An overview of the new privacy and data protection laws that enter into effect on May 25, 2018, and a few best practices towards GDPR compliance
The GDPR is the most important change in data privacy regulation in decades. Companies are working to implement sweeping changes to their systems and contracts, and those running on compliant and privacy-conscious platforms have a head start. This guide aims to help our users understand the GDPR’s widespread consequences, the opportunity it affords to improve data processing activities, and how to become and remain GDPR-compliant.
The fine print: This GDPR Guide is for informational purposes only. It is not legal advice. Please reach out to your legal counsel to receive tailored guidance on how the GDPR may impact your business.
What is GDPR?
The General Data Protection Regulation (“GDPR”) is a new, EU-wide privacy and data protection law. It calls for more granular privacy guardrails in an organization’s systems, more nuanced data protection agreements, and more consumer-friendly and detailed disclosures about an organization’s privacy and data protection practices.
The GDPR replaces the EU’s current data protection legal framework from 1995 (commonly known as the “Data Protection Directive”). The Data Protection Directive required transposition into each EU Member State’s national law, which led to a fragmented EU data protection law landscape. The GDPR is an EU regulation that has direct legal effect in all EU Member States, i.e., it does not need to be transposed into an EU Member State’s national law in order to become binding. This will enhance the consistency and harmonized application of the law across the EU.
The GDPR can apply to organizations located outside the EU
Unlike the Data Protection Directive, the GDPR is relevant to any globally operating company, not just those located in the EU. Under the GDPR, organizations may be in scope if (i) the organization is established in the EU, or (ii) the organization is not established in the EU but the data processing activities are with regard to EU individuals and relate to the offering of goods and services to them or the monitoring of their behavior.
Processing personal data is a broad concept under the GDPR
The GDPR governs how personal data of EU individuals may be processed by organizations. “Personal data” and “processing” are frequently used terms in the legislation, and understanding their particular meanings under the GDPR illuminates the true reach of this law:
Personal data is any information relating to an identified or identifiable individual. This is a very broad concept because it includes any information that could be used on its own, or in combination with other pieces of information, to identify a person. Personal data is not just a person’s name or email address. It can also encompass information such as financial information or even, in some cases, an IP address. Moreover, certain categories of personal data are given a higher level of data protection because of their sensitive nature. These categories of data are information about an individual’s racial and ethnic origin, political opinions, religious and philosophical beliefs, trade union membership, genetic data, biometric data, health data, information about a person’s sex life or sexual orientation, and criminal record information.
Processing of personal data is the key activity that triggers obligations under the GDPR. Processing means any operation or set of operations that is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. In practical terms, this means any process that stores or consults personal data is considered processing.
Key concepts: data controllers and data processors
In EU data protection law, there are two types of entities that can process personal data — the data controller and the data processor.
The data controller (“controller”) is the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data. The data processor (“processor”) is the entity which processes personal data on behalf of the controller.
It is important to determine whether the entity processing personal data for each data processing activity is a controller or a processor. This mapping exercise enables an organization to understand what rights and obligations attach to each of its data processing operations.
Stripe has certain data processing activities for which it acts as a data controller, and others for which it acts as a data processor. A good illustration of this dual role is when Stripe processes credit card transactions. Facilitating a transaction requires the processing of personal data, such as the cardholder’s name, credit card number, credit card expiry date, and CVC code. The cardholder’s data is sent from the Stripe user to Stripe via the Stripe API (or by some other integration method, such as Stripe Elements). Stripe then uses the data to complete the transaction within the systems of the credit card networks, which is a function that Stripe performs as a data processor. However, Stripe also uses the data to comply with its regulatory obligations (such as Know Your Customer (“KYC”) and Anti-Money Laundering (“AML”) requirements), and in this role Stripe is a data controller.
Legal basis for processing personal data in the GDPR
The next consideration is to determine whether or not a particular processing activity is GDPR-compliant. Under the GDPR, every data processing activity, performed as a controller or processor, needs to rely on a legal basis. The GDPR recognizes a total of six legal bases for processing EU individuals’ personal data (in the GDPR, EU individuals are referred to as “data subjects”). Those six legal bases, in the order of Art. 6 (1) (a) to (f) GDPR, are:
1. The data subject has given CONSENT to the processing of his or her personal data for one or more specific purposes;
2. The processing is NECESSARY FOR THE PERFORMANCE OF A CONTRACT to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
3. The processing is necessary for COMPLIANCE WITH A LEGAL OBLIGATION to which the controller is subject;
4. The processing is necessary to PROTECT A VITAL INTEREST of the data subject;
5. The data processing is necessary for the performance of a task carried out in the PUBLIC INTEREST or in the EXERCISE OF OFFICIAL AUTHORITY; or
6. The processing is necessary for the LEGITIMATE INTERESTS pursued by the entity, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require personal data protection.
There are similarities between the GDPR permitted processing list and the list contained in the Data Protection Directive. However, there are also significant divergences.
