What you should know about GDPR, and why it matters to Lebanon?
3 December 2018, Bachir El Nakib (CAMS), Senior Consultant, Compliance Alert LLC (Qatar- Lebanon)
GDPR: Four letters that put fear into firms hearts in 2018. Data Protection has never had a higher profile. If dicionaries awarded an acronym of the year as well a word, we'd put our money on it being GDPR.
At the start pf 2018, these four letters generally only signaled you were about to get a very smelly sales pitch, an annoying email or a "computer sez no" style excuse. But as the year progressed, a data harvesting scandal brewed and breach after breach hit the headlines, the EU's General Data Protection Regulation came into its own.
May 25 2018 is when the European Union's new privacy law, dubbed GDPR, comes into effect. What does this law change for web site owners and what steps should you take? We have summarized what you need to know, and what we should work together on in the upcoming days.
What is the GDPR?
The General Data Protection Act (GDPR) is considered to be the most significant piece of European data protection legislation to be introduced in the European Union (EU) in 20 years and will replace the 1995 Data Protection Directive.
The GDPR regulates the processing of personal data about individuals in the European Union including its collection, storage, transfer or use. Importantly, under the GDPR, the concept of “personal data” is very broad and covers any information relating to an identified or identifiable individual (also called a “data subject”).
It gives data subjects more rights and control over their data by regulating how companies should handle and store the personal data they collect. The GDPR also raises the stakes for compliance by increasing enforcement and imposing greater fines should the provisions of the GDPR be breached.
The GDPR enhances EU individuals’ privacy rights and places significantly enhanced obligations on organizations handling data.
In summary, here are some of the key changes to come into effect with the upcoming GDPR:
- Expanded rights for individuals: The GDPR provides expanded rights for individuals in the European Union by granting them, among other things, the right to be forgotten and the right to request a copy of any personal data stored in their regard.
- Compliance obligations: The GDPR requires organizations to implement appropriate policies and security protocols, conduct privacy impact assessments, keep detailed records on data activities and enter into written agreements with vendors.
- Data breach notification and security: The GDPR requires organizations to report certain data breaches to data protection authorities, and under certain circumstances, to the affected data subjects. The GDPR also places additional security requirements on organizations.
- New requirements for profiling and monitoring: The GDPR places additional obligations on organizations engaged in profiling or monitoring behavior of EU individuals.
- Increased enforcement: Under the GDPR, authorities can fine organizations up to the greater of €20 million or 4% of a company’s annual global revenue, based on the seriousness of the breach and damages incurred. Also, the GDPR provides a central point of enforcement for organizations with operations in multiple EU member states by requiring companies to work with a lead supervisory authority for cross-border data protection issues.
USER CONSENT IS REQUIRED
Typically to see cookie popups on web site with an "OK" to simply dismiss the message. Cookies were being placed on users' browsers without asking them first. This is EU Cookie Law dating back to 1995. Today, this is no longer the case. Here's a quick list of key things to note regarding user consent:
1. Consent must now be clear, affirmative, and unambiguous.
2. Consent must be given separately. and not combined with terms of conditions.
3. Consent should not be a pre-condition to using a service (meaning you must continue to allow users to use your service without consenting).
4. You should not pre-tick approval boxes.
5. Granular controls must given to the user to choose if they allow different categories of cookies. For example, only allow analytics and block marketing.
USER'S PRIVACY RIGHTS HAVE EXPANDED
If you have collected personal information about a user, they have new rights under GDPR:
1. A user should be given the possibility to withdraw consent at any time.
2. A user may has the right to be forgotten, where we should delete their personal information or anonymize it.
3. A user should be able to request a copy of all their personal information stored in your system.
This law applies to all EU citizens and residents of the EEA (European Economic Area). Therefore, we are technically obliged to present consent forms to all users. If a user does not say that they are an EU citizen, we might violate GDPR without knowing.
WHAT SHOULD YOU DO?
