domain name versus the domain extension of their home country... But if they have EU customers or users, which would include Facebook, for example, then clearly they would be subject to the EU legislation regardless of whether or not they had any business or offices in the EU.
Am I responsible for data copied from open sources?

Tetyana Karpenko-Duebbers: Hmm... And how should we deal with data from open sources? For example, for my accounting, I use addresses of my clients copied from the online telephone book. These data are open to everybody. My clients put their information there themselves. So I just go and copy-paste it. Is that treated as collecting personal data as well?

Monique Bachner: It is. There may be an implied consent, as they are providing this personal data, but you are still processing it. Consent requirements are higher under the new rules, so you should consider adding a note on the page where they input information, where you explain the data collection clearly and have them tick a consent opt-in box.

Tetyana Karpenko-Duebbers: Right, this is an important point.

Monique Bachner: It will depend on what you're using it for. It is similar if you get a business card at a conference. There is usually an implied consent that you can process the data to put it in your address book. But the context might dictate whether or not it is also reasonable to put it into your customer relationship management system and add comments and notes. Companies should review how they currently ask for, and document, consent.
How can pseudonymization of data help?

Tetyana Karpenko-Duebbers: And when we are speaking about pseudonymization of data, could it be of help for companies? For example, if someone signed up for my newsletter, but I don't see the data, I see only pseudonyms. This is often used in science and scientific works, because you are not allowed to use any personal data. The data are automatically pseudonymized or anonymized.

Monique Bachner: That definitely helps, because we speak of data that is sufficient to identify a person. If there's no readily identifiable person that you could point to as a result of the data, that would help a lot. This is where some blockchain identity-related initiatives might help. They want to split people's identity so that you're never really producing all of your identity at once, and you can produce limited amounts of identity data, restricted to that which is relevant for the use that's required. So I think this is a really interesting area for GDPR compliance as well. It's the whole digital identity development.

Tetyana Karpenko-Duebbers: This is also a very interesting point: which data makes a person identifiable. In the GDPR, as far as I understand, even names and surnames are treated as data which make persons identifiable.

Monique Bachner: Yes. If you have someone's name, you can usually identify them.

Tetyana Karpenko-Duebbers: Just by the name? I thought it was always a set of data, because just by the name it's not possible to identify anybody. There are a lot of people with the same name.

Monique Bachner: Well, that might depend on how unusual the name is. With John Smith, you'd probably have more difficulty identifying them without any additional data points. But there are other people who've got very unusual names, and just with their name they'll be identifiable.

Tetyana Karpenko-Duebbers: Thank you very much for your time and for the interview!
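The newsletter pseudonymization discussed in the interview, as an added example that is not part of the original interview or of any product mentioned in it: the newsletter tool receives only keyed pseudonyms (HMAC-SHA-256 of the e-mail address) plus non-identifying fields, while the controller who holds the key can still link a pseudonym back to a subscriber, which is why pseudonymized data remains personal data under GDPR. The sample sign-ups and the key are constructed for the example; the contrast with an unkeyed hash shows why a plain SHA-256 of an address is not a good pseudonym.

```python
"""Pseudonymising newsletter sign-ups with a keyed hash (added example)."""
import hashlib
import hmac
import secrets

# Constructed sample sign-ups (not real subscribers).
SIGNUPS = [
    {"email": "anna.muller@example.com", "lang": "de"},
    {"email": "john.smith@example.org", "lang": "en"},
]


def pseudonym(email: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: the same e-mail always maps to the
    same token, but the token cannot be reversed without the key."""
    canonical = email.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def pseudonymise(signups, key: bytes):
    """What the newsletter tool receives: a pseudonym plus the
    non-identifying fields only; the e-mail address never leaves the controller."""
    return [{"id": pseudonym(s["email"], key), "lang": s["lang"]} for s in signups]


def reidentify(token: str, candidates, key: bytes):
    """Only the key holder can link a token back to a subscriber (for example
    to honour an access or erasure request). Because this link exists,
    the pseudonymised records are still personal data."""
    for email in candidates:
        if hmac.compare_digest(pseudonym(email, key), token):
            return email
    return None


def unkeyed_hash_is_guessable(email: str, guesses) -> bool:
    """Why a plain SHA-256 of the e-mail is a weak pseudonym: anyone with a
    list of plausible addresses can recompute the hash and match it."""
    target = hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()
    return any(
        hashlib.sha256(g.strip().lower().encode("utf-8")).hexdigest() == target
        for g in guesses
    )


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept by the controller, not the newsletter tool
    for record in pseudonymise(SIGNUPS, key):
        print(record)
```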
Here is a brief summary of what a business should do under the new General Data Protection Regulation (GDPR):
- create a personal data inventory
- ensure maximum privacy for its clients and employees
- be able to provide, on request, all the data collected about a person
- be able to delete personal data at the request of the person concerned (if people would like to exercise their right to be forgotten)
- have in place a data breach prevention and incident response plan
- report if data is stolen or there is any other breach; incidents must be reported without undue delay and, where feasible, within 72 hours
- make sure that all personal data is collected with the consent of the persons concerned (and pay extra attention regarding minors)
- make sure that clients and employees give their consent for processing of their personal data
- consider whether you need to appoint a data protection officer