Understanding the GDPR requirements

Understanding and adhering to the requirements of the GDPR is critical not only for companies who do business in the European Union, but also for those who want to anticipate similar regulations that could be enacted elsewhere.

Why then did the European Union draft the GDPR? What are its requirements? And how can businesses that offer online products and services comply with it?

Why did the European Union adopt the GDPR?

The GDPR replaces a legislative framework that dates back several decades and was designed to strike a balance between privacy and on-line trade. This balance was undermined, however, by the advent of two new realities that lawmakers did not anticipate. First, the emergence of giant companies whose business model is predicated on the very use and sale of personal data, such as Amazon, Facebook and Google. Second, the proliferation of smartphones and other connected devices, which facilitate the collection of phenomenal amounts of information on individuals, often without their knowledge.

Meant to restore a better balance between the interests of companies and those of individuals, the GDPR is based on principles adopted in 1980 by the Organization for Economic Co-operation and Development: limits to data collection, informed consent, transparency, and privacy protection. Its main purpose is to give individuals explicit control over how their personal data is collected, processed and stored by the companies with which they deal.

This control proves effective because the GDPR clearly sets out the rules and responsibilities for companies – and has the teeth to enforce them. In the event of a data leak or unlawful use of personal data, penalties can reach 20 million euros or 4% of the previous year’s worldwide income. This gets companies’ attention!

The GDPR’s main principle

The GDPR’s guiding principle is to give stakeholders all the necessary information to make smart choices when it comes to the handling of personal data. Companies that develop or operate web or mobile applications are required to provide this information transparently and to abide by individuals’ decisions. In practice, these principles translate to the following obligations:

• Stakeholders must be provided with complete and easy-to-understand information about their rights, the purpose for which their data is collected and how it will be handled;
• Personal data must be collected with the consent of the individual and for a legal and necessary reason;
• The individual must be able to give informed consent, for him or herself or for a child under 16 years of age under their guardianship;
• This consent can be qualified, by denying the company the right to collect geolocation data for example, or by accepting only part of the cookies that the company would like to cache on the subject’s device;
• This consent can be withdrawn at any time;
• The data collected must be limited to what is strictly necessary to perform the operation to which the individual has consented;
• The data cannot be kept longer than strictly necessary to perform the operation to which the individual has consented;
• Stakeholders can access their data at any time, obtain a copy that is easily readable and demand that it be corrected if necessary;
• Individuals have “the right to be forgotten” and can therefore demand that their data be erased;
• Individuals have the right to object to their data being transferred to a third party for targeted advertising purposes and, with some exceptions, for artificial intelligence modeling purposes;
• If an individual believes that their rights have been breached, they can appeal to regulatory authorities or to the courts.

Companies that handle data are responsible for its security from initial collection, whether the processing takes place in-house or by a subcontractor established in the European Union or elsewhere. They must disclose any security breach to the competent authorities and to the persons concerned, usually within 72 hours. Finally, they must keep a log of data processing operations and submit it for inspection by the competent authorities on demand.

Why should Canadian companies care about the GDPR?

The GDPR concerns not only European companies, but also all those that collect, process or store the personal data of European Union residents — this means all companies that have an online presence or whose services are available, directly or indirectly, in the European Union.

For example, if your business has access to information about residents of the European Union collected by one of your clients or suppliers, it will be required to process that data in accordance with the GDPR. This extends to passively collecting information about European visitors to your website, for the purpose of studying customer behavior, for example. This could even include the collection of data provided by Canadian users while in the EU.

Complying with the GDPR

Most experts see GDPR compliance as a matter of ethics built into the core of business operations, rather than as a checklist or an end-of-the-line fix. Privacy protection must be incorporated into all stages of the design, development and launch of online products and services. For example:

• Before releasing a new product, companies must study in detail the type of data necessary for its operation, and the flow of this data within their organization and among their subcontractors, from initial collection to final deletion;
• Product design and development teams, IT security and human resources managers, in-house legal counsel, senior management and marketing teams will need to become familiar with the GDPR principles and implement them in their respective areas;
• Companies will need to determine the risks to the security of the people concerned;
• The principle of "privacy by default" should apply everywhere and at all stages of the product life cycle;
• Companies’ privacy policies should clearly explain the reasons why they wish to collect and process data and give individuals the choice of granting customized permission;
• Applications and websites must continue to function even if subjects refuse to allow data collection or request its subsequent deletion;
• Companies will need to set up formal agreements with all subcontractors who handle customer data to ensure that they observe the GDPR, especially when this data leaves the European Union;
• Some companies will need to designate a person responsible for the protection of personal data, who will advise the organization on confidentiality matters and who will be in direct and regular contact with the regulatory authorities when necessary;
• Companies should put procedures in place that allow them to detect security and other confidentiality breaches as quickly as possible and notify the relevant authorities within 72 hours.
• Companies should set up a continuous improvement process for confidentiality and privacy.

The GDPR sets out principles rather than specific rules because best practices will vary between companies and industries. Some organizations, for example, have an added responsibility due to the sensitivity of the data they handle. This is particularly the case for those who process genetic or biometric data or the data of children under the age of 16.

What to expect

Experts agree that strengthened privacy protection, embodied by the GDPR, is here to stay. As of this writing, the framework imposed by the GDPR is the strictest anywhere, and it seems unlikely that other authorities will take it even further. A company whose mobile apps, websites and other online services comply with the GDPR will probably be able to operate in most countries, while meeting the requirements that will soon frame the legislative guidelines of Quebec’s Bill 64.