The GDPR (General Data Protection Regulation) is an EU Regulation that significantly enhances the protection of the personal data of EU citizens and increases the obligations on organisations who collect or process personal data. The regulation builds on many of the 1995 Directive’s requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations. The regulate came into effect on May 25th, 2018.
You've likely heard a lot about the GDPR in 2018, but did you know we've had data protection legislation in the EU for quite a while already? Although the 1995 EU Data Protection Directive was replaced by the GPDR in May 2018, the Directive sets out the eight data protection principles which have been governing the treatment of personal data by
The GDPR applies to businesses that a) market their products to people in the EU or who b) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.
Disclaimer: This website is neither a magnum opus on EU data privacy nor legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how HubSpot has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.
Consent
The GDPR steps up the standard for disclosures when obtaining consent, as it needs to be “freely given, specific, informed and unambiguous,” with controllers using “clear and plain” legal language that is “clearly distinguishable from other matters”. Controllers will also be required to provide evidence that their processes are compliant and followed in each case.
Essentially, your customer cannot be forced into consent, or be unaware that they are consenting to processing of their personal data. They must also know exactly what they are consenting to and they must be informed in advance of their right to withdraw that consent. Obtaining consent requires a positive indication of agreement – it cannot be inferred from silence, pre-ticked boxes or inactivity. This means that informing the user during the opt-in is becoming more important.
New Rights for Individuals
The regulation also builds in two new rights for data subjects: a "right to be forgotten" that requires controllers to alert downstream recipients of deletion requests and a "right to data portability" that allows data subjects to demand a copy of their data in a common format. These two rights make it easier for users to request that any information stored should be deleted or that information that has been collected should be shared with them.
Access Requests
Data subjects always had a right to request access to their data. But the GDPR enhances these rights. In most cases, you will not be able to charge for processing an access request, unless you can demonstrate that the cost will be excessive. The timescale for processing an access request will also drop to a one month period (but this can be extended a further two months in some circumstances. In certain cases, organizations may refuse to grant an access request, for example where the request is deemed manifestly unfounded or excessive. However, organizations will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria.
Privacy by Design and DPIA
There are several new principles for entities that handle personal data, including a requirement to build in data privacy "by design" when developing new systems and an obligation to perform a Data Privacy Impact Assessment (DPIA) when processing using "new technologies" or in risky ways. A DPIA is the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals so that potential privacy issues can be identified before they arise, giving the organization time to come up with a way to mitigate them before the project is underway.
Data Privacy Officer
On the security side, the GDPR requires many businesses to have a Data Privacy Officer (DPO) to help oversee their compliance efforts. Organizations requiring DPOs include public authorities, organizations whose activities involve the regular and systematic monitoring of data subjects on a large scale, or organizations who process sensitive personal data on a large scale.
Contracts & Privacy Documentation
Since the GDPR is all about transparency and fairness, Controllers and Processors need to review their Privacy Notices, Privacy Statements, and any internal data policies to ensure they meet the requirements under the GDPR. If a Controller engages third party vendors to process the personal data under their control, they need to ensure their contracts with those Processors are updated to include the new, mandatory Processor provisions set out in Article 28 of the Regulation. Similarly, Processors should consider what changes they’ll need to make to their customer contracts to be GDPR compliant.
One-Stop Shop
One particular item in the GDPR should serve to make the lives of these Data Protection Officers easier: the GDPR’s new "one stop shop" provision, under which organizations with offices in multiple EU countries will have a "lead supervisory authority" to act as a central point of enforcement so they don’t struggle with inconsistent directions from multiple supervisory authorities.
Reporting Breaches
The GDPR contains a requirement that controllers must notify their country’s supervisory authority of a personal data breach within 72 hours of learning of it unless the data was anonymized or encrypted. In practice, this will mean that most data breaches must be reported to the Data Protection Commissioner. Breaches that are likely to bring harm to an individual – such as identity theft or breach of confidentiality – must also be reported to the individuals concerned.
Scope
The GDPR applies to non-EU businesses who market their products to people in the EU or who monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR likely applies to you.
Accountability
This concept requires Controllers and Processors to be able to demonstrate their compliance with the GDPR to their local supervisory authority. Processes should be recorded, implemented and reviewed on a regular basis. Staff should be trained and appropriate technical and organizational measures should be taken to ensure and demonstrate compliance.
Severe Penalties
The importance of the GDPR’s new provisions is underscored by the new penalties it imposes for violations. Depending on the type of violation in question, controllers and processors who mishandle personal data or otherwise violate data subjects’ rights could incur fines of up to €20 million or 4% of their global annual turnover (whichever is greater).
If you’re already a HubSpot customer or partner, please contact your account manager if you have any further questions, comments or suggestions.
Although the DPD was replaced by the GPDR, it sets out the eight data protection principles which the GDPR builds on. These rules govern how organizations should treat personal data and are set out below:
The DPD was a Directive, which is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals. In Ireland for example, the goals of the DPD were implemented through the Irish Data Protection Act, 1998.
A Regulation on the other hand, such as the GDPR, is a binding legislative act which applies in its entirety across the EU.
In June 2016, a majority of UK voters voted in favour of leaving the EU in the "Brexit" referendum. In March 2017, Theresa May gave notice to leave the EU under Art. 50 which triggered the commencement of the Brexit negotiations. This regulator resource may be helpful as the terms of Brexit morph over time: https://ico.org.uk/for-organisations/data-protection-and-brexit/
If you’re based outside the UK but have vendors or affiliates in the UK with whom you share personal data, you’ll also need to keep an eye on developments in this area. When the UK leaves, cross-border data flows may not automatically have adequate safeguards and therefore additional projections may be required to protect data you transfer to the UK.
Individuals already had a lot of rights which protected their personal data under the 1995 Data Protection Directive, but the GDPR significantly strengthened these rights such that data subjects can now:
No. There is no obligation under the GDPR for data to be stored in the EU and the rules regarding transfer of personal data outside the EU will not change. This means that, as long as the personal data is "adequately protected", data may be transferred abroad. For example, the EU has prepared a list of countries which they deem to provide an adequate standard of protection (known as "white listed countries"), so it is permissible to transfer data to those countries. Where a country is not on that EU list (for example, the USA), the controller must rely on use of approved contractual provisions (e.g. the Model Clauses or Corporate Binding Rules) or one of the other alternative measures, provided for in Law, such as the Privacy Shield certification.
We've compiled a list of additional sites for more information around the new regulation down below. Please feel free to check them out.
The Irish Data Protection Commissioner's GDPR website
Guidance from the German Federal Commissioner for Data Protections' on the GDPR here
HubSpot's GDPR compliance functionality here
EU Data Protection Supervisor here
HubSpot’s Security Program page
Find your Supervisory Authority here
Full text of the GDPR here
Full text of the GDPR in German here
The EU’s GDPR website
How prepared were others for the GDPR? What do consumers think about the changes? Find out more in our research!
In this lesson, you will learn what the GDPR is, the changes that will help protect personal data and the impact GDPR has on the world of inbound marketing and sales. You will explore the changes that you may need to make for your business and how to best prepare for GDPR.
For our customers and partners, HubSpot created a free GDPR compliance checklist to determine your next steps.
Find out how consumers and marketers view the GDPR. We've surveyed over 3,000 consumers to give you the best insights.
The GPDR was written by lawyers, so it should come as no surprise that it’s got a good bit of legal jargon sprinkled in there. But don't worry, our glossary will help you understand the most important definitions.