With the European Union’s General Data Protection Regulation (GDPR) going into effect on May 25, 2018, there are a lot of questions on both sides of the pond. Many US-based companies are asking, “Does this affect us?” and “Should we be looking at our compliance and security efforts with the GDPR in mind?” The answer is: probably. The GDPR will affect most companies. Even if it does not apply to you at the moment enforcement begins, it is still worth understanding the regulation and preparing your policies and procedures for it. In the age of social media, high-speed internet, and global commerce, the GDPR will eventually affect you and your business.
What data is protected under the GDPR?
All personal data is protected under the GDPR. Article 4 (1) of the GDPR states:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
This definition is very broad and all-encompassing. Personal data, as covered under the GDPR, includes:
1. Any information related to an identified person.
a. Driver’s license, employee ID, background check, credit score
b. Date of birth, address, phone number, email address
2. Any information related to an identifiable person.
With the simple addition of “identifiable,” data that could directly or indirectly lead to the identification of a natural person also becomes protected.
For example, let’s say Jane Smith purchases a vegan meal every day for lunch at a specialty deli. If Jane pays with a credit card, her card details make her directly identifiable to the deli. That also makes her purchase history (deli location, date and time, amount paid, and meal preferences) personal data, because at that point the deli could link each of those records back to Jane.
Other data may be considered personal data
There are other instances where collected data could fall within the personal data category:
1. Recital 24 states: The processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union should also be subject to this Regulation when it is related to the monitoring of the behavior of such data subjects in so far as their behavior takes place within the Union. In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours, and attitudes.
2. Recital 30 clarifies “online identifier” as mentioned in the Article 4 definition of personal data as: Natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
This is where it becomes a bit tricky. In this instance, Jane is in a large retail store. Is the in-store Wi-Fi tracking data considered identifiable information? Retail stores use Wi-Fi scanners to track shoppers’ smartphones: as a shopper walks through the store, the scanner collects data such as device type, MAC address, whether the device is a new or repeat visitor, and in which section of the store the shopper spends the most time.
Behavioral Analysis: The store uses the collected data to understand how its shoppers behave. Under Recital 24, that is monitoring of behaviour, so the data will most likely qualify as personal data.
Online Identifier: The collected data also falls under Recital 30’s “online identifier,” because a MAC address is a unique device identifier of the same kind as the IP addresses, cookie identifiers, and RFID tags the recital lists. Combined with the visit history the scanner records, it can be used to build a profile of, and ultimately identify, the person carrying the device.
Consent for data capture
Data capture will most likely have the largest impact in the initial wake of the GDPR going into effect. With data capture being an essential part of many businesses, the GDPR has strict requirements on what consent for data capture really means. Recital 32 of the GDPR states, “[c]onsent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.”
No longer will companies be able to automatically opt people into receiving their newsletter and gone are the days of the pre-checked boxes that flood your email with coupons.
Consent must also be specific to a purpose. If you collect new data, or want to use data you already hold for a different purpose, you need fresh consent (or another lawful basis) for that purpose. A one-time ‘blanket consent’ will no longer be acceptable, and the purposes of the planned processing must be explained when consent is requested.
There are also instances where a higher standard applies. Under Article 8, consent for online services offered directly to a child under 16 (Member States may lower this to no less than 13) must be given or authorised by the holder of parental responsibility. Under Article 9, processing special categories of personal data, such as racial or ethnic origin, religion, political opinions, health data, genetic and biometric data, and sexual orientation, requires the data subject’s explicit consent unless another Article 9 exception applies.
The right to be forgotten
Also covered in the GDPR is the right to be forgotten, or the right to erasure. Closely related is the rule that consent, once given, can be withdrawn at any time (Article 7(3)). Once an individual requests that their data be removed or deleted, a business must comply unless it has a compelling legal reason to continue processing the data. Under Article 17 of the GDPR, the right to erasure applies, among other grounds, when:
• The personal data is no longer necessary or relevant in relation to the purpose for which it was originally collected.
• The individual specifically withdraws consent to processing, and if there is no other justification or legitimate interest for continued processing.
• Personal data has been unlawfully processed, in breach of GDPR.
• The data must be erased in order for a controller to comply with legal obligations. For example, the deletion of certain data after a set period of time.
Under Article 17(2), a controller that has made the data public must also take reasonable steps, including technical measures, to inform any other controllers processing that data that the data subject has requested its erasure, so that copies held by third parties are deleted as well.
How could it affect my US-based business?
Article 3 of the GDPR states:
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
b. the monitoring of their behavior as far as their behavior takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
To summarize, if your company collects personal data or behavioral information from someone who is in an EU country, your company is held to GDPR standards, whether or not it has any physical presence in the EU. Article 3(2) turns on where the data subject is at the time of collection, not on citizenship: an EU citizen on vacation in the U.S. who purchases or registers for something while here is not covered by the GDPR for that transaction. Note the converse in Article 3(1): if your company has an establishment in the EU, processing done in the context of that establishment is covered regardless of where the processing takes place.
For more information on GDPR compliance and security measures, or to schedule a full risk assessment of your organization, contact Crossroads Technologies, Advisory Services Division, at 1 (800) 548-3893.