I have a confession to make, one that is difficult to fess up to on the US side of the pond: I love the GDPR.
There, I said it...
In the United States, a common refrain about GDPR is that it is unreasonable, unworkable, an insane piece of legislation that doesn’t understand how the Internet works, and a dinosaur romping around in the Digital Age.
But the GDPR isn’t designed to be followed as precisely as one would build a rocket ship. It’s an aspirational law. Although perfect compliance isn’t likely, the practical goal of the GDPR is for organizations to try hard, to get as much of the way there as possible.
The GDPR is the most profound privacy law of our generation. Of course, it’s not perfect, but it has more packed into it than any other privacy law I’ve seen. The GDPR is quite majestic in its scope and ambition. Rather than shy away from tough issues, rather than tiptoe cautiously, the GDPR tackles nearly everything.
Here are 10 reasons why I love the GDPR:
(1) Omnibus and Comprehensive
Unlike the law in the US, which is sectoral (each law focuses on specific economic sectors), the GDPR is omnibus – it sets a baseline of privacy protections for all personal data.
This baseline is important. In the US, protection depends upon not just the type of data but the entities that hold it. For example, HIPAA doesn’t protect all health data, only health data created or maintained by specific types of entities. Health data people share with a health app, for example, might not be protected at all by HIPAA. This is quite confusing to individuals. In the EU, the baseline protections ensure that nothing falls through the cracks.
This cartoon focuses on the lawful processing requirement. Under the EU’s General Data Protection Regulation (GDPR), the collection and processing of personal data must be for “specified, explicit and legitimate purposes.” This is in contrast to the United States, where the processing of personal information is permitted unless a law forbids it.
Under the GDPR, data processing must be “lawful” – it must be justified by a legitimate purpose in order to be permissible. Article 6 of the GDPR sets forth the grounds for the lawfulness of processing personal data. These grounds include the consent of the data subject, when processing is necessary to perform a contract where the data subject is a party, when processing is necessary to comply with a legal obligation, when processing is necessary to protect a person’s vital interests, or when processing is necessary to perform a task carried out in the public interest. The final ground for lawful processing is when processing is necessary for the “legitimate interests” of a data controller or third party.
It is far from clear that there are legitimate interests in the cartoon above. Organizations often think that “legitimate interests” means any interest that is important to their business, but that’s not the case. This ground for lawful processing is much narrower. Moreover, legitimate interests must not be overridden by the data subject’s interests or rights.
The EDPB (European Data Protection Board) was established by the GDPR as the successor to the Article 29 Working Party, which was created by the EU Data Protection Directive in 1996. Its purpose is to provide advice, opinions, and guidance about data protection. The EDPB is composed of a representative from each EU member state.
Below are some of the most important guidelines to be issued by the EDPB (European Data Protection Board) about the General Data Protection Regulation (GDPR).
The Article 29 Working Party was created by the EU Data Protection Directive in 1996. Its purpose is to provide advice, opinions, and guidance about data protection. The Article 29 Working Party is composed of a representative from each EU member state. The General Data Protection Regulation (GDPR) will replace the Working Party with the European Data Protection Board (EDPB).
Below are some of the most important guidelines to be issued by the Article 29 Working Party (WP29) about the General Data Protection Regulation (GDPR).
This cartoon depicts the challenges of complying with GDPR’s requirements for vendor management. Under the GDPR, there are serious responsibilities when using a vendor to process personal data. Broadly, there are three things that data controllers must do:
1. Data controllers must perform due diligence in selecting vendors that are compliant with GDPR.
2. Data controllers must have a contract with their vendors that includes certain provisions to ensure that GDPR is being followed.
3. Data controllers must monitor vendors for compliance.