The most frequently discussed change made by the GDPR, when compared to the Data Protection Directive, is the tightening of the consent requirements (item 1 in the above list). The GDPR consent requirements include elements such as (i) consent must be verifiable, (ii) the request for consent must be clearly distinguishable from other matters, and (iii) data subjects must be informed of their right to withdraw consent. It is also important to be mindful that an even higher consent standard (“explicit consent”) is imposed with respect to the processing of sensitive data.
Another important item to highlight is the legitimate interest basis (item 6 in the above list). When relying on “legitimate interest” to support the processing of personal data, an organization needs to be aware of the balancing test requirement associated with this legal basis. To satisfy the Accountability Principle under the GDPR, an organization must document its compliance with the balancing test, including its approach and the arguments it considered before concluding that the balancing test was satisfied.
Individuals’ rights under the GDPR
Under the Data Protection Directive, individuals were guaranteed certain basic rights with regard to their personal data. Individuals’ rights continue to apply under the GDPR, subject to some clarifying amendments. The below chart compares individuals’ rights under the Data Protection Directive and the GDPR.
DATA SUBJECT ACCESS REQUEST
Data Protection Directive: Individuals have the right to know whether their personal data are being processed, what and how personal data about them is being processed, and what the data processing operations are.
GDPR: The extent of this right has been expanded under the GDPR. For example, when making an access request, individuals must receive additional information, including information about their additional data protection rights under the GDPR that did not exist before, such as the right to data portability.
RIGHT TO OBJECT
Data Protection Directive: An individual may prohibit certain data processing operations where he or she has compelling legitimate grounds. Individuals may also object to the processing of their personal data for direct marketing purposes.
GDPR: The GDPR has broadened the scope of this right in comparison to the Data Protection Directive.
RIGHT TO RECTIFICATION OR ERASURE
Data Protection Directive: Individuals may request that incomplete data be completed or that incorrect data be corrected, to ensure that the processing of personal data complies with applicable data protection principles.
GDPR: The GDPR position is materially the same as under the Data Protection Directive, but some procedural protections are increased under the GDPR.
RIGHT TO RESTRICTION
Data Protection Directive: No right to restrict processing. However, the Data Protection Directive provides individuals the right to request the blocking of their personal data where the processing operations are not in compliance with data protection principles, for example when data are incomplete or inaccurate.
GDPR: The GDPR offers individuals the right to request the restriction of the processing of their personal data in certain circumstances, including where the individual contests the accuracy of the data.
RIGHT TO ERASURE (“RIGHT TO BE FORGOTTEN”)
Data Protection Directive: Individuals have the right to seek erasure of their personal data if the processing operations were not in compliance with data protection principles. This right is therefore very narrow.
GDPR: The GDPR has expanded this right substantially. For example, the right to erasure can be exercised when personal data is no longer necessary in relation to the purposes for which it was collected, or when the individual withdraws consent to the processing and no other legal basis supports continued processing.
RIGHT TO DATA PORTABILITY
Data Protection Directive: The Data Protection Directive does not explicitly mention “data portability” as a right of a data subject. EU Member State laws may have implemented additional rights akin to a right to data portability on a national level.
GDPR: Individuals may request that personal data held by one data controller be provided to themselves or to another controller.
International data transfers
International data flows have been a hot topic in recent years, and there has been considerable debate and law reform in this area. It is also almost certain that the laws around international data flows will continue to evolve in the coming years. Today, under EU data protection law, certain requirements need to be satisfied before EU individuals’ personal data may be transferred outside the EU, unless the organization receiving the personal data is located in a whitelisted jurisdiction (see the list of whitelisted jurisdictions).
Under the GDPR, international data transfers are a challenging topic to manage because the law keeps evolving and there are only a handful of data transfer mechanisms available. While challenging, organizations need to keep current with the developments because the compliant flow of personal data is the backbone of any technology company.
One particularly important mechanism for personal data flows from the EU to the United States is the Privacy Shield framework. The EU-US and Swiss-US Privacy Shield is a method of ensuring that an organization offers an adequate level of data protection, by requiring that the organization certify and register according to the requirements of the Privacy Shield framework. As noted above, international data flows continue to be an area of potential future law reform. For this reason, we are following the legal developments around international data transfer compliance measures very closely, and we take every measure available to us to ensure a compliant international transfer of EU data subjects’ personal data. This also means that we have built redundancies into our data transfer compliance program to the fullest extent possible, and we are looking to expand these with the tools available to Stripe under the GDPR.
The most referenced consequence of non-compliance with the GDPR is the maximum fine that can be levied against a non-compliant organization. The maximum fine that may be levied is 4% of global revenue or 20 million EUR, whichever is higher. Certain other types of infringements carry a maximum fine of 2% of global revenue, or 10 million EUR, whichever is higher.
Less frequently referenced are the data protection authorities’ (“DPAs’”) powers under Art. 58 of the GDPR. These powers include the ability for the DPAs to impose corrective actions, such as a temporary or definitive limitation on data processing activities, including a complete ban on data processing, or to order the suspension of data flows to a recipient in a third country.