Data Privacy Radar: GDPR 101, What Who Why

The Data Privacy Radar is an ongoing series by our data privacy team to explore compliance and information governance issues for organizations around the world. Check out the other Data Privacy Radar posts on our global approach, our perspective on federal compliance, and a commentary on the Cloud Computing Compliance Controls Catalogue (C5).

On May 25, 2018, the General Data Protection Regulation (“GDPR”) will bring into effect “the most important change in data privacy in 20 years” (EUGDPR.org). The GDPR will affect all organizations worldwide that deal with European customers, partners, or vendors.

All organizations that touch European citizen data will have to comply. Are you ready?

What is the GDPR?

The GDPR is the latest data protection regulation that was approved by the EU Parliament on 14 April 2016. When it comes into effect on May 25, 2018, it will replace the current Data Protection Directive 95/46/EC.

Who is affected by the GDPR?

The scope of the GDPR is expansive. It covers personal data of all EU citizens and provides comprehensive rights to data subjects, including the right to erasure of data and the right to request more information around processing.

Failures to comply with the GDPR can result in fines up to €20 million or 4% of a company’s total global revenue for the preceding fiscal year, whichever is greater.

Why was the GDPR created?

The purpose of the GDPR is three-fold:

1) to harmonize data privacy laws and regulations across the EU
2) to protect EU citizens in the area of data privacy
3) to reshape the way organizations across the region (and beyond) approach data privacy

What are the three most notable changes to data privacy?

1. The “Who” Gets Expanded (e.g., Scope of Applicability)

The scope of applicability of the GDPR will be determined by the processing activities of a company itself, rather than where a company is established legally. In other words, even if a company is not legally established within the EU, the GDPR still applies if the company processes EU data subjects’ personal data relative “to the offering of goods or services” ((Art 3(2)(a)) or “the monitoring of their behaviour” (Art 3(2)(b)) if the behavior monitored takes place within the EU.

For example, let’s say a manufacturer of toys, Toys4You, is headquarted in New Jersey and sells its toys worldwide. Toys4You also has customers in France, emails with these French customers and stores their shipping information. Because Toys4You collects and processes the data of these French citizens, the toy manufacturer is subject to the GDPR.

2. The “What” Gets Expanded (e.g., Scope of “Personal Data”)

Under the GDPR, the term “Personal Data” is defined as “…any information relating to an identified or identifable natural person”. While the GDPR definition appears to be simple, it actually references a number of identifers including online identifiers, such as IP address, cookies and RFID tags. This means even online identifiers, including IP address, are considered a form of personal data even if the company processing the data cannot identify a natural person using the information alone.

For example, let’s say Toys4You has a website that is accessible in different languages, including French. If a French customer accesses the website from an IP address that is registered in France, the website is served in the French language. Although Toys4You can’t identify the customer using the IP address alone, the processing of the IP address still falls under the jurisdiction of the GDPR.

3. The “Responsible Party” Gets Expanded

Unlike other data privacy directives, the GDPR also governs data processors, as well as data controllers. Under the Directive, only data controllers (entities that are responsible for determining the purposes and means of the data processing) are regulated, while making no obligations of data processors (entities processing personal data under the direction of and on behalf of data controllers).

Under the GDPR, processors must comply with a number of requirements including maintaining adequate documentation, implementing appropriate security standards and complying with rules on international data transfers. In addition, processors are required to enter into a written data processing agreement with controllers that state they meet the requirements under GDPR. Failures to meet the processor requirements under the GDPR may result in sanctions and/or privacy claims by individuals for compensation.

For example, let’s say Toys4You uses a market research company, who analyses the data of the toy company’s current and prospective customers. Since the market research firm deals with the French customer data, it’s subject to the obligations of the GDPR.

Please note that these are just a few of many changes in the GDPR.

One of our goals is to make critical changes to compliance more approachable for our customers, so that they can focus on their mission. To find out more about how we help compliance, legal, and security team address their data privacy concerns, learn more about Box Security and Compliance. Also, see how Box can help organizations address in-region data residency concerns by downloading our Box Zones datasheet.