This article is a heavily opinionated piece of text written by someone completely unqualified to give legal advice in any context. It is merely intended to spark ideas on how to make an organisation compliant but should, under no circumstances, be used to create something with legal consequences.
When it comes to understanding the European Union (EU)’s General Data Protection Regulation or GDPR, there are three groups of people:
- Lawyers. They tend to be GDPR ninjas. They rarely use it directly, but they’ll be the first to spot if you abuse it.
- Business owners. They navigate their business in the sea of laws and regulations. To them, GDPR is a dangerous reef they want to avoid colliding with at all costs. The understanding they need is not perfect: it’s practical.
- Mortal humans. Creatures like me. They tend to be mere spectators. No ninja knowledge. No executive responsibility.
How do these groups gain knowledge on GDPR?
- For lawyers, there is the official text. They are trained to understand it and trust no other source than the law itself. The law is the perfect source of truth: it is comprehensive but not practical.
- Business owners are in a difficult position: they need sources to be both comprehensive and practical. Annoyingly, this is very hard to come by.
- For mortal humans, there are gossip and 2-minute “GDPR 101” videos. They are easy sources: they are practical but not comprehensive.
In this article, we (mortal humans) will dive into the law and try to extract the bits that will relieve business owners of stress.
GDPR Glossary
- DS: data subject; the living natural person whose personal data is being collected and processed.
- PD: personal data; any information relating to an identified or identifiable natural person, i.e. someone who can be picked out directly or indirectly (a name, an identification number, location data, an online identifier such as an IP address or cookie ID, or a combination of attributes).
- CTR: controller; the organisation that decides the purposes and means of the processing, and therefore carries the main responsibility for data handling. Only the CTR appoints a processor (PRC), who acts on the CTR’s behalf, and the CTR may only use processors that offer sufficient guarantees of compliance. Quick sidenote: in VTEX’s context, CTR = client (the merchant), PRC = VTEX. The reason clients ask for solid compliance from VTEX is that they would be held responsible for picking a non-compliant PRC.
- PRC: processor; the organisation that processes personal data on behalf of the CTR. The PRC is appointed by the CTR under a written contract and may act only on the CTR’s documented instructions (or where the law requires otherwise).
- SA: supervisory authority; the independent public body in each Member State overseeing the application of GDPR. The SA is the referee between DS, CTR and PRC: it can advise, warn, reprimand, order, fine, certify, suspend data flows, etc. when it finds it necessary (its own powers and procedures are set by GDPR, though, so it can’t be arbitrary).
- DPO: data protection officer; the person designated by a CTR or PRC to monitor its compliance. The DPO is the contact point between CTR/PRC, DS and SA, and the DPO’s contact details are published and communicated to the SA (ours is Luiza Amorim).
Where does GDPR apply and who does it protect?
You’ve probably heard that it protects data, but it’s worth noting two things. GDPR only goes as far as the personal data of “living natural persons”, so the regulation probably doesn’t protect your great-grandmother’s second uncle’s dad’s privacy. And it doesn’t cover legal persons, so the financial data of your startup venture is outside it (the data of its founders, employees and customers is not).
Since it’s a law of the EU, you’d expect that as soon as you board a plane for Sydney, you can forget about it. Actually, this is a tad more complicated than that (apart from the fact that most EU airports don’t connect directly with Sydney). Article 3 says GDPR applies to:
- Processing in the context of the activities of an establishment of a controller or a processor in the EU, regardless of where the processing itself happens (a Dublin office whose servers sit in Virginia is still in scope).
- Processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing relates to (a) offering them goods or services, whether or not payment is required, or (b) monitoring their behaviour as far as it takes place within the EU. Here it doesn’t matter where the controller or processor are. Note that the data subject merely being in the EU is not enough on its own: one of those two activities must be present.
- Processing by a controller not established in the EU but in a place where “Member State law applies by virtue of public international law” (think of a Member State’s embassy or consulate).
“In an activity which falls outside the scope of Union law”, it does not apply (Article 2). Nor does it apply to purely personal or household activities, or to processing by police and judicial authorities for law enforcement, which has its own directive. This simply means that it doesn’t apply everywhere.
Now we may think that the controller and processor can play around the law by not being in the EU at all, but GDPR clearly says that in this case they need to appoint an official representative who is in the EU (Article 27), unless the processing is only occasional, low-risk and not large-scale sensitive data, or the controller is a public authority.
National security, public interest, compliance with law, and freedom of expression and information can limit the reach of GDPR: some activities are outside it entirely (Article 2), and Member State law may restrict specific obligations and rights where that is necessary and proportionate (Article 23). But we need to be careful here. First, it is clear that we can’t start suing people for gossiping, which is fair enough; purely personal activity is out of scope. However, GDPR explicitly requires Member States to reconcile freedom of expression with data protection (Article 85), so freedom of expression must not become a cover for abusing personal data in ways that harm the data subject.
What does GDPR tell me to do?
GDPR regulates how data is handled and it basically restricts how much data can be collected, for what, and for how long. This makes things difficult, but the intention is to protect individuals’ personal data. Article 5 lists the principles; the ones that shape most engineering decisions are purpose limitation, data minimisation and storage limitation. Together they mean: collect only what is adequate, relevant and necessary for a stated purpose, use it only for that purpose (or one compatible with it), and delete or anonymise it as soon as you no longer need it. Two more principles matter for the rest of this article: integrity and confidentiality (keep the data secure) and accountability (be able to demonstrate all of the above).
Cooperating with the data subject
Since GDPR is all about protecting the data subject ’s privacy, let’s see what rights the regulation gives them.
Collecting
Before collecting the data, there’s a few boxes to check – quite literally.
Before anything happens, you need a lawful basis for using the data (Article 6). Consent is the best-known one, but not the only one: performing a contract with the data subject, a legal obligation, protecting someone’s vital interests, a task in the public interest, and the controller’s legitimate interests (balanced against the data subject’s) also count. Where you rely on consent, it must be freely given, specific, informed and unambiguous, and actively given: no pre-ticked boxes, no consent buried in the terms of service, and no silence taken as a yes. When you want to use the collected personal data for more than one purpose, you need to ask for consent for each purpose separately, and the data subject must be able to withdraw it as easily as they gave it. When collecting personal data, the controller tells the data subject who they are, why they collect the data, on what legal basis, how long they keep it, whom they share it with, the DPO’s details, the data subject’s rights, etc. (Article 13). This should be written in clear and plain language so the data subject can understand it easily.
Processing
Once personal data are collected, processing can begin. However, transparency is still key. The data subject can ask at any time whether and what data are processed about them, for which purposes, with whom they are shared, for how long, and where the data came from, and get a copy (the right of access, Article 15). The controller must answer without undue delay and within one month (extendable by two further months for complex or numerous requests, if the data subject is told why). This info should be given free of charge, unless the request is “manifestly unfounded or excessive”. This is how lawyers say “too much”. So a controller can charge a “reasonable fee” for, or simply refuse, annoying requests. On the other hand, the controller then bears the burden of proving why exactly it was annoying. One practical caveat: verify the requester’s identity before handing over anyone’s data (GDPR allows you to ask for what you need to confirm it); a forged access request is a cheap way to exfiltrate a record.
Saying no – AKA the right to be forgotten
Stop using my data!
The most famous result of GDPR is the “right to be forgotten”, which the regulation itself calls the right to erasure (Article 17). Before that, though, the data subject can pull the plug on processing. If the processing rests on consent, the consent can be withdrawn at any time, even after you start processing, and further processing must stop (what was done before stays lawful). If it rests on legitimate interests or a public-interest task, the data subject can object, and the controller must stop unless it can demonstrate compelling legitimate grounds that override the data subject’s (Article 21); for direct marketing the objection is absolute, no justification possible. In every case the controller has to act without undue delay, within one month (extendable for complex cases), and completely free of charge.
Please, delete my data!
Furthermore, they can also ask the controller to delete their data. The controller must do so without undue delay when, for instance, the data is no longer needed, consent is withdrawn, an objection succeeds, or the processing was unlawful in the first place; it may refuse where the data is still needed for a legal obligation, public health, research or statistics, or legal claims. This gets more difficult when the data has been made public, for instance on social media: then the controller has to “take reasonable steps”, including technical measures, to inform other controllers who are processing the data that the data subject has asked for links to it and copies of it to be erased.
What does GDPR mean by “reasonable steps”?
“Reasonable” is a tricky word. GDPR uses it here because it’s not always possible to chase down every copy of someone’s data across the internet, and even if it is, it might be crazy expensive. GDPR understands that and gives a little leeway to controllers, “taking account of available technology and the cost of implementation”. But remember, as easy as it is to define “reasonable”, it’s just as hard to defend your definition. So when a business decides what reasonable steps to take, they have to be prepared to defend that in front of the supervisory authority or in court, should the data subject not be satisfied. The copies in your own systems are not covered by this leeway: those simply have to go, and you should be able to show when the copies in backups expire as well.
What the data subject cannot decide about data processing
We can see that the data subject has a lot of power in the process and can step in at many points to stop someone from using their data. However, their power is not endless. For instance, when creating statistics, the personal data of thousands or millions of data subjects are processed together. Together is the key differentiator here! Statistics are rarely about one person, so nobody should be singled out in such processes (it’s like being a drop in the ocean). Statistics are usually for the greater good (imagine the daily figures on Covid-19), so it would be impractical and damaging if data subjects could refuse to give their data. The result is a compromise: processing for statistical purposes gets several exemptions (further processing for statistics counts as compatible with the original purpose, and the right to erasure can yield to it), provided the controller applies safeguards such as pseudonymisation and makes sure that no individual can be identified in the output (all drops stay in the ocean). The data subject can still object on grounds relating to their particular situation, unless the processing is necessary for a task carried out in the public interest (Article 21(6)). And once the statistics are truly anonymous, they are no longer personal data and GDPR stops applying to them.
Remember that public interest, national security and the law can restrict the scope of GDPR. This is because authorities need to handle data of citizens and they can’t just ask for permissions every day – imagine how crazy life would become. Also think about lawsuits, treating patients, preventing epidemics and so on. If you ever read GDPR you’ll see that it’s full of exceptions when it touches one of these factors. So generally speaking, the DS can’t tell controllers and processors not to process their data when it’s for an official/legal purpose. One right survives even here: the data subject can refuse to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them (Article 22), unless the decision is necessary for a contract with them, authorised by law with suitable safeguards, or based on their explicit consent. Even then, they can demand human intervention and contest the decision.
What if something goes wrong with data?
GDPR’s Articles 33 and 34 describe what to do in case of a personal data breach.
- The processor notifies the controller without undue delay after becoming aware of it.
- The controller notifies the supervisory authority, unless the breach is unlikely to result in a risk to people’s rights and freedoms, including:
  - A description of the breach: its nature and, where possible, the categories and approximate number of data subjects and records concerned
  - Name and contact details of the DPO (or another contact point)
  - Likely consequences
  - Measures taken or proposed to address the breach and mitigate possible damage
- This should happen without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach (not of the breach itself). A later notification must explain the delay, and the information can be delivered in phases if it isn’t all available at once.
- If the breach is likely to result in a high risk to the affected people, the controller also tells the data subjects themselves, in clear and plain language, without undue delay (Article 34).
- Every breach is documented internally (facts, effects, remedial action), whether or not it was notified, so the SA can verify compliance afterwards.
Who pays when things go wrong and how much?
Hefty fines
As you would expect, if an organisation profits from an infringement, the gain is taken into account when the fine is set, so they’ll effectively pay it back. But this is not even close to all the money they’ll have to pay.
The real punishment for a data breach: administrative fines and penalties.
- Administrative fines come in two tiers (Article 83). Breaching the obligations of controllers and processors (for example security, breach notification, records, DPO), or those of certification and monitoring bodies: up to €10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Breaching the basic principles, the data subjects’ rights, the rules on international transfers, or an order of the supervisory authority: up to €20 million or 4% of total worldwide annual turnover, whichever is higher.
- If this is not enough, penalties come on top of this. Penalties are defined and enforced by each Member State separately (Article 84). As one admin fine + penalty combo can kill off a company, this is a solid motivator to always be GDPR compliant.
Penalties and fines are given as “up to” a certain maximum, but the real value will depend on how much of “a good girl/boy you have been” (e.g. cooperation with supervisory authority, your infringements in the past, if you’ve followed advice of supervisory authority, steps you took to save the situation after the breach, etc.). Remember this when we get to How to stay on the safe side.
If the data subject suffers material or non-material damage as a result of an infringement (a data breach being the obvious example), they have the right to receive compensation from the controller or the processor (Article 82).
“In a case of a minor infringement or if the fine likely to be imposed would constitute a disproportionate burden to a natural person, a reprimand may be issued instead of a fine.”
Responsibility
It will, of course, get to the point of who is responsible. Chances of both the controller and the processor getting away without paying are very slim. It can only happen if they prove that they are not in any way responsible for the event giving rise to the damage. In most cases of a data breach, the controller will be liable. The processor is liable only if it has:
- failed to comply with the GDPR obligations specifically directed at processors, or
- acted outside of, or contrary to, the controller’s lawful instructions.
If there are multiple controllers or processors, one of them pays the compensation and then claims the fair share back from each fellow controllers or processors.
How to stay on the safe side?
The general rule of thumb: comply with the rules as much as you can. The law can be vague and if you read through it, it becomes clear that it is not safe to stretch the rules or be “just about compliant”. Remember that if something happens, the amount you’ll pay heavily depends on how much you’ve tried to comply. If the supervisory authority sees that you’ve been balancing on the edge of the law, your shareholders will probably lose their hair.
GDPR likes using words such as “reasonable” and “appropriate”. For security measures (Article 32), “appropriate” means taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risk to the people concerned. Compliance measures (e.g. protection procedures, breach mitigation, etc.) are judged against that yardstick. This is super vague but, in all fairness, how could it be more specific? A useful habit is to write down the risk assessment behind each measure, because that “state of the art versus cost versus risk” reasoning is exactly what you will be asked to defend.
- Communicate. Keep in touch with data subject and supervisory authority. If anything goes wrong, the right info must go to the right person, very quickly. Being lazy here is deadly expensive.
- Document everything: how you keep the data, how you process it, how you protect it, any failures, communications, etc. GDPR actually requires a record of processing activities (Article 30) and a record of every breach, notified or not (Article 33). Many times, you’ll have to use these documents to prove your compliance.
- Pseudonymisation. GDPR defines it (Article 4(5)) as processing personal data so that it can no longer be attributed to a specific person without additional information that is kept separately and protected. Encryption is one way to achieve it, but so is replacing direct identifiers with keyed tokens and keeping the key (or the lookup table) with the controller. Pseudonymised data is still personal data, so it lightens your obligations rather than removing them, but Article 32 names pseudonymisation and encryption explicitly as appropriate measures, and it limits the blast radius of a breach at a processor that never sees the key. The performance worry is smaller than it looks: you pseudonymise once, at the boundary where data leaves the controller’s systems, rather than encrypting and deciphering millions of records in real time on every request.
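The boundary pseudonymisation just described, as an added example (not VTEX’s code, and not part of the original article). It assumes a merchant (the controller) ships order records to an analytics processor, that the record layout below is representative, and that the HMAC key and the re-identification table live in a separate, access-controlled store on the controller side. It also shows why the tokens must be keyed: an unkeyed hash of an email address can be reversed from a list of candidate addresses, a keyed one cannot without the key.

```python
"""Pseudonymise an order record before it leaves the controller.

Added example, not VTEX's code. Assumptions: the record layout, the
analytics purpose, and that the controller keeps the HMAC key and the
token->identity table separately from the data handed to the processor.
"""
import hashlib
import hmac

# Constructed sample input; not a real customer.
SAMPLE_ORDER = {
    "order_id": "A-1001",
    "email": "Ada.Lovelace@example.com",
    "phone": "+44 20 7946 0000",
    "street": "1 Example Street",
    "total_eur": 42.50,
    "country": "GB",
}

# Fields that identify a person directly: replaced by tokens.
DIRECT_IDENTIFIERS = {"email", "phone"}
# Fields the (assumed) analytics purpose never needs: not shipped at all.
NOT_NEEDED_FOR_ANALYTICS = {"street"}


def normalise(value):
    """Canonical form, so 'Ada@x' and ' ada@x ' map to the same token."""
    return " ".join(str(value).split()).lower()


class Pseudonymiser:
    """Keyed tokenisation; the key is the 'additional information' that
    Art. 4(5) says must be kept separately from the pseudonymised data."""

    def __init__(self, key):
        if len(key) < 32:
            raise ValueError("use at least 256 bits of key material")
        self._key = key
        self._reverse = {}  # token -> original value, held only by the controller

    def tokenise(self, value):
        # HMAC-SHA256: without the key, low-entropy identifiers (emails, phone
        # numbers) cannot be recovered by hashing guesses.
        mac = hmac.new(self._key, normalise(value).encode("utf-8"), hashlib.sha256)
        return "tok_" + mac.hexdigest()[:32]

    def pseudonymise(self, record, identifiers=DIRECT_IDENTIFIERS,
                     drop=NOT_NEEDED_FOR_ANALYTICS):
        """Return the record the processor may receive; remember the mapping."""
        out = {}
        for field, value in record.items():
            if field in drop:
                continue  # data minimisation: never leaves the controller
            if field in identifiers:
                token = self.tokenise(value)
                self._reverse[token] = value
                out[field] = token
            else:
                out[field] = value
        return out

    def reidentify(self, token):
        """Controller-side lookup; the processor has no equivalent."""
        return self._reverse.get(token)

    def erase(self, token):
        """Drop the mapping: the processor's copy is no longer attributable.
        Returns True if a mapping existed."""
        return self._reverse.pop(token, None) is not None


def unkeyed_hash(value):
    """What NOT to do: a plain hash is a deterministic function of the input."""
    return hashlib.sha256(normalise(value).encode("utf-8")).hexdigest()


def guess_from_candidates(target, candidates, fn):
    """Attacker model: try every candidate identifier through fn and compare."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), target):
            return candidate
    return None


if __name__ == "__main__":
    p = Pseudonymiser(b"k" * 32)  # demo key; use a KMS/HSM-held key in practice
    shipped = p.pseudonymise(SAMPLE_ORDER)
    print(shipped)
    print(p.reidentify(shipped["email"]))
```

The two `guess_from_candidates` runs are the point of the block: feed it `unkeyed_hash` and the email address falls out of a small dictionary; feed it `tokenise` from a `Pseudonymiser` built with the wrong key and nothing matches. `erase` is what a right-to-erasure request looks like on the controller side once the processor only ever held tokens.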
Is it the same everywhere in the EU?
No. Member States can further specify and restrict, and GDPR actually encourages them to do that in many places. This is quite European, actually. Since the EU is made up of a lot of sovereign states, there is a tendency to leave high autonomy to individual countries even in such universal and strict legislation as the GDPR. Germany’s example describes it quite well. Since it’s a federal republic within the EU, a German business will have to comply not only with GDPR, but also with the German federal data protection act (BDSG) AND, depending on the sector, state law.
You would think, “okay, this seems complicated but relatively straightforward and reasonable”. I agree. But there are exceptions: “Member States shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression.” Again, this is law lingo for “you can’t kill poetry with data protection”.
They explain that Member States can introduce exemptions and derogations to GDPR. Now let’s stop for a moment here. So is it true that Member States can be stricter but also less strict? Well, the answer is… yes, within limits. GDPR is a regulation, so it applies directly in every Member State, but it contains many “opening clauses” (the age at which children can consent to online services, employment data, freedom of expression, research and statistics, and so on) where national law may specify, restrict or derogate. So it is not enough to comply with GDPR alone; we’ll always need to know the privacy laws of every country we operate in.
So the EU made this law and that’s it?
Not exactly. Since technology is changing and GDPR produces real-life cases, the law will be reviewed every 4 years.
Since now everybody is super keen to comply, the EU has an official body to help with this: the European Data Protection Board (EDPB), made up of the national supervisory authorities. It can:
- issue guidelines, recommendations and best practices on how to be GDPR-compliant, and
- approve the criteria for certification schemes; the certificates themselves are issued by accredited certification bodies or by supervisory authorities, and the EDPB keeps a public register of them.
In case of any updates, it’s worth checking the Official Journal of the European Union. The Commission publishes there its adequacy decisions: the list of third countries (and sectors) it has found to guarantee an adequate level of protection, and any decision that a country no longer does. Transfers to those countries need no further authorisation; transfers anywhere else need appropriate safeguards (standard contractual clauses, binding corporate rules) or one of the narrow derogations of Article 49. It’s important to keep this in mind because adequacy decisions can be repealed or annulled, so the list changes over time.
Conclusion
There is more to GDPR than what we’ve seen here: 99 articles plus 173 recitals, so if you want to know all the details, feel free to read it. If you decide, however, not to read it just yet, then we’ll recommend you:
- Use this article to come up with a strategy that will make you GDPR-compliant;
- Once you have this first draft, show it to your lawyer before implementing anything. They won’t necessarily help you become compliant per se, but they can definitely check if you are. There is no better person to show you the gaps than a lawyer.
- Iterate the process of tweaking your solution and aligning with your lawyer.
- Once you’re ready, why not get certified? A certification under Article 42 (the European Data Protection Seal being the EU-wide one) is a strong way to demonstrate your compliance and is valid for up to 3 years (it can be renewed). Just remember that it does not reduce your responsibility: you remain liable for compliance, seal or no seal.
You’re all set. Time to write that privacy policy…