GDPR - Who, Why and What Needs Protection
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
The Rules For Determining Whether An Organization Falls Under GDPR Compliance ...
I have been asked repeatedly about the compliance requirements for the upcoming GDPR mandate and most recently at a talk I gave on the subject, I had a dozen companies saying they were confused about whether they were required to comply and if I could explain the parameters of the defining characteristics for them.
I can understand why there is confusion. The regulation does not use a term like HIPAA's 'covered entity' that you can simply test yourself against; it speaks of 'controllers' and 'processors' and defines its reach by where the organization is established and whose data it touches, and its definition of 'personal data' is deliberately broad. So, I will try to explain all this here in a way that I hope will be helpful, as we are now only 12 days away from the on-switch.
I think the best way to contextualize your thinking about GDPR is to wrap your mind around the intent and therefore the focus of the regulation. The General Data Protection Regulation (GDPR), also known as EU Regulation 2016/679, is all about strengthening and unifying data protection for the personal and sensitive information of all individuals (‘data subjects’) within the European Union (EU).
It isn't about protection of an organization's information assets, except insofar as that protection relates to the privacy of the individuals whose data those assets contain. It is all about protecting individual data and allowing the individual to determine whether s/he wishes that data to be used in any way that s/he perceives might be harmful to their privacy or reputation.
While my regular readers know that I am generally opposed to any government intervention in the mechanics of capitalism, I acknowledge that the combination of the accelerated permeation of social media and unstoppable greed, as witnessed recently in the discovery of Facebook "unwittingly" sharing personal data with Cambridge Analytica, has created a sort of unstoppable swamp monster, and the only way to curtail its growth may well be government regulation.
Understanding why someone like Zuckerberg would willingly invite Washington into his company's bedroom is way above my pay grade, but there it is. Many songs have been written about how the most difficult chains to break are the ones we wrap around ourselves. But, now that we understand the intent of the regulation, let's look at the rules.
First, what is the definition of personal and sensitive data? The simplest explanation is that personal data is any information relating to an identified or identifiable 'natural person' (a living human being, as opposed to a corporation or other legal person). It includes the obvious identifiers such as a name, a photo, an email address (including a work email address) and bank details, but also posts on social networking websites, medical information, biometric, genetic and location data, and online identifiers such as an IP address, device ID or cookie ID. Note that it is enough that the person can be identified directly or indirectly, including by combining the data with other information, so pseudonymised data is still personal data as long as the key to re-identify it exists somewhere.
Sensitive data, which the regulation calls 'special categories' of personal data, is any personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. Genetic data, biometric data processed to uniquely identify a person, data concerning health, and data concerning a natural person's sex life or sexual orientation are also sensitive categories. (Data about criminal convictions and offences gets similar special treatment.)
This definition is intentionally left open to include future kinds of data that haven't been used, applied in a practical sense or even imagined yet. For instance, a hologram of a person may qualify as personal data, and a robotic device that has access to the personal data of its operator is processing personal data just as a database does, so that processing is included as well.
And no, I don't know whether an AI-powered humanoid machine will be considered a natural person, or whether the regulation will have to be rewritten to include machines like Japan's Shibuya Mirai, the chatbot that Tokyo's Shibuya ward gave both residency and a birth certificate. Perhaps Shibuya Mirai will object to its home address on the LINE messaging app becoming public knowledge and choose to opt out. Maybe the existing definition will cover an AI-powered robot that develops political opinions and begins a blog, but that is probably a topic for another post.
The organizations affected are those
1. Established in the EU (a controller or processor with an office, subsidiary, branch or other stable arrangement in a member state) that process personal data in the context of that establishment, REGARDLESS of where the processing itself takes place, or
2. NOT established in the EU, but that offer goods or services (paid or free) to individuals who are in the EU, or monitor the behaviour of individuals in the EU (web tracking, profiling, and the like).
That is the territorial scope set out in Article 3 of the regulation, and note what is NOT on the list: the size of the organization. The 250-employee figure that keeps circulating comes from Article 30(5), which relieves organizations with fewer than 250 employees of the duty to maintain formal written records of their processing activities, and only where their processing is occasional, is unlikely to result in a risk to individuals, and does not include sensitive data. It does not exempt anyone from the regulation as a whole. An organization of ANY SIZE that processes personal data as a regular part of its business model, or that handles sensitive data, has to keep those records as well as comply with everything else.