Starting May 25, 2018, you are required to request such consent from users. Since most ad providers automatically track users, and have not yet implemented or announced their intentions to comply with GDPR, you should be presenting the consent form before allowing any advertisements to appear. This includes other third-party tracking and analytics tools too, such as Google Analytics, Effective Measure, and Chartbeat. For Google Analytics, compliance steps differ in case you have enabled marketing and advertising tracking in your Data Collection settings in Google Analytics. With the continuous digitization of human life and economy, questions around the ownership and privacy of our personal information need urgent attention. From June, it will be crucial for Lebanese companies to understand the implications of new European regulations on the ownership and limits to exploitation of personal information, which came into force at the end of May.
As of May 25, two years after the adoption of the General Data Protection Regulations (GDPR) by the European Union, organizations who are registered in the EU, or selling products and services to EU residents, have to apply GDPR. This can range from large international manufacturers and online retailers, to small enterprises and commercial bloggers. But many in Lebanon assume that this new regulation will not affect them.
This could be mistake, and a costly one, for companies that offer products or services online that are purchasable by EU residents. All local companies with a strong digital presence outside Lebanon should determine whether they need to initiate compliance with GDPR.
GDPR is a landmark European Union regulation that prescribes the rules and regulations for the collection, processing, use, storage, and destruction of the personal information of EU residents. The main aim of this piece of legislation is to protect consumers by giving them greater control over their personal data that is transmitted via the internet, and to compel businesses to be more accountable and transparent in their use of customers’ personal data.
As an EU regulation, GDPR is not a priori applicable outside of the bloc, however, one of the considerable changes introduced by GDPR is in its extraterritorial scope, which allows it to reach non-EU organizations performing transactions with EU residents. Under article 3 of the GDPR, a company may still have to abide by its rules even if it is incorporated outside of the EU and has no physical presence within the EU.
Compliance with GDPR is thus required of companies anywhere, as long as their activities entail the offering of goods or services to European residents, the processing of data from such persons, or the monitoring of users’ behavior that takes place in the EU. GDPR will likely apply to a Lebanese business even if it has no employees or offices within the EU, but is selling a product or service to EU residents, or even simply offering to sell, irrespective of whether a payment is made or not. Likewise, abiding by GDPR is a necessity for any Lebanese company that monitors the behavior of European residents, for example, if it processes information about consumers in an EU country to predict their behavior, or does surveys on the behavior of EU residents. In addition, GDPR is applicable to a Lebanese company if it has EU-based employees and is processing information related to these employees.
GDPR would not apply if the Lebanese company is undertaking regular marketing of goods and/or services. This means that if the company has a website offering goods and/or services but does not have a physical presence in the EU and shows no indication of targeting any EU residents, it is not required to comply with GDPR rules simply on the basis that an EU resident can somehow stumble upon its website—what this means in practice will emerge over time.
However, the GDPR likely will apply to a company, irrespective of its country of incorporation, if its website targets EU residents, if it accepts the currency of an EU country, has a domain suffix for an EU country, offers shipping services to an EU country, or provides information in a language that is predominantly spoken in an EU country such as Italian, French, and German.
Violating the GDPR and failing to report any infraction of personal data rights of EU residents can result in hefty fines; in serious cases, regulators can penalize businesses 20 million euros, or up to 4 percent of their previous year’s worldwide turnover, whichever is higher. For smaller infringements to the GDPR, regulators can impose fines amounting to 10 million euros, or up to 2 percent of the companies’ worldwide turnover, again, whichever is higher.
Lebanese companies, thus, would benefit from informing themselves about the provisions and requirements that are coming into force with the GDPR. If uncertain as to whether GDPR applies to a Lebanese business, it may be a good idea to contact an auditing or consulting firm with expertise in doing business in Europe, or approach a specialized adviser to make sure that its privacy initiatives are in order. This will not only avoid legal proceedings and painful fines, but also express a will to protect fundamental rights and freedoms of individuals, and in particular, the right of consumers to the protection of personal data.
