With the General Data Protection Regulation now in effect, we at Mapline want to make sure you are prepared with some resources and information to help you with the new legislation. This article is designed to educate our customers with general GDPR information, items to keep in mind for your own business, how Mapline is responding, and some GDPR FAQs. Most of the work we have been doing for GDPR compliance is internal and does not directly impact our customers. We stand by the new legislation and its emphasis on strong data privacy protections and security principles. We have been working with our legal team, outside counsel, and privacy consultants to review and amend our processes where needed. This article’s purpose is to be an informational guide and should not be considered legal advice. Whether or not the GDPR affects you, and how, is something you should seek counsel for.
At its core, GDPR is a new set of rules intended to give EU citizens more control over their personal data. The regulation also expands the scope of what companies must consider personal data, and it requires them to closely track the data they’ve stored on EU residents. In essence, it seeks to bring more transparency to people about what data organizations collect about them, and what those organizations use it for, as well as enabling people to prevent unnecessary data collection.
The GDPR’s definition of personal data is now also much broader than previous definitions. Article 4 states that “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)”. We recommend reading Article 4(1) in the GDPR in its entirety for a comprehensive list of what the GDPR considers personal data. Beyond what we typically consider personally identifiable information (PII) (such as name, birthdate, email address, etc.), “personal data” can now include online identifiers such as IP addresses and mobile device IDs or even things like race, health data, and religion (see “special categories of personal data” in the GDPR).
Mapline is undertaking many steps to ensure it is GDPR compliant. Some of these steps include:
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller. It is possible to be both a data processor and a data controller. Many organizations that are data processors of some personal data are also data controllers of other personal data. When you input data into your Mapline account, you are acting as the data controller and Mapline is the data processor.
Organizations can be fined up to 4% of annual global turnover or €20 Million for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines: e.g. a company can be fined 2% for not having their records in order (Article 28), not notifying the supervising authority and data subject about a breach, or not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors — meaning ‘clouds’ will not be exempt from GDPR enforcement.
Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.
Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the DPA within 72 hours and to affected individuals without undue delay.
This is often referred to as “the right to be forgotten,” but it is not an absolute right. It only applies in certain circumstances and is subject to limitations. This right will not apply, for example, if further processing is required in order to comply with a legal obligation.