A 'data subject' or 'individual' is a natural person who is in the EU. Citizenship is not the test: the data of a US citizen living in Paris is covered, while the data of a French citizen living in Chicago is, in general, not, unless it is being processed by an organization established in the EU.
Therefore, the only organizations that fall outside the regulation are those who
1. Have no establishment in any member country of the European Union, and
2. Do not offer goods or services to, and do not monitor the behaviour of, individuals who are in the EU.
(The regulation also does not apply to an individual processing data in the course of a purely personal or household activity, such as a private address book, nor to processing that is outside the scope of EU law, such as national security.)
The regulation applies to any such organization regardless of where it is headquartered or where it operates. So, e.g., an organization headquartered in New York with employees working in London, even without a physical office there, is almost certainly 'established' in the EU under the regulation's broad test (the effective and real exercise of activity through stable arrangements, whatever the legal form) and must comply. Or, using the same example, an organization that does NOT have employees in London or anywhere else in Europe but DOES store and/or process personal or sensitive data on a routine basis about individuals in EU member countries, in the form of customer data for example, is offering goods or services to, or monitoring, those individuals and must comply.
So, any database containing personal or sensitive data collected from individuals in the EU will be in scope, as will any backup, export, log file or other media that holds a copy of it. Any organization that has such data in its systems, regardless of business size or sector, will have to comply with the GDPR.
So, at a macro level, this is what the GDPR considers to be 'personal data' and which organizations fall within its scope. Since any processing of personal data within that territorial scope is within the purview of the regulation, the GDPR also recognizes that some processing is necessary for organizations to perform their business functions (e.g., processing employee bank details for payroll purposes, or sharing an address with a credit agency on an individual who has gone into arrears on a payment agreement). For cases such as these, the GDPR specifies (in Article 6) the lawful grounds on which an organization can process personal data: the individual's consent; performance of a contract with the individual; compliance with a legal obligation; protection of someone's vital interests; a task carried out in the public interest or under official authority; or the organization's legitimate interests, where those are not overridden by the individual's rights. Sensitive data (Article 9) is off limits unless one of a narrower set of conditions applies, such as the individual's explicit consent or a specific obligation under employment law. Which ground fits which of your processing activities, and what each ground then requires of you, is a question that needs formal legal guidance.
This is where having read about the law versus being an actual lawyer matters. If you operate a business that processes 'personal data' on employees or customers in the EU for purposes like those described above, or that processes research, third-party analytics or any other data about individuals in the EU, you will need to consult your legal counsel for specific guidance about your particular circumstances. But you get the idea.
Caveat: This is not intended to be a complete explanation of the requirement and its coverage. For example, there is the whole issue of equal-opportunity reporting requirements, which may oblige you to collect ethnicity data, rubbing against this regulation, and the possible exceptions for processing that is necessary to perform a contract. If you think that you have a contractual, statutory or other basis for collecting this information without explicit consent, you will also need to consult your legal counsel for specific guidance about your circumstances and how to address them.
Again, the law is in place to protect personal and sensitive individual data: to make sure it is collected and used only on a lawful basis, for the purposes the individual was told about, and kept out of the hands of anyone who has no business with it. The jury is still out on robots.
I hope this was helpful.
Chief Manager at thyssenkrupp Industrial Solutions (India) Pvt Ltd (Formerly Uhde India Pvt Ltd), 6 years ago:
Query: A European citizen goes to the US and is hospitalised due to some illness. The hospital in general does not target EU residents. Does the hospital now come under GDPR scope?
Chief Manager at thyssenkrupp Industrial Solutions (India) Pvt Ltd (Formerly Uhde India Pvt Ltd), 6 years ago:
Very informative. Thanks.
(medical) Air Logistics and (Cyber) Security Compliance Expert, 6 years ago:
Hugh, waiver of compliance for companies with less than 250 FTE is still a debate. By default, every organization that handles PII or SPI data needs to be compliant. Just my few cents.
Board Member | Technologist | Visionary | Strategist | Cyber Security | SecOps | Deep Security, 6 years ago:
Great and very informative article.
Cyber Security & Risk Leader | LinkedIn Top Voice in Cyber Security 5x | Certified Corporate Director | Author | Mentor | Award Jury | Community Builder | Visiting Faculty | 31k followers, 6 years ago:
Very informative article!