General Data Protection Regulation (GDPR)

With the General Data Protection Regulation now in effect, we at Mapline want to make sure you are prepared with the some resources and information to help you with the new legislation. This article is designed to educate our customers with general GDPR information, items to keep in mind for your own business, how Mapline is responding, and some GDPR FAQs. Most of the work we have been doing for GDPR compliance is internal and does not directly impact our customers. We stand by the new legislation and its emphasis on strong data privacy protections and security principles. We have been working with our legal team, outside counsel, and privacy consultants to review and amend our processes where needed. This article’s purpose is to be an informational guide and should not be considered legal advice. Whether or not the GDPR affects you, and how, is something you should seek counsel for.

What is the GDPR?

At its core, GDPR is a new set of rules intended to give EU citizens more control over their personal data. The regulation also expands the scope of what companies must consider personal data, and it requires them to closely track the data they’ve stored on EU residents. In essence, it seeks to bring more transparency to people about what data organizations collect about them, and what those organizations use it for, as well as enabling people to prevent unnecessary data collection.

What is Personal Data?

The GDPR’s definition of personal data is now also much broader than previous definitions. Article 4 states that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”. We recommend reading Article 4(1) in the GDPR in its entirety for a comprehensive list of what the GDPR considers personal data. Beyond what we typically consider personally identifiable information (PII) (such as name, birthdate, email address, etc.), “personal data” can now include online identifiers such as IP addresses and mobile device IDs or even things like race, health data, and religion (see “special categories of personal data” in the GDPR).

Key Principles of the GDPR

1. Lawfulness, fairness and transparency – When data is collected, it must be clear as to why that data is being collected and how the data will be used. It should not be used in any way that a person would not reasonably expect. Organizations also must be willing to provide details surrounding the data processing when requested by the data subject.
2. Purpose limitation – Organizations must specify why they need the personal data when they collect it and it needs to be a lawful and legitimate purpose. Personal data should only be collected to fulfill that specific purpose and not further used in a manner that is incompatible with those purposes.
3. Data minimization – No more than the minimum amount of data should be kept for specific processing, ensuring the data an organization captures is adequate, relevant and limited.
4. Accuracy – Data controllers holding personal data need to make sure information is being kept up-to-date and accurate.
5. Storage Limitation – Organizations should limit how the data is stored and moved, how long the data is stored, and understand how the data subject could be identified if the data records were to be breached. Personal data no longer required should be removed.
6. Confidential and secure – Organizations should ensure that appropriate security measures are in place to protect the personal data and that the measures are proportionate to the risks and rights of individual data subjects.
7. Accountability – Organizations must be able to demonstrate that they have taken necessary steps comparable to the risk their data subjects face. Also, EU citizens have the right to access their own personal data, request a copy of their data, or request that their data be updated and deleted.

Mapline’s GDPR Readiness Program

Mapline is undertaking many steps to ensure it is GDPR compliant. Some of these steps include:

• Vendor agreements review: Putting GDPR-compliant terms in place with vendors and service providers who process GDPR personal data on our behalf.
• Data Inventory: Creating a data map which reflects personal data holdings as required by GDPR, as well policies and procedures to facilitate the security of those holdings. By monitoring and actively updating this inventory, we can track all the ways users’ data is being collected and stored.
• Process updates: Utilizing Data Privacy Impact Assessments (DPIAs) to inspect all elements and determine the efficacy and safety of each tool we leverage as our processes are further improved to ensure continual compliance with GDPR. This will include implementing changes focusing on access controls, account and record deletion, security, storage, and audits.
• Internal Teams: Establishing a team responsible for managing and maintaining data privacy and information security moving forward. They will be providing data privacy training for all individuals involved in the handling of personal data.
• Privacy Policy updates: Updating our Privacy and Cookie Notices to ensure transparency with our customers.

GDPR FAQs:

What is the difference between a data processor and a data controller?

A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller. It is possible to be both a data processor and a data controller. Many organizations that are data processors of some personal data are also data controllers of other personal data. When you input data into your Mapline account, you are acting as the data controller and Mapline is the data processor.

What are the penalties for non-compliance?

Organizations can be fined up to 4% of annual global turnover for breaching GDPR or €20 Million. This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.

What about Data Subjects under the age of 16?

Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.

How does the GDPR affect policy surrounding data breaches?

Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.

Do EU data subjects have an absolute right to have their personal data deleted upon request?

This is often referred to as “the right to be forgotten,” but it is not an absolute right. It only applies in certain circumstances and is subject to limitations. This right will not apply, for example, if further processing is required in order to comply with a legal obligation.