At around 90 pages long, the EU’s recently-begun privacy regulation isn’t very complicated, but it has still sparked confusion among many US-based businesses.
This regulation, commonly known as the GDPR, redefines concepts like consent, personal data, data processing, and security breaches, and those definitions often conflict with how the same terms and principles have traditionally been understood in the US.
To gain some clarity, we consulted experts in the field: Joseph Lazzarotti, Jason Gavejian, and Mary Costigan of the employment law firm Jackson Lewis, along with EVERFI’s own Preston Clark.
Under the GDPR, consent must be specific, informed, and unambiguous.
User consent practices in the US are comparatively lax. Website privacy statements, for instance, rely on implied consent: visitors are presumed to agree to the statement, even though half of polled Americans don’t know such statements exist, let alone read them in full.
The GDPR takes a different view, according to Joseph Lazzarotti, Principal at the employment law firm Jackson Lewis.
“In GDPR, consent is something that’s really a function of wanting the individual to have control over their data,” he said. “As well as having a real choice as to whether they can grant that consent or not.”
Granting users greater control, though, carries with it greater responsibilities for international businesses. Under GDPR, consent must be:
- Specific: Consent is required to approve each type of data to be collected, and for each intended purpose the company hopes to use the data for.
- Informed: Users need to be told how the data will be used, and that they have the right to revoke their consent (and they can’t be discouraged from doing so). Additionally, separate consent is required if the data is to be transferred outside the EU.
- Unambiguous: Users’ consent cannot be implied (as it is with most privacy statements); instead, users need to take an affirmative action to give consent, such as ticking an opt-in checkbox. The request for consent also needs its own dedicated space: it can’t be buried in a long agreement page.
However, remember that being granted permission to use data doesn’t mean it’s yours to use as you see fit. You’ll still need to observe the GDPR’s guidelines for fairness, proportionality, and intended use.
Security breaches are defined by their relationship to user data.
Most people imagine a security breach as the online equivalent of a bank heist, with sacks of money replaced by data and the vault replaced by white text on a black monitor.
The GDPR plays by different rules, though. The legislation essentially defines a personal data breach as a security breach that leads to a breach of personal data, and it further delineates breaches into three categories:
- Confidentiality: A breach that leads to the unauthorized disclosure of, or access to, personal data.
- Integrity: Alteration of, or partial or complete loss of, personal data. This often results from accidents or system crashes.
- Availability: A loss of access to, or control of, personal data.
Regardless of the kind of breach, you’re required to notify the user if there’s “high risk” to the rights and freedoms of that individual.
What does that mean?
Discrimination, identity theft, financial loss, and damage to reputation, otherwise referred to as physical, material or non-material damage. You’re required to notify affected users “without undue delay” (no specific timeline is established) and to advise your supervisory authority within 72 hours. We recommend defining a breach-response process in advance so that a rapid response is feasible, because failing to comply with the GDPR’s requirements may result in a fine of roughly $2.2 million, or four percent of “annual global turnover” from the previous year.
Data counts as personal data even if it identifies a user’s private life only indirectly.
The term was previously vague, and the GDPR has given it a (slightly) narrower definition:
Any information relating to an identified, or identifiable, natural person.
Still confused? OK, it’s still pretty vague.
To break it down further, it’s any information that, directly or indirectly, identifies a user’s personal or private life. Here are some examples:
- ID numbers
- Location data
- Online identifier
- Any data revealing physical, social, psychological, genetic, economic, mental, and cultural characteristics
Also note that the GDPR sets aside a category for especially sensitive data, aptly called “special categories of data.”
You can think of special categories data as especially personal data: race and ethnic origin, biometric information, political affiliation, details of sexuality, trade union membership, and health information.
If you’re based in the US, you probably collect a lot of what the GDPR would consider personal data.
“Processing” data means doing just about anything with it.
As explained above, users need to consent to the processing of their personal data, and the use for which it’s processed.
And while you may not have thought to ask how the GDPR defines the processing of data, it turns out that definition is also considerably wider than you might expect.
In the GDPR, “processing” is defined as any operation or set of operations performed on personal data. This covers collection, organization, storage, structuring, alteration, retrieval, consultation, use, restriction, dissemination (“or otherwise making available”), and erasure.
What’s more, this includes both digital and paper data.
Additionally, processing is lawful only if it rests on a specified basis, such as: the data subject has consented; processing is necessary for the performance of a contract; processing is necessary to protect the “vital interests” of a user; or processing is necessary for the legitimate interests of the controller, such as preventing fraud, delivering products, or complying with legal or tax obligations.
Above all, the GDPR is about giving people the ability to choose.
The GDPR’s main aim is to give EU residents greater control over how their data is collected and processed. Once these foundational differences between US and EU policy are understood, you’re well on your way to comprehending the throughline that weaves between its many complexities.