GDPR to Tighten European Personal Data Protection, Apply to Multinationals, Robots

April 26, 2018      

As of May 25, 2018, every organization that records personal data about one or more European individuals needs to comply with the General Data Protection Regulation, or GDPR. This goes for any database location or type of information carrier, so smart robots and artificial intelligence systems must also comply.

GDPR covers personal data about any type of business relationship. This includes employees, suppliers, customers, advisers, and social relations.

The strict rules will apply to businesses anywhere in the world that have had or now have relationships with people residing in any of the European Union’s 27 member states.

GDPR’s basic premise is that organizations must adequately protect personal data and that the individuals involved must give explicit permission for data storage and usage.

Main restrictions around personal data

  • Individuals must give clear, explicit prior permission for personal data storage and usage
  • Data storage must be functional; this functionality must be explained to the individual prior to storage
  • Individuals have the right to view what data are stored and how
  • Individuals are entitled to have the storage of data changed so that the data can no longer be linked to them
  • Individuals have the right to demand that their personal data be removed
  • The organization storing data must have data protection policies and procedures
  • Organizations are required to publicize any data leaks

Storage functionality: The data-storing entity must explain why storage is necessary within the relationship’s framework. If the individual deems the explanation insufficient, they may require data removal.

Permission: Permission must be given explicitly and prior to personal data storage.

Data-storing entities must clearly explain the purpose of the data storage, where and how long they will be stored, and who will have access.

This explanation can no longer be hidden in the small print or pages-long terms and conditions. Companies are required to use concise, transparent, and simple language to explain data storage rationale.

Forms can no longer appear with pre-checked phrases, such as, “Yes, keep me informed about new products.” Such checks must be done by the individuals involved.

Unless companies can prove that the individual has already given explicit permission based on GDPR’s conditions, renewed explicit permission must be obtained from the individual in question. This goes for all types of existing relationships, including recipients of newsletters, product mailings etc.

If such permission is not obtained, then the individual’s personal data must be removed.

Minors’ personal data may only be stored and used after explicit prior permission from their parents.

Online shops are allowed to store data needed for purchased items’ shipping without prior, explicit permission. Other uses of these data, for example for marketing purposes, do require permission.

Data no-nos: Certain types of personal data may no longer be asked from individuals: race/ethnicity, political opinions, religion, biometric and medical information, and sexual orientation or behavior.

GDPR makes an exception for personal data that users have published themselves, such as someone’s religion on Instagram or sexual orientation on Facebook.

Right to review and removal: Data-storing entities are required to send their relations a digital copy of their stored data no later than one month after such a request is received. Requests for personal data to be changed or removed must be honored.

Every individual has the “right to be forgotten.” For example, people should have control over negative or embarrassing information that can be found on social media, according to GDPR.

In certain cases, companies don’t have to comply. A negative news story that includes people’s names won’t have to be removed if it’s factually correct. Other data made public that’s deemed irrelevant or an undue invasion of privacy, such as a person’s address or the name of the school their children attend, is not covered by the factual correctness protection.

Images of and information about minors must always be removed upon request.

Data policy and procedures: For many companies, GDPR requires a drastic rethink of their data policies and procedures.

GDPR forces data-storing organizations to respond to European residents’ data requests within one month and make the process as easy as possible.

Multinational corporations will need an approach to identify, tag, and catalog personal data and its lineage. The new rules require the following questions to be asked:

  • What data sources are used?
  • What criteria are used for data identification and selection?
  • Where, how and by whom are GDPR-protected data initially recorded?
  • How are these data used and distributed? Who manages this and how?
  • What access conditions are in place, and how are they enforced and evaluated?
  • What procedures are in place for data mutations?
  • How are data abuses and leaks managed and by whom?

Data leak reporting

Data leaks often go unreported or under-reported because of reputational and liability concerns. GDPR requires companies to have a data-leak protocol, outlining investigating and reporting procedures and responsibilities. It also states that data leaks must be reported in a timely manner.

Organizational requirements

GDPR requires that each organization designate someone within its top management and governance structures to be responsible for personal data and privacy.

Larger organizations will need to appoint three officials. This may or may not be separate from other job functions these employees carry out.

CISO (chief information security officer): Advises the board and takes responsibility for formulating policy and safeguarding digital and physical information. The CISO reports directly to the board to maintain autonomy within the organization.

CIO (chief information officer): GDPR doesn’t require major changes in how most companies use their CIOs.

PO (privacy officer): This official monitors compliance with GDPR and other EU regulations governing data protection.

Smaller organizations can — and need to — hire external specialists in lieu of the three job functions mentioned above.

EU stock exchange-listed companies and public agencies must include an information security section in their annual reports, describing their policies and procedures and their execution.

Consequences for robotics businesses

Every organization involved in robotics and AI would do well to identify any links they have with European individuals — even one newsletter subscriber counts — and review their data protocols.

With more and more robots capturing and storing personal data, being proactive is advisable. Very few robotics companies anywhere in the world will be left untouched by GDPR.

Initial reactions mixed to negative

Some of the initial reactions to GDPR’s provisions from analysts and corporations have been negative.

“According to Article 83 of GDPR, a national privacy authority can fine to a maximum of €20 million [$24.37 million], or 4% of the worldwide turnover — whichever is higher,” noted attorney Stephan Mulders.

“With the consequences so high and the rules [so] complex, GDPR has definitely kept me up at night,” said Karen Walker, chief marketing officer at Cisco. “We have invested heavily in technology to provide better and more personalized experiences to our customers and prospects and rely on personal data to provide that.”

Others have said the rules aren’t clear or strong enough. “Austria decided to abstain during the final vote on the GDPR in the council due to weaknesses in certain areas of user protection,” said Estelle Massé, a senior policy analyst at Accessnow.

Regarding Article 6, which covers lawfulness of processing, a staffer at the Information Commissioner’s Office said, “this part of the regulation is a confusing conflation of legal bases for processing personal data and purpose limitation. The two elements of the law must be kept separate as far as is possible.”

“It will be difficult for an organization to evaluate whether or not its legitimate interests override those of the individual, and whether or not, therefore, the incompatible processing is permitted,” said the official, who declined to be identified. “Supervisory authorities would find this just as difficult to evaluate.”

GDPR should give the Dutch privacy authority more power to levy enforcement fines, said Aleid Wolfsen, chairman of National Privacy Authority — Netherlands.

“Two things will happen: Fines will go up, and the bar to hand them out will go down,” Wolfsen said. “Under the GDPR, we can fine companies when they don’t take proper precautions to safeguard data, so intent is no longer the deciding factor like it is now.”

The U.S. and U.K. watch the EU

“GDPR will hand a huge advantage to big American tech companies by making the Web unsurfable in Europe,” said Jeff Smith in Business Insider. “It will require tech companies to get consent from any user for any information they gather on you and for every cookie they drop, each time they use them. It will turn the Web into a mass of click-to-consent forms.”

The so-called Brexit will not affect the U.K.’s adherence to GDPR.

“GDPR will become the law in the U.K., but once the U.K. departs from the EU’s jurisdiction, we will need a piece of legislation that mirrors GDPR carefully, so as to leverage the fact that GDPR was already put in place,” said Trevor Hughes, president and CEO of the International Association of Privacy Professionals. “[GDPR] also allows for the greatest amount of harmonization between European data trading partners and the U.K.