00:00
Adam Stofsky
Hey Shannon, how are you today? Good.
00:12
Shannon Yavorsky
Adam, how's it going?
00:14
Adam Stofsky
Good. Today we're going to talk about the GDPR. This feels like a big, a pretty big topic. So can you just start off by telling us what is the GDPR and why is it considered such an important privacy law?
00:28
Shannon Yavorsky
Yeah. Great. The GDPR is one of my favorite topics. It's the General Data Protection Regulation, and it's the European Union's comprehensive data protection law that took effect in 2018. And it really sets out rules for how organizations collect, use, store and share personal data. And importantly, it applies not just to companies in the EU, but to organizations that process personal data of people based in the EU. And one of the reasons it's so important, beyond the fact that the stakes are really high, because the fines are really high under the GDPR, is it gives individuals more control over personal data and holds organizations accountable in a way that wasn't the case before the GDPR. So it really set a new global benchmark for privacy law. It influenced privacy legislation across the U.S., in California, for example, Brazil and many other places.
01:38
Shannon Yavorsky
And like I said, the stakes are really high. Non-compliance can lead to fines up to 4% of annual worldwide turnover or 20 million euros, whichever is higher.
01:51
Adam Stofsky
Wow. So you really do want to comply with the GDPR. What does the law actually require? What does it actually require companies to do or not to do? In broad strokes?
02:04
Shannon Yavorsky
In broad strokes, there's a lot of different nuanced compliance obligations. But the first point is that companies have to process data lawfully, fairly and transparently. They have to minimize the data that they collect. They have to keep it accurate, secure it properly, and not hold it for longer than is necessary. Beyond that, some organizations might have an obligation to appoint a data protection officer, conduct data protection impact assessments for high-risk processing, and have certain safeguards in place for transferring data outside of Europe. And critically, and I think we're going to talk about this a little bit more, they have to be ready to respond to individuals who exercise this kind of new set of rights provided to individuals under the GDPR.
03:03
Adam Stofsky
Okay, so we'll get to individual rights in a minute. But first, can you talk about a more fundamental question of when companies are allowed to collect data at all? Can you kind of collect data for any reason under the GDPR? Are there limits? How does the law think about that?
03:20
Shannon Yavorsky
Yeah, I love this question because it's a real term of art. Under the GDPR, you have to establish what's called a lawful basis of processing. So the GDPR says you can't process personal data unless you have a lawful basis. There are six different options that you can pick: consent, contractual necessity, compliance with a legal obligation, protection of vital interests (that doesn't come up very often), public interest, or legitimate interest. So any data processing activity has to map back to one of those six lawful bases. For example, using customer data to fulfill an online purchase is a contractual necessity. Sending marketing emails might require consent, depending on the country. So that's sort of a high-level overview of the six reasons you're allowed to process data.
04:18
Adam Stofsky
I find that interesting because it didn't need to be that way. Right. I know that some laws rely entirely on consent. Right. A company can't collect data unless the subject of the data agrees to it. But the GDPR has this pretty big list actually of lawful bases. I think that's interesting.
04:40
Shannon Yavorsky
Yeah, and different from other countries, you know, the US before. I mean, now there's a sort of consent regime for different reasons. But a lot of it was really just transparency: as long as you're telling people in a notice what you're going to do, you didn't have to establish a kind of lawful basis of processing. So it's kind of a new formulation.
05:05
Adam Stofsky
Okay, well that's a good segue into transparency and privacy notices. So how does the GDPR treat this idea of transparency?
05:15
Shannon Yavorsky
You know, that's another term, that's a real term of art in privacy. And I forget that people aren't aware that transparency is this concept. It's a therapist principle that people should always understand what's happening to their data. And it means that companies have to give clear, accessible information, typically through privacy notices, about why they collect data, how they use it, who they share it with and how long they keep it. The idea is that individuals should never feel in the dark about how data is being handled by a company. That's the transparency principle.
05:55
Adam Stofsky
So that relates directly to this idea of individual rights. So what rights does the GDPR grant to individuals? Rights with respect to their own data?
06:07
Shannon Yavorsky
Yeah, it's a great question. Individuals have a new kind of suite of rights under the GDPR, which include the right to access data. So you get to, you know, have access to the data that an organization holds about you. The right to correct data if it's inaccurate, so if somebody has your wrong address, phone number, birth date. The right to be forgotten, so the right to have a company delete your data. The right to restrict or object to processing. The right to data portability, which allows people notionally to move data between different providers. And then there are rights around automated decision making, which sort of weighs in on AI, including profiling. So you have to be told and in some circumstances be given the opportunity to opt out of automated decision making.
07:03
Shannon Yavorsky
And organizations, you know, have to provide notice to people about the fact that these rights are available, and then they have to be able to respond to these requests within, you know, depending, a pretty short period of time. So give people access to data, correct their data, etc.
07:23
Adam Stofsky
How do the GDPR regulators... Well, let me start with a threshold question. Who are the regulators? Who enforces all of this?
07:34
Shannon Yavorsky
Great question. So in Europe, in each member state there is a supervisory authority that is primarily charged with regulating data protection legislation in that country. As an example, in France it's called the CNIL. In Ireland it's the Irish DPC, the Data Protection Commissioner. In the UK, which is no longer part of the EU but has its own special UK GDPR, it's called the ICO, the Information Commissioner's Office. So effectively one regulator per member state.
08:11
Adam Stofsky
Okay, so final big question here. Tell us about accountability. How do these regulators ensure that companies are actually following this? How do they know?
08:22
Shannon Yavorsky
Really good question. So sometimes it's individual complaints; sometimes the regulators signal that they have a specific enforcement focus for a particular year. They might be interested in seeing how companies are complying with children's data, for example. And then separately there are these privacy activist organizations like noyb, run by Max Schrems, that initiate sort of actions that develop into investigations by different regulators.
08:59
Adam Stofsky
Great, interesting. Okay, then my last question for now, for this quick overview, is: I run a US-based company. Why is everyone talking about this European law? Like, why do I have to worry about this?
09:13
Shannon Yavorsky
Also a great question, because a lot of companies don't realize they are subject to the GDPR. Or alternatively, we have clients who are not subject to the GDPR. The GDPR applies, and this is really important, in three scenarios. Number one, you have boots on the ground in Europe, meaning you have an office, agency, branch or what's called another stable arrangement that triggers the application of the GDPR. The GDPR applies to you if you're in Europe. Number two, you don't have boots on the ground in Europe, but you're monitoring the behavior of individuals in the EU. So think about profiling. This often comes up in the context of ad tech, or it comes up a lot in clinical trial data. And then the third limb of the GDPR: no boots on the ground in Europe, but you're offering goods or services to individuals in Europe.
10:12
Shannon Yavorsky
And so the way in which you assess whether you're offering goods or services to individuals in Europe, the regulator will look at a number of different features. Do you have a country-code top-level domain for Europe, so a .ie or .fr domain name, which would sort of show that you're intending to reach out to people in Europe? Is your website in a European language? Do you offer a European phone number or contact details, as another example? So they'll look at the totality of circumstances to see if there's an intention for you to target people within Europe, and that's the sort of third limb of GDPR applicability.
10:57
Adam Stofsky
Great. Well, Shannon, thank you so much for that overview of the GDPR in just about 10 minutes. We really appreciate it.
11:05
Shannon Yavorsky
Thanks, Adam.