Basically, the GDPR sets new rules for how companies collect, use, and store individuals’ data.
So if you’re getting those emails now, it’s because you’ve dealt with any of these companies or their subsidiaries before. You may not remember giving these companies access to your personal data; in fact that only proves why the GDPR is such good news.
Wait, so how is this good news?
The main aim of the GDPR is to guarantee the privacy and safety of your data, and hold companies accountable for how they collect, use, save, retain and destroy your data. Under the GDPR you are now guaranteed these rights:
-Right to Access means companies are bound to improve transparency and should inform you about the collection and use of your personal data.
Remember those emails you’ve been getting? A large part of them is related to this right (basically, companies are telling you they have your data).
-Data Portability allows you to instruct a company that holds your data to send it elsewhere based on your requirements. For example, if you switch phone networks, you can have your previous provider switch all your data to your new provider, so you no longer have to change your number.
-Data Erasure, also known as the “right to be forgotten,” allows you to request company to erase your personal data completely (except in certain circumstances related to public interest, for example national health statistics).
-Breach Notification is now an obligation, meaning companies should report about potentially harmful data breaches within a maximum of 72 hours.
Companies are now only allowed to obtain “sensitive personal data” with the clear and explicit consent of their customers. They are required to hold this data separately, anonymously, and extra securely. Personal data in general refers to your name, address, phone number, email address, IP address, or even your location. “Sensitive personal data” includes things like your religious beliefs, political views, health data, sexual orientation, criminal convictions, biometric data; etc.
In short, companies are now held to higher standards of individual data privacy and protection. Any serious breach of these regulations can result in fines of up to €20 million or 4% percent of a company’s global turnover, whichever is higher.
For more details about the GDPR, visit the EU Commission’s official site: 2018 reform of EU data protection rules
Here’s a high-level overview of our GDPR Compliance Roadmap:
• Appoint a Data Protection Officer – COMPLETED
• Thoroughly research the areas of our product and business impacted by GDPR – COMPLETED
• Rewrite our Data Protection Agreement – COMPLETED
• Develop a strategy and guidelines for how to address the areas of our product impacted by GDPR – COMPLETED
• Perform the necessary changes/improvements to our product based on the requirements – COMPLETED
• Implement the required changes to our internal processes and procedures required to achieve and maintain compliance with GDPR – COMPLETED
• Thoroughly test all of changes to verify & validate compliance with GDPR – COMPLETED
• Communicate our compliance – COMPLETED
Lebanon Central Bank Governor Instructions addressed to Banks and Financial Institutions Number 146 (13/09/2018) stated:
Article 1: Without prejudice to the mandatory laws and regulations applicable in Lebanon, banks and financial institutions operating in Lebanon and all other institutions regulated by Banque du Liban are, as far as each is concerned, required to:
1- Take the appropriate measures in line with the provisions of the General Data Protection Regulation (GDPR) promulgated by the European Parliament and the Council of the European Union on 27 April 2016.
2- Notify the Compliance Unit at Banque du Liban and the Banking Control Commission, by 31 December 2018, of the procedures and measures, where applicable, they take in line with the GDPR, specifically with regards to:
- The appointment of a Data Protection Officer from within the Compliance Unit, and of a Representative to the European Union.
- The amendment of the Compliance Program provided for in Article 10, Paragraph (d5) of Basic Decision No 11323 of 12 January 2013 relating to the Establishment of a Compliance Department, in line with the relevant procedures taken in this regard.
Article 2: External auditors shall verify the compliance of banks, financial institutions and all other abovementioned institutions with the provisions of this Decision. They shall insert in their annual reports information detailing the verification process of the measures adopted, along with their audit results and relevant observations.
Article 3: This Decision shall come into force upon its issuance.
Article 4: This Decision shall be published in the Official Gazette.