Fines of up to €20 million (or 4% of worldwide annual turnover, whichever is higher) can be imposed on businesses that fail to comply with the new General Data Protection Regulation, or GDPR. Almost every company will have to comply with this EU legislation, which applies from 25 May 2018, even if it has only offline activities.
To learn more about the different aspects and consequences of the General Data Protection Regulation, Tetyana Karpenko-Duebbers, CEO of “The Loupe”, interviewed Monique Bachner, legal adviser and one of Luxembourg’s leading governance and company law experts.
Tetyana Karpenko-Duebbers: Good morning, Monique. Actually, the new regulation makes life for businesses much more complicated, doesn't it?
Monique Bachner: Internally for the companies – yes, but many will have fewer external notifications and forms to fill in, and they do not need to pre-submit to their data protection commissions. But internally – yes, there will be many more obligations.
Should my small bakery around the corner comply with GDPR?
Tetyana Karpenko-Duebbers: Even our small bakery around the corner, which collects data from time to time (they write down people's names and email addresses to preorder Easter cakes), will also fall within the scope of the regulation...
Monique Bachner: Yes, but they actually would already have fallen within the scope of the first EU data protection Directive from the late 90s, which was implemented in Luxembourg in 2002. The change is that small companies were often not fully aware of the scope of data protection regulations before.
Tetyana Karpenko-Duebbers: Now they seem to know.
Monique Bachner: As I said, before they were also responsible. Most would have needed to register with the Data Protection office and define what types of data processing they were doing. And many of these small businesses didn't do that. For them it should be easier in some ways in future, because it moves away from that sort of formalism to focusing more on the overall practices. The new approach is more risk-based.
Who is responsible for my newsletter, and what do I do with my website?
Tetyana Karpenko-Duebbers: For businesses that do not even have any online activities, like our bakery, for example, it can be a hard task. But let us take another example, a business that has an online presence. If I have an external provider for sending newsletters via email, is it me now who is responsible for the data protection? Even though it is the newsletter-sending company who actually collects and processes the data, not me?
Monique Bachner: Yes. But again, that was mostly the same before. It's not a fundamental change.
Tetyana Karpenko-Duebbers: Aha, okay, that's interesting.
Monique Bachner: For example, certain common online services such as Dropbox have in their Terms and Conditions that they can use the data that you put there. So, in theory they could access it, and use it, and read it. They are unlikely to be bothered to do that, but anyone with confidentiality obligations or sensitive information must be careful where they store their data – to make sure the data you collect and the way you use it, including your choice of service providers, is compliant with the legislation.
Tetyana Karpenko-Duebbers: Now it's clearer to me: this existed before, but people were often not as aware.
Monique Bachner: Whilst larger companies were aware of their data protection obligations, and paid attention especially to data exports, smaller companies often just didn't understand the full implications of the rules. On a website, they would often have a little section about data privacy, but they wouldn't always have the whole governance mechanism behind it: following up on the full extent of what it meant, how to monitor that over time, how to ensure the right to be forgotten can be respected, and so on. The right to be forgotten, for example, already exists in the EU; however, the new GDPR rules will further strengthen the rights of data subjects.
Tetyana Karpenko-Duebbers: In the GDPR, there is an article about companies under 250 employees. If fewer than 250 people are employed, they don't have the same level of obligations – unless, for example, they collect data regularly. But this "collect data regularly" is a very ambiguous term. I suppose, if you have a “contact” or "subscribe to our newsletter" form on your website, this could already count as regular collection of data. Am I right?
Monique Bachner: Maybe, depending on how many people sign up, but you should also assess whether it would be considered a core activity. If you have a website, cookies are an obvious point, because cookies collect a lot of information and do so on a large scale and systematically. Companies should also re-think what data they actually need – if they collect sensitive data, they should reflect on whether they really need it. They should not collect data just because they can, but only what they need.
Tetyana Karpenko-Duebbers: So in this case you probably need to ask visitors for consent to use cookies and provide an explanatory statement about how the data will be used for any sign-up or contact form.
Will my competitors from outside the EU have an advantage over me?
