GDPR Compliance
A new era for personal data protection
What is the GDPR?
The General Data Protection Regulation (GDPR) is a major update to data privacy law. The new regulation, which took effect on 25 May 2018, defines the responsibilities of any entity within the EU that processes personal data and any entity, regardless of geographic location, that processes personal data to provide a product or service in the EU. And it clearly defines the rights of data subjects whose personal data is processed by these entities.
The GDPR replaces the Data Protection Directive 95/46/EC, which went into effect in 1995. That was basically before the internet. Considering all the changes that have taken place since then with respect to the collection and use of personal data, the GDPR is long overdue and brings personal data protection into the 21st century.
Transparency is a core value of the GDPR. In short, no one has the right to store and process our personal data without our knowledge and consent, with the exception of clearly specified situations.
The GDPR places more accountability on businesses to protect the personal data they collect or process. To achieve compliance, “privacy-by-design” and “privacy-by-default” are two concepts that must govern the development of all new products, systems, and processes. Further, the GDPR requires that businesses not only comply, but can clearly demonstrate their compliance. Serious breaches of compliance can result in fines of up to €20 million or 4% of global annual turnover, whichever is more.
SCHREMS II Decision
The Court of Justice of the European Union (“CJEU”) issued its decision in “Schrems II” on July 16 2020, a landmark decision that invalidates the EU-US Privacy Shield arrangement. Until the decision, Privacy Shield had served as an approved “adequacy” mechanism to protect cross-border transfers of personal data from the EU to the US under the EU General Data Protection Regulation (“GDPR”). The CJEU did not invalidate the European Commission’s standard contractual clauses (“SCCs”) for transfers to data processors, meaning they can still be used as a mechanism for transferring data outside the EU.
In delivering its services Scrive does not transfer personal data to the US and hosts personal data exclusively within the EU. Thus, the use of Scrive services is not affected by the CJEU decision to invalidate Privacy Shield.
On a general note however, we are aware that the interpretation and application of “Schrems II” is still developing and we believe a cautious approach is appropriate. We care deeply about privacy and information security and are closely monitoring every guidance from authorities and other developments.
Terminology
Data subject
Any identified or identifiable natural person.
Data controller
Any natural or legal person or other entity that determines the purposes and means of the processing of personal data. A company is a data controller with regards to personal data they hold about their employees, customers, suppliers, and others on their own behalf. A typical example is keeping and using personal data such as email addresses for their marketing purposes.
Data processor
An entity that processes personal data on behalf of a data controller. A typical example is a marketing automation vendor that sends out marketing emails on behalf of another company.
Personal Data
In general, “personal data” means any information that can be used to identify a person. The GDPR expands on previous legal definitions to include identifiers such as:
- genetic
- mental
- cultural
- economic
- social
Consent
The GDPR sets out stricter requirements for what constitutes consent when data subjects provide their personal data. A typical example is when a web site visitor opts in to an e-marketing campaign by supplying their email address.
The GDPR states that consent must be:
- freely given – an employer requesting personal data from an employee would not meet this requirement, due to the relationship
- specific – it must be clear that the data being collected will be used only for specific activities
- informed – the data subject must have sufficient information about those activities to make an informed decision
- unambiguous – “consent should be given by a clear affirmative act”; this is one of the most significant changes with the GDPR, as it means it’s no longer legal to gain a data subject’s consent by means such as offering a pre-ticked opt-in box
Data controllers have new compliance requirements, including:
- When soliciting consent, data controllers must use clear and plain language to communicate with data subjects.
- Consent must be verifiable. Businesses are required to maintain consent records that can be checked to verify:
- that the data subject has consented
- what they consented to
- when they consented
Data Subject Rights (DSR)
The GDPR defines various rights that all EU citizens have as data subjects. We all have the right to know who holds and processes our personal data, and for what purposes. We also have the right to:
- request a transcript of our personal data and receive it in a portable format
- correct any errors
- request that our data be permanently erased
- restrict the kinds of data that can be stored and processed
- restrict the ways our data can be processed
- withdraw our consent at any time
- be clearly informed of all these rights
In turn, data controllers are required to:
- make it just as easy for data subjects to withdraw their consent as it is to give it
- take all reasonable measures to verify the identity of data subjects making these requests
- respond to and fulfil these requests without undue delay (within one month of receipt of the request)
- erase personal data as soon as the purpose for which they collected it has expired (not dependent on requests from data subjects)
- ensure that their contracts with data processors specify that GDPR-compliant security measures are in place to protect personal data
Compliance Made Easier
Digitising your processes always makes compliance easier. But even if you’re already 100% paperless, the GDPR requires a number of changes to your systems and processes. Scrive can make that easier.
As both a data controller and a data processor, Scrive understands the challenges our customers face. As trusted partners in digital transformation, we provide elegant solutions that simplify your processes, lower costs and enhance your brand. In fact, we put Scrive solutions and expertise to work in our own operations, and that applies to our GDPR compliance too!