publication of the International Legal Technology Association
Issue link: https://epubs.iltanet.org/i/817020
30 WWW.ILTANET.ORG | ILTA WHITE PAPER MARKETING AND BUSINESS DEVELOPMENT A Worldwide Law: The EU, the GDPR and You data reflects the changes in technology and how organizations collect personal data. Individual Rights The GDPR gives individuals of the EU control over how their data are used. Consent for the use of personal data needs to be informed, specific and unambiguous. This could put an end to long user agreements that hardly anyone reads. Consumers cannot be asked to agree to contract terms in exchange for their consent either. In addition to that, different types of data will require separate consent to avoid an "all or nothing" choice to individuals. Silence or inactivity does not constitute consent. Another right that the people of the EU will have is the right to access their data. Data subjects may obtain from the data controller information on how their data are being used. The controller must provide this information with a copy of their personal data, free of charge, in an electronic format. This is meant to empower individuals and make the use of personal data more transparent. Just as an individual may access their personal data under the GDPR, they can also ask that they "be forgoen" and controllers must erase all the personal data, cease further use of the data and halt any third-party use. Data Breach Notification and Penalties Under the DPD, EU member states could adopt different data breach notification laws. When companies suffered data breaches, they had to research and ensure compliance within each member state. With the adoption of the GDPR, there will be a single requirement to DPD and the GDPR is the addition of regulation of data processors. Data processors are defined as "the natural legal person, public authority, agency or other body, which processes data on behalf of the controller." Previously, under the DPD, only data controllers were held accountable for anything that went wrong. Under the GDPR, data processors will be required to have a contract with the data controller to process personal data. Thus, processors will also be liable. To emphasize the accountability of both data processors and data controllers, a data protection officer must be designated. A data protection officer must be appointed when the core activities of the controller or processor involve "regular and systematic monitoring of data subjects on a large scale." This officer can be an established employee within your company. Both controllers and processors will be required to maintain documentation describing data protection policies and keep record of their data processing activities. They will also be required to conduct impact assessments where there is a high risk of data breach. Personal Data Redefined The most important change from the GDPR is the definition of personal data. Where personal data defined in the DPD included a person's name, photo, email address, phone number, address or any personal identification number (social security, bank account, etc.), it will have a much broader definition under the GDPR. Things like IP addresses, mobile device identifiers, geo-location and biometric data will constitute personal data. In addition, an individual's physical, psychological, genetic, mental, economic, cultural, or social identity are also covered by the GDPR. The change in the definition of personal PERSONAL DATA UNDER THE GDPR • Name • Photo • Email Address • Phone Number • Address • Personal Identification Numbers • IP Addresses • Mobile Device Identifiers • Geo-Location • Biometric Data • Physiological Identity • Genetic Identity • Economic Status • Cultural Identity • Social Identity