Tetyana Karpenko-Duebbers: That's also an interesting topic. All these pop-up windows warning about cookies can have a negative impact on the conversion rate of a website. Usually more people will leave a website like this. So, if I am making money with my website, I may have fewer clients. But at the same time, there are companies which are not located in the EU, and they are my competitors. They won't need to put all these things on their sites, so they will have an advantage over me.
Monique Bachner: The question remains: whom are these companies targeting? Facebook is incorporated in California, but that doesn't mean it doesn't have to apply all of this to its EU customers. But there are grey areas – if you just have a website on the web, and EU people happen to look at it, it is hard to prove whether or not you are “targeting” them. As soon as you have EU people signing up, or your website is in European languages, you should presume you need to comply.
Tetyana Karpenko-Duebbers: It does not seem easy for EU bodies to follow all companies whose websites are accessible from the EU.
Monique Bachner: Things they may look at include the percentage of traffic, and whether they are trying to advertise to a certain audience. Do they do specific search optimisation, or is it just really incidental? For example, using a .eu domain name vs. the domain extension of their home country... But if they have EU customers or users, which would include Facebook, for example, then clearly they would be subject to the EU legislation regardless of whether or not they had any business or offices in the EU.
Am I responsible for data copied from open sources?
Tetyana Karpenko-Duebbers: Hmm… And how should we deal with data from open sources? For example, for my accounting, I use addresses of my clients copied from the online telephone book. These data are open to everybody. My clients put their information there themselves. So, I just go and copy-paste. Is that treated as collecting personal data as well?
Monique Bachner: It is. There may be an implied consent, as they are providing this personal data, but you are still processing it. Consent requirements are higher under the new rules, so you should consider adding a note on the page where they input information, where you explain the data collection clearly and have them tick a consent opt-in box.
Tetyana Karpenko-Duebbers: Right, this is an important point.
Monique Bachner: It will depend on what you're using it for. It is similar if you get a business card at a conference. There is usually an implied consent that you can process the data to put it in your address book. But the context might dictate whether or not it is also reasonable to put it into your customer relationship management system and add comments and notes. Companies should review how they currently ask for – and document – consent.
How can pseudonymization of data help?
Tetyana Karpenko-Duebbers: And when we are speaking about pseudonymization of data, could it be of help for companies? For example, if someone signed up for my newsletter, but I don't see the data, I see only pseudonyms. This is often used in science and scientific works, because you are not allowed to use any personal data. The data are automatically pseudonymized or anonymized.
Monique Bachner: That definitely helps. Because we speak of data that is sufficient to identify a person. If there's no readily identifiable person that you could point to as a result of the data, that would help a lot. This is where some blockchain identity-related initiatives might help. They want to split people's identity so that you're never really producing all of your identity at once, and you can produce limited amounts of identity data, restricted to that which is relevant for the use that's required. So I think this is a really interesting area for GDPR compliance as well. It's the whole digital identity development.
Tetyana Karpenko-Duebbers: This is also a very interesting point: which data makes a person identifiable. In the GDPR, as far as I understand, even names and surnames are treated as data which make persons identifiable.
Monique Bachner: Yes – if you have someone's name, you can usually identify them.
Tetyana Karpenko-Duebbers: Just by the name? I thought it was always a set of data. Because just by the name it's not possible to identify anybody. There are a lot of people with the same name.
Monique Bachner: Well, that might depend on how unusual the name is. With John Smith, you'd probably have more difficulty identifying them without any additional data points. But there are other people who've got very unusual names, and just with their name they'll be identifiable.
Tetyana Karpenko-Duebbers: Thank you very much for your time and for the interview!
A brief summary of what a business should do under the new General Data Protection Regulation (GDPR):
- create a personal data inventory (what personal data it holds, where it came from, why it is processed, and who it is shared with)
- protect the privacy of its clients and employees (data protection by design and by default)
- be able to provide, on request, all the data it holds about a person (right of access)
- be able to delete personal data on the request of the person concerned (if people would like to exercise their right to be forgotten)
- have a data breach prevention and incident response plan
- report personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them
- make sure that all personal data is collected on a valid lawful basis, in most cases the explicit consent of the persons concerned (and pay extra attention regarding minors)
- make sure that clients and employees have given their consent to the processing of their personal data, and document that consent
- consider whether it needs to appoint a data protection officer