General Data Protection Regulation: new laws from 2018

On 25 May 2018, the new EU General Data Protection Regulation (GDPR) came into force. For approximately five years, EU bodies had been working on this pan-European data protection reform. Until 25 May, the 1995 Data Protection Directive (Directive 95/46/EC) was still in force, but the technological changes of recent decades made it necessary to revise data protection legislation; after all, the Internet was still in its infancy in 1995. These days, EU-wide data protection has to deal with big data, industry 4.0, robotics, and artificial intelligence, so there was an urgent need for a new regulation. May 2018 saw the launch of these measures.

Above all, the GDPR serves one purpose: the uniform regulation of data throughout Europe. This raises two questions for companies: What are the new regulations? And what do companies and website operators have to consider? When the regulation came into force on 25 May, a number of changes had to be made to online trade and to employee data protection in companies. Therefore, if you have not yet managed to adapt to the European General Data Protection Regulation, it is high time you did so. Below we provide a summary of the new legal situation and a GDPR checklist outlining which measures you should have taken already.

Not a directive, but regulation

When it comes to European bureaucracy, laws can take a long time – even after they have officially come into play. After long debates in parliament in Brussels, the 28 member states will often be granted generous transitional periods to incorporate the new EU laws into their national legislation. A lot of time can pass before the pressure of implementation reaches the level of individual companies.

But in addition to directives, there is a second type of EU law: regulations. They offer almost no wiggle room when it comes to content and time period. They are immediately and uniformly legally binding for all member states – this includes the business practice of every SME. This is also the case with the GDPR: this is not a directive, but a regulation.

In May 2016, the EU's General Data Protection Regulation came into force with a transitional period of two years, and on 25 May 2018 it became fully applicable. From this date onwards, it has been the official data protection act in all EU states, and one which takes precedence over national legislation. This means no more transition periods. When the regulation came into effect on 25 May 2018, all companies and public authorities working with personal data were required, without delay, to implement the EU's new provisions on data protection.

The urgency surrounding the GDPR was apparently not known to all companies: a representative survey of more than 500 companies conducted by the digital association Bitkom showed that one in three companies had not yet dealt with the General Data Protection Regulation. Only a small minority of 19 percent assumed that the measures could be implemented on time. Many companies across the continent are now facing possible fines amounting to millions of euros.

Ignorance, however, is not the only reason for some companies being insufficiently prepared. Two of the biggest hurdles are legal uncertainty and not knowing how much effort it will take to implement the GDPR. Many businesses find the need to obtain explicit consent before exchanging personal data unnecessarily complicated, and the need to be able to prove this consent makes it even more so. Even just keeping hold of a business card could have legal complications when the GDPR is read in the strictest light.

Quote

“People burying their head in the sand will soon be violating the law and risk fines at the expense of their company.”

- Susanne Dehmel, Member of the Executive Board for Law and Security at Bitkom (Source: www.bitkom.org/EN/List-and-detailpages/Press/pressinfo-detailpage-EN_17936.html)

Now many companies are facing the potential for heavy fines. Fines of up to 20 million euros (or 4% of worldwide turnover in the last financial year) may be imposed as a punitive measure. And don’t be fooled by the fact that this is ‘just’ an EU law. It will most likely affect your U.S. based business too: if you collect personal data or information from anyone residing or browsing in an EU country, your company will need to comply with the new regulations of the GDPR.

Amendments: opening clauses

Tip

The European General Data Protection Regulation can be found online here on the Europa.eu website.

Aims: European uniformity when it comes to data protection

The primary objective of the GDPR is the harmonization of European data protection. Whereas the 1995 Data Protection Directive was implemented differently in each EU country, the new regulation offers less scope for action on an individual national level.

A second primary aspect addressed by the GDPR relates to the major technological changes which have occurred over the past 25 years, as well as, of course, the technical developments still to come. We cannot forget that many of the challenges of data protection still lie ahead of us. For example, the collection of biometric data from employees is mandatory for certain work with intelligent machines. If a company handles such data with care, this is not in itself a problem. However, once this information is in the hands of the employer, there is also the temptation to use it for other purposes, such as performance monitoring. The new EU GDPR also responds to developments of this kind.

Content: developing proven principles

Any summary of the General Data Protection Regulation must first address the changes related to personal data. This is where the most significant changes are taking place as a result of the EU GDPR.

For example, the accountability of companies has been extended. There are now more comprehensive obligations pertaining to documentation of data and proving what data a company actually collects. These obligations also cover the purpose for which it uses the data and how it is processed. Above all, the GDPR means more work when it comes to documentation. Companies who already value data protection and have kept a register of data processing procedures have it much easier with the implementation of the regulation.

But all in all, the GDPR does not feature any fundamental reorientation of data protection. Instead, the existing data protection principles remain valid and are carried forward by the EU General Data Protection Regulation. They form the basis for the new rules, and are formulated more clearly and expanded. The most important principles are as follows:

  1. Prohibition unless authorized: This means that any processing of personal data is prohibited unless specifically permitted. This was already the case before and is not entirely uncontroversial. At the end of the day, not all data is of equal importance. However, according to the GDPR, the prohibition principle applies indiscriminately to all personal data.
  2. Purpose limitation: Companies may only collect and process data for specific purposes. To this end, the purposes must be clearly outlined at the time of collection and the future use of the data must be documented. For example, data that a company has collected for the fulfillment of a contract and rightly stores may not then be used for advertising purposes. This is another, completely separate, purpose which requires its own justification. Subsequent changes of purpose are only permissible under certain circumstances.
  3. Data minimization: The principle of data minimization requires companies to collect as little data as possible. The general rule is: as little as possible, as much as is necessary. You are not permitted to collect more than is necessary for the purpose of the collection in question. Thus, this principle prohibits any "blind" data collection for unspecified future purposes.
  4. Transparency: Data processing should always be comprehensible to those affected. On the one hand this requires understandable data protection declarations, and on the other hand users enjoy extensive rights with the innovations of the GDPR. As in the past, companies are required to provide information on what data they have and how they use it.
  5. Confidentiality: Companies need to ensure that they technically and organizationally protect the personal data of their customers – be it against unauthorized processing, alteration, theft, and/or destruction of data. This explicitly stated obligation to take technical protective measures is new. Nevertheless, these measures are not exactly and precisely outlined in the General Data Protection Regulation and therefore are open for interpretation. In the case of a data theft, it will depend on whether the technical and organizational protective measures were appropriate to the risk as well as the type of data being stored.

Who’s affected? Businesses and data protection officers

All in all it must be said that the GDPR is good news for every consumer and all those affected by data processing. This is due to the fact that they are protected by the GDPR. In addition, GDPR regulations also affect the rights of employees.

These rules are relevant for all companies with employees. This then means that numerous companies will be doubly affected, as it concerns the privacy of employees (employment data protection), as well as those of customers, suppliers, and website visitors.

Of course, the GDPR is of particular relevance for those employed as data protection officers. The new regulations will considerably increase the number of these throughout the continent. In the future, all public authorities and all companies, whose core activity relates to the handling of personal data, will have to appoint a company-wide data protection officer. Even if a business' core activity is not related to data processing, if it is the case that at least ten people are constantly engaged in the automated processing of personal data on the premises, then a data protection officer must be appointed. This will most likely be the case for many medium-sized companies. Companies affected by this scheme must have taken the appropriate measures already.

Even for data protection officers who are already employed by a company, the GDPR represents a major change. This is because their role in the company is fundamentally changing. If it is the case that the data protection officer has been working towards data protection conformity, in the future he or she will be responsible for monitoring the implemented measures. This increases their range of responsibility and subsequently increases their potential for liability.

Overall, the new regulations mean quite an increase in work for data protection officers. They have to familiarize themselves in detail with the new legal situation. However, the new laws also have positive aspects for them. Without a doubt their expertise will be in great demand and, as well as this, their position in the company will be enhanced due to the increasing number of tasks. Article 39 of the GDPR actually makes reference to the tasks of a data protection officer. Some of these include informing and advising in relation to the GDPR as well as other data laws, monitoring GDPR compliance, advising on the impact of the regulations, and also being available for any enquiries. 

The following is a summary of the General Data Protection Regulations, focusing particularly on the innovations for website operators and companies.

Note

Are you a 1&1 IONOS customer? Here is a checklist specifically put together for 1&1 IONOS customers, listing all the information website owners need to look out for to ensure that their website complies with the new GDPR. 

Effects on companies

Even if there is no fundamental upheaval of data protection, the EU GDPR still brings many changes into focus. It is imperative that companies take these alterations into account and, as early as the conceptual design phase, integrate them into their workflows that involve personal data (the Privacy by Design principle). Otherwise they will end up in violation of European law. Below you will find some of the most important new regulations that companies, especially those in the area of online commerce, need to comply with.

General data security for businesses

  • Privacy Impact Assessment (PIA): Companies are obliged to carry out risk assessments. They are also required to specify what safeguards are in place for minimizing risks. This rule becomes particularly relevant when a company is working with cloud computing, which often involves handling large amounts of personal data. Companies that store particularly sensitive personal data are likely to be hit even harder, as dissemination of such data can be extremely damaging for those involved.
  • Employee data: The way in which a company processes its employees' data is always subject to scrutiny. The GDPR rules relevant to this aspect therefore also concern human resources, which must be included in the changes.
  • Data protection officers: For many companies a data protection officer has now become mandatory. These individuals monitor the individually developed data protection strategy and GDPR conformity. This does not only apply to companies who work with personal data on a large scale: every company that has more than 10 people regularly dealing with personal data must appoint a data protection officer in the future.
  • Reporting requirements: The new EU GDPR rules on how to deal with data breaches are considerably stricter than any previous regulations. Security incidents need to be reported within 72 hours of becoming aware of them. If in doubt, you should always report these to the affected persons as well as the relevant authorities.
  • Responsibility and fines: In future, it will be much easier for companies to be held responsible for violations relating to data they have collected. Punishments for this can include heavy fines.

Security of personal data

  • Mandatory documentation: A major focus of the GDPR is on the accountability of companies. Unlike in the past, companies are now obliged to document their data protection compliance by means of in-house documentation. At all times they need to be able to inform the authorities about all of the following: which data is stored, for which purpose it is stored, how the data is processed, and when it is deleted by the company. If required, the company should be able to provide a list of all this relevant information.
  • Privacy by Design: The Privacy by Design principle means that companies have to take data protection into account as early as the technical structuring of their business processes. Data protection measures may not be bolted on retrospectively (i.e. treated as being of secondary importance); instead they must be integrated into the work process during the development phase. Both products and processes should therefore be designed in such a way that they require as little personal data as possible.
  • Privacy by Default: This particular provision of the GDPR stipulates that, in principle, the most privacy-friendly settings must be in place from the outset. This saves consumers from having to struggle through complex technical settings when trying to impose restrictions on data processing.
  • Permission (agreement, works agreement): In the future it will still be the case that individuals have to explicitly agree to the use of their personal data. In addition, the consent of the employee or consumer is only valid for the stated purpose. Additionally, the declaration of consent must be formulated in a way that is comprehensible and should also be easily revocable. Revoking the agreement needs to be as easy for the customer as giving the original consent. Under the EU GDPR, the requirements for effective consent have increased. A gross imbalance between the parties involved can call into question both the voluntary nature of the consent and, with it, the valid conclusion of the contract.
  • Deleting data: Personal data may only be stored for as long as it is necessary for its intended purpose. If the authorization expires (e.g., if the consent is revoked or the contract is fulfilled), then the data must be deleted.
  • Right of access and cancellation: EU citizens have the right, on request, to know which of their data is held by a company and how it is being used. In addition, consumers can also request companies to delete their data. Thus the so-called ‘Right to be forgotten’ is part of the law.
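The principles listed earlier (prohibition unless authorized, purpose limitation, data minimization, transparency) and the obligations in this section (documentation of processing, deletion once the legal basis ends, the right of access and erasure) are easiest to see when written out as code. The following Python is an added example and not code from the original article or from 1&1 IONOS: a toy in-memory register in which every item of personal data is tied to a declared purpose with a legal basis, an allowed-field list and a retention period. The purpose names, field names, the 30-day retention period, the subject ID and the dates are all constructed assumptions for illustration, not values prescribed by the GDPR.

```python
# Added example, not from the article: a toy personal-data register that enforces
# purpose limitation, minimisation, retention and access in code.  All purpose and
# field names, dates, retention periods and subject IDs are constructed.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

CONSENT, CONTRACT = "consent", "contract"  # the two legal bases modelled here

class ProcessingNotPermitted(Exception):
    """No declared purpose, or data beyond what the declared purpose needs."""

@dataclass
class Purpose:
    name: str
    basis: str                 # CONSENT or CONTRACT
    allowed_fields: frozenset  # data minimisation: nothing beyond this set
    retention: timedelta       # grace period after the legal basis ends

@dataclass
class Record:
    subject_id: str
    purpose: str
    data: dict
    collected_at: datetime
    basis_ended_at: datetime | None = None  # consent revoked / contract fulfilled

class PersonalDataStore:
    def __init__(self) -> None:
        self.purposes: dict[str, Purpose] = {}  # the register of processing operations
        self.records: list[Record] = []

    def declare_purpose(self, purpose: Purpose) -> None:
        self.purposes[purpose.name] = purpose  # documented before anything is collected

    def collect(self, subject_id: str, purpose_name: str, data: dict, now: datetime) -> Record:
        purpose = self.purposes.get(purpose_name)
        if purpose is None:  # prohibition principle: no declared purpose, no processing
            raise ProcessingNotPermitted(f"no declared purpose {purpose_name!r}")
        extra = set(data) - purpose.allowed_fields
        if extra:  # data minimisation: refuse fields the purpose does not need
            raise ProcessingNotPermitted(f"{purpose_name!r} does not need {sorted(extra)}")
        record = Record(subject_id, purpose_name, dict(data), now)
        self.records.append(record)
        return record

    def read(self, subject_id: str, purpose_name: str) -> list[dict]:
        """Purpose limitation: readable only for the purpose it was collected for."""
        if purpose_name not in self.purposes:
            raise ProcessingNotPermitted(f"no declared purpose {purpose_name!r}")
        return [r.data for r in self.records if r.subject_id == subject_id
                and r.purpose == purpose_name and r.basis_ended_at is None]

    def end_basis(self, subject_id: str, purpose_name: str, now: datetime) -> None:
        """Consent revoked or contract fulfilled: use stops now, deletion clock starts."""
        for r in self.records:
            if r.subject_id == subject_id and r.purpose == purpose_name and r.basis_ended_at is None:
                r.basis_ended_at = now

    def purge(self, now: datetime) -> int:
        """Deletion duty: drop records whose basis ended and whose retention lapsed."""
        keep = [r for r in self.records if r.basis_ended_at is None
                or now < r.basis_ended_at + self.purposes[r.purpose].retention]
        deleted = len(self.records) - len(keep)
        self.records = keep
        return deleted

    def access_request(self, subject_id: str) -> list[dict]:
        """Right of access: what is held, for which purpose, on which basis, since when."""
        return [{"purpose": r.purpose, "basis": self.purposes[r.purpose].basis,
                 "fields": sorted(r.data), "collected_at": r.collected_at.isoformat()}
                for r in self.records if r.subject_id == subject_id]

def run_demo() -> dict:
    """One data subject: collection, a refused extra field, a refused change of
    purpose, consent withdrawal, contract fulfilment and retention-based purging."""
    store = PersonalDataStore()
    store.declare_purpose(Purpose("order_fulfilment", CONTRACT, frozenset({"name", "address"}), timedelta(days=30)))
    store.declare_purpose(Purpose("newsletter", CONSENT, frozenset({"email"}), timedelta(0)))
    day = lambda n: datetime(2018, 5, 25) + timedelta(days=n)  # constructed timeline
    out = {}
    store.collect("s1", "order_fulfilment", {"name": "A. Example", "address": "1 Sample St"}, day(0))
    store.collect("s1", "newsletter", {"email": "a@example.org"}, day(0))
    try:
        store.collect("s1", "newsletter", {"email": "a@example.org", "birthday": "1990-01-01"}, day(0))
    except ProcessingNotPermitted as exc:
        out["minimisation"] = str(exc)
    try:
        store.read("s1", "advertising")  # contract data is not advertising data
    except ProcessingNotPermitted as exc:
        out["purpose_change"] = str(exc)
    out["held_before"] = len(store.access_request("s1"))
    store.end_basis("s1", "newsletter", day(1))        # consent withdrawn
    out["purged_day1"] = store.purge(day(1))           # zero retention: gone at once
    store.end_basis("s1", "order_fulfilment", day(2))  # contract fulfilled
    out["purged_day10"] = store.purge(day(10))         # still within retention
    out["purged_day32"] = store.purge(day(32))         # retention lapsed
    out["held_after"] = len(store.access_request("s1"))
    return out
```

In this model a deletion request by the data subject is the same operation as withdrawing consent: `end_basis()` makes the data unreadable immediately and `purge()`, run on a schedule, removes it once the (here zero) retention period has passed; contract data is deliberately kept until the contract is fulfilled because it is still needed for that purpose. A production system would additionally have to propagate the purge to backups and to external processors, which the checklist below mentions but this toy does not cover.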

Effects on website operators

The GDPR contains hardly any rules which are specific to the area of online trading. Instead, it formulates general principles of data protection, the sub-areas of which are regulated by other laws and regulations. Nevertheless, the abstract standards of the General Data Protection Regulation also feature some innovations relating to online trading. More information on this can be found in the following two sections.

Things stay the same – for the moment at least!

First and foremost, one very important thing to remember is that, in addition to the aforementioned regulations for companies, the GDPR initially means relatively few changes when it comes to online trading. The core themes for website operators (cookies, user tracking, spam, and direct marketing) are not expected to be subject to change until 2019 at the earliest.

At the moment, website operators are subject to the general principles of the Data Protection Directive 95/46/EC as well as their national media acts. The latter regulate the special legal situation for media, especially online content. Since May 2018, the GDPR takes precedence over national legislation. What this means in practice could prove controversial among lawyers. In any case, the general regulations also apply to websites, big data, and social media. Any future use of cookies, tracking tools, and targeting measures will also have to comply with the GDPR.

However, in many ways the GDPR is just a transitional solution. Originally, another new regulation on data protection, the EU's E-Privacy Regulation, was set to come into force together with the General Data Protection Regulation. However, on 23 October 2017 the EU parliament decided that this timetable could hardly be kept. Further information on this can be found on the official EU website. It is therefore too early at the moment to give any serious thought to the e-privacy regulation; it is unlikely to take effect before 2019. Nevertheless, website operators and online retailers should definitely keep an eye on it. In contrast to the GDPR, which regulates the principles of data protection law, the e-privacy regulation will relate to a very specific area: the protection of privacy in everyday digital life. This is where website operators are expecting further regulations.

Changes are a-coming

But what actually changed in May 2018? Here are the most important changes in the EU's GDPR for website operators:

  1. Obligation to keep the comprehensive documentation required by the GDPR
  2. More demanding consent requirements
  3. The principles of Privacy by Design and Privacy by Default
  4. Extensive information rights and the right to be deleted
  5. The right to data portability
  6. More substantial information requirements (e.g. a website’s data protection declaration)
  7. No linking of consents

A number of points have already been explained in previous sections. The two themes of a data protection declaration and coupling of consent forms are described below. These mainly concern website operators.

Fact

A strict distinction should be made between data protection consent and the data protection declaration. The user's consent, required for any data processing that is not permitted by a legal norm, is the active confirmation by a user that he or she agrees with the company's data protection conditions. The data protection declaration (privacy policy) is the text in which a company presents its data protection measures to its customers. It is obligatory on every website.

For website operators, the most important new feature of the GDPR is the privacy policy. Art. 13 Par. 2 of the GDPR contains a detailed catalogue of information which must be contained within a data protection declaration. The overall form of the data protection declaration is also more clearly regulated in the GDPR. It must be written in comprehensible language and understandable when it comes to the content. The General Data Protection Regulation attaches great importance to transparency.

Quote

“The controller shall take appropriate measures to provide any information […] relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language” (Excerpts highlighted by author)

- Art. 12 Par. 1 of the GDPR ‘Transparent information, communication and modalities for the exercise of the rights of the data subject’ (Source: www.privacy-regulation.eu/en/article-12-transparent-information-communication-and-modalities-for-the-exercise-of-the-rights-of-the-data-subject-GDPR.htm)

On the other hand, experts see the prohibition on linking consent forms as the greatest restriction imposed on the online industry by the GDPR. It means that a website operator may not make a service conditional on potential customers releasing data that is not necessary for that service. For example, if you are required to sign up for an online newsletter in order to conclude a contract, this is now a violation of EU law. The most important thing is that nothing is forced and such measures are always voluntary. Up until now, many linked consents are unlikely to have been voluntary. Therefore any consent obtained in this way is invalid.

Quote

“When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

- Art. 7 Par. 4 of the GDPR in relation to ‘Conditions for consent‘ (Source: www.privacy-regulation.eu/en/article-7-conditions-for-consent-GDPR.htm)

Finally, it is imperative that you observe the changes to documentation requirements, consent bases, storage, information rights, and the right to deletion. It should also be remembered that other new regulations may also affect website operators and companies.

GDPR checklist for businesses and website operators

Even if you met the deadline for the new European General Data Protection Regulation, you should be aware that the measures required vary from company to company, so it is worth checking what you have done and updating as necessary. There are a number of precautions that every company should take into account. These precautions have been summarized here in a GDPR checklist for you.

✔ Establish documentation processes for handling personal data.
✔ Set up a list of processing operations.
✔ Establish communication methods for any customer inquiries on data protection.
✔ Check whether you need to appoint a data protection officer.
✔ Adapt your website's privacy policy to the new regulations.
✔ Consult with the head of your technical department and the data protection officer to determine whether the current technical measures for data protection are sufficient. Under certain circumstances, further measures may have to be undertaken or existing measures may need to be better integrated into the IT infrastructure.
✔ Any personal data whose collection violates the prohibition on coupling consent must now be collected differently, so that it is genuinely provided voluntarily.
✔ If you have commissioned external service providers to be in charge of handling your company's personal data, you should clarify with them whether the agreements made correspond to the data protection reform. If necessary you can adjust the agreements to the new specifications. Check how you obtain the consent of your customers in your online shop and adapt the procedure to the GDPR.
✔ Stay up to date when it comes to e-privacy regulation. This will legislate how online retailers deal with analysis and tracking tools in the future.
✔ If you are at all unsure about anything, make use of relevant professional advice.

Reactions to the GDPR: praise and criticism

As is to be expected with such an extensive and wide-ranging change to an already huge and complex issue, the reaction to the new GDPR has been quite mixed. Some have welcomed its introduction, praising its comprehensiveness and transparency. Others have criticized it, noting the very high fines and strictness of some of the legislation. Below we have highlighted a few quotes from experts in the industry who had something to say about the European General Data Protection Regulation.

Quote

“The change in EU data laws is a significant breakthrough in how online organizations will engage with consumers and end users. The last 2 or 3 years have seen major changes in attitudes to how online data – such as personal information, browsing history, purchase and transaction history – is used, stored and shared.”
- Simon Moffat, Solutions Director, ForgeRock (Source: www.cbronline.com/cloud/public/5-tech-reactions-to-the-eu-data-protection-regulation-4756923/).

“This regulation is set to really shake things up forcing companies to scrutinize how they process and handle data. In particular, the ruling that they must report breaches 'that are likely to harm individuals' has the potential to expose a swathe of breaches that are currently being swept under the carpet – and the corresponding fines are likely to be keeping a few CFOs awake at night!”
- Tony Pepper, CEO, Egress Technologies (Source: www.scmagazineuk.com/breaking-news-eu-agrees-4-fines-for-breaching-data-protection-regulations/article/535600/).

"The latest agreements on EU data protection rules should raise a red flag to all components of the data supply chain. Far beyond the traditional realms of financial penalties, this latest development could threaten businesses’ viability."
- Steve Murphy, SVP, GM EMEA, Informatica (Source: www.itproportal.com/2015/12/16/new-eu-data-protection-rules-industry-reaction/)

“We regret that much of the ambition of the original data protection package was lost, due to one of the biggest lobbying campaigns in European history. However, we congratulate the European Parliament and, in particular, the successful Luxembourg Presidency of the EU last year, for saving the essence of European data protection legislation.”
- European Digital Rights (Source: edri.org/press-release-data-protection-and-passenger-name-record-package-to-be-voted-on-tomorrow/)

Effects of the GDPR on companies and consumers so far

The possible consequences of the GDPR have been the subject of heated debate for years. Since May 25th 2018, some of the positive as well as some of the negative predictions seem to have come true. Here you will find a brief overview of all past developments in connection with the GDPR that affect companies and/or consumers:

SME’s hit worst by failing to implement new regulations

Both the German digital association Bitkom and “forsa Gesellschaft für Sozialforschung und statistische Analysen mbH”, which conducts market, opinion and social research, independently concluded that almost three quarters of German businesses alone were not prepared to implement the GDPR; the picture is unlikely to be much different across the rest of Europe. Small and medium-sized enterprises in particular currently have a lot of catching up to do. This could theoretically be reflected in their economic performance, but precise statistical findings are not yet available at this time. Digital-native companies such as Facebook, on the other hand, have apparently survived the changes unscathed thanks to budgets of millions and concentrated technical expertise, and are now even using the GDPR to promote themselves. Google, for example, is currently declaring that it has spent the equivalent of “500 man-years of work” to implement the new data protection measures.

US companies are cutting their ties

Instead of aligning their own data protection guidelines with the GDPR, many US companies and news sites such as the New York Daily and Chicago Tribune are blocking users with European IP addresses, reducing the information offered, or only activating it for an additional charge. However, according to the error messages that appear on many of these websites when visited, it is currently being examined whether the services can continue to be made available to interested parties in Europe.

Fear of the phantom "wave of warnings"

The General Data Protection Regulation continues to cause confusion in many places. Although the concrete changes in the legal text are only minor, fear of the consequences of disregarding the legal situation has increased. SMEs in particular express their fear of formal warnings, and small bloggers and forum operators have taken their web projects off the net. However, it was found that many of these sites have only temporarily disappeared: their publishers want to check their own data protection efforts against the GDPR before going online again. In any case, the dreaded "wave of warnings" seems, at least for the time being, to be absent. This means that no widespread abuse of the GDPR for targeted warning fraud has yet been recorded.

Consumer inconvenience

For weeks, web users received countless e-mails from online shops and companies presenting their new data protection guidelines and asking for renewed agreement to them. Many recipients might not have been interested in reading the long texts in full. More importantly, it exposed web users to the risk of falling for cybercriminals who took advantage of the chaotic conditions and tried to harvest personal customer data by the dozen. Another unexpected side effect of the new regulation is that thousands of underage users of social media suddenly could no longer log into their Instagram and Twitter accounts. Websites such as gdprhallofshame.com, meanwhile, collected the most absurd changes caused by the "GDPR panic", including a refrigerator which asks its owner via its display for consent to the updated data protection guidelines.

Even more praise and criticism

Arguments for and against the GDPR continue to balance each other out. Some voices speak of unnecessary scaremongering and consider the many website closures overcautious, while others expect that this may just be the beginning of a new age of data protection. The new regulation has many different implications, spanning from the professional level to the personal one. Regardless of personal opinion, however, seeing as the GDPR is now in force, it is essential that you wise up and ensure your website or other online presence conforms to the new regulations.
