A Privacy Regulation Applying in the USA and Canada (and Everywhere)

Although the General Data Protection Regulation (GDPR)* was passed more than three years ago and entered force more than one year ago, there is still confusion and misconception about the regulation’s sphere of impact.

In a new series of posts, I will share some advice** drawn from experience in projects that I have conducted since the inception of the regulation, but also include updated guidelines that the European Data Protection Board (EDPB) recently published*** regarding the regulation’s territorial scope (Art.3 GDPR). To avoid amendments and editorial notes to my original post under this subject, I offer below a complete rewrite.

Although I encourage everyone to read the provisions of the GDPR as well as the above mentioned EDPB guidelines (which illustrate typical cases by example), here are the major takeaways regarding the GDPR's territorial scope:

• GDPR is a regulation to protect personal data of individuals ("data subjects") who are physically present – and may it only be temporarily - in the EEA (European Economic Area – which includes all EU member states plus Iceland, Liechtenstein and Norway). Data subjects’ protection rights are not dependent on their citizenship or residency.
• All organizations worldwide whose activities "intentionally, rather than inadvertently or incidentally, target" individuals being in the EEA are obligated to comply with the GDPR.
• Organizations established in the EEA have additional obligations: They must comply with GDPR regardless of where in the world data subjects are located.

The following matrix shows under which conditions GDPR applies:

However, in a world of international trade and high mobility of individuals, organizations can obviously not control the data subjects’ whereabouts while a business transaction takes place or thereafter. (Even data subjects’ IP addresses captured during electronic communications do not prove presence in or absence from a certain territory since individuals can legitimately – and will increasingly – hide their real geographical location by employing Virtual Private Networks.) Therefore, I recommend that organizations as of row B conduct all their activities related to processing personal data in a GDPR-compliant manner.

From a practical perspective, the above matrix can then be simplified as follows:

In conclusion, any organization offering products or services worldwide must presume, by default, that GDPR applies to them. On the complementary, non-EEA businesses whose commercial target area is outside of the EEA will be exempt from GDPR compliance.

 

* Published at https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1528874672298&uri=CELEX%3A32016R0679
** Legal disclaimer: This blog post is not intended to be legal advice, but to raise awareness that it is recommended to consult a lawyer.
*** Published at https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_after_public_consultation_en.pdf

How The GDPR Can Propel An Organization's Informational Infrastructure

I concluded a previous post "GDPR - More Than Just Another Regulation" stating that the GDPR (General Data Protection Regulation) forces organizations to prioritize a long-due overhaul of their informational infrastructure. 

In my understanding, a contemporary informational infrastructure is a system of people, processes and tools (software, hardware) that covers the five business disciplines represented in the image below whereas each level builds on the lower one(s).

Due to my observations, a vast number of organizations find themselves in the status where upper management hopes to advance level 4 and 5 to get the edge over the competition while business departments still struggle with the quality of level 3 due to a lack of foundation in level 1 and 2.

How does that relate to an organization's capability to comply with the GDPR? 

The sole purpose of the GDPR is the protection of an individual's rights as the owner of their personal data. However, since personal data are at the core of almost any business and even any business transaction, the GDPR's provisions imply a certain informational infrastructure. 

For example, GDPR grants any individual being in the EU ("data subject") a far-reaching control over their personal data records throughout the complete data life cycle with an organization, i.e. control over Create, Read, Update and Delete of their personal data (as long as it does not restrict the legitimate rights, liberties or legal obligations of other parties). 

• Create: The creation of records requires the data subject's explicit consent or is necessary to perform a contract with the data subject [Art. 6 et al.]. 
• Read: The data subject has the right at any time to know the total scope of captured and stored metadata and values related to their personal data [Art. 15 et al.] and to exclude usage of their data from certain purposes [Art. 21 et al.]. On the complementary, the organization has the obligation to restrict the access to personal data on a need-to-know basis.
• Update: The data subject has the right to rectify [Art. 16] and/or to restrict processing of their personal data [Art. 18].
• Delete: The data subject has the right "to be forgotten", i.e. their personal data to be deleted upon demand [Art. 17].

Although the provisions of the GDPR do not explicitly mention any infrastructural measures as of level 1 and 2, it is obvious that the organization can only comply with the rights of the data subject (and fulfill its own respective obligations), if the whereabouts of the data subject's personal data are completely transparent at any time, i.e. if the organization employs

• a data model of the personal data (that shows all the references and physical storages of personal data throughout the organization) [prerequisite for rectification and deletion] 
• a map that shows all the information flows of personal data (data flow diagram, process model) through the organization [prerequisite for information about the usage purposes and potential objection] 
• a functioning Master Data Management system that maintains "golden" records of personal data (or at least keeps possibly multiple records in sync) [prerequisite for rectification and deletion] 
• a functioning Data Governance system [prerequisite to comply with the GDPR in general] 

Organizations should welcome the GDPR as they will profit from these measures far beyond the purpose of complying with this regulation...

Note: This post has been updated from an earlier version written before the GDPR entered force.  

Personal Data - a Universal Definition Applying in the USA and Canada (and Everywhere)

In my previous post A Privacy Regulation Applying in the USA and Canada (and Elsewhere), I alluded to the worldwide impact of the General Data Protection Regulation (GDPR)*. In this post, I like to clarify** the GDPR’s definitional scope of personal data.

The GDPR considers data to be personal if they relate to an identified or identifiable natural person (“data subject”). Although the term “identifiable” tends to consume all the attention here, actually the term “relate” carries more weight as it widens the definition in a way that it resonates with common sense.

So while e.g. a Social Security Number, International Bank Account Number (IBAN) or passport number uniquely identify an individual and are therefore unquestionably personal data, the GDPR includes as well non-identifying attributes such as weight (at a given point in time), height or eye color to be personal data if they can be assigned to an identifiable individual.

But the term “relate” even pertains to more than a natural person’s attributes. A prominent example is a civic address register which certainly is public and does in no way constitute personal data in and by itself. However, if a register entry, e.g. “123 Main Street, Newcastle, Fantasyland”, relates to an individual “Jane Doe” whereas the relationship is “is residential address of”, that entry, by common sense and GDPR, becomes part of Jane Doe’s personal data.

You will find a more complete approach in my post GDPR & Personal Data - Context is Key and (Foreign) Key is Context underscoring that data modeling is a mandatory discipline in any medium or large organization being in need to get their head around personal data.

* Official publication of GDPR at https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1528874672298&uri=CELEX%3A32016R0679

** Legal disclaimer: This blog post is not intended to be legal advice, but to raise awareness that it is recommended to consult a lawyer.