What? General Data Protection Regulation (GDPR)
When? 25th May, 2018 (Adopted by European Parliament in April, 2016)
By? EU’s Article 29 Working Party (replaced under GDPR by the European Data Protection Board (EDPB))
Applies to whom? Controllers and processors of personal data collected within the EU (effectively the world)
Replaces what? Data Protection Directive (Directive 95/46/EC)
The General Data Protection Regulation (GDPR) aims to enable EU residents to control their personal data in response to new advances in technology and data capabilities, thereby protecting the individual’s fundamental right to privacy under the Code of EU Online Rights (Chapter 4) as well as the Lisbon Treaty. GDPR further looks to simplify regulatory proceedings for international businesses.
Considering that the full document is 204 pages, bobsguide has summarised the key points into a handy article. Here are 10 important considerations.
A move to harmonizing data protection regulation
Whilst GDPR is an EU-enforced regulation, it applies whenever an EU resident’s personal data is processed and/or whenever EU residents are profiled (their behaviour monitored). Effectively, this encompasses any and (most likely) all global companies with a share of EU markets. GDPR also covers any company processing EU resident data abroad.
Furthermore, for those reading in the UK, the government has confirmed that GDPR will still apply to the UK following Brexit.
Definition of personal data widened from DPA
GDPR extends the definition of personal data beyond that outlined in the DPA, largely to include new types of personal data. It categorises a range of identifiers as personal data, from online identifiers such as IP addresses to more “sensitive data” (genetic, mental, cultural and economic data) that may be attributed to an individual. GDPR further makes provision to treat pseudonyms as personal data, depending on how clear the route is to identifying a particular individual.
Data Protection Officer (DPO) and Data Protection Impact Assessments (DPIAs) mandatory
Under GDPR, a company that constantly monitors large-scale data must appoint a data protection officer. GDPR places the onus on data handling and thus cannot exclude small companies that may handle vast amounts of data. Having said that, a single DPO may act for a group of organisations.
Another aspect intended to improve accountability and monitoring is the enforcement of Data Protection Impact Assessments. GDPR requires that data controllers undertake a DPIA in areas where they run a higher risk of data breaches, and then coordinate contingency plans to minimise those potential breaches.
GDPR requires companies to prove the validity of affirmative consent to use personal data. In order to prove that validity, companies must be able to clearly outline how personal information will be used. Affirmative consent means that no consent is given until the customer has affirmed it.
Notification of breaches
GDPR requires that data processors report any data breaches to their data controllers who, in turn, must report them to the local data protection authority within 72 hours of discovery.
This presents a costly challenge, as many organisations will need to invest in newer, more sophisticated software.
Failure to notify can lead to an administrative fine of €10m or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.
Extended personal rights
GDPR develops a ‘right to be forgotten’ and a ‘right to erasure’. Customers can now request to have their personal data permanently deleted. This also limits how long a company can hold data and prevents it from changing the conditions of the data’s use without obtaining fresh consent. The ‘right to data portability’ refers to the customer’s right to copy, transfer and use their personal data with other services in a safe and reusable way.
Extends liability to processors
GDPR requires compliance not only from data controllers but also from data processors, or anyone who falls within the scope where personal data is processed.
Privacy by design
This means that companies will have to embed the privacy protection principles outlined by GDPR into any systems, processes or software. In effect, this legally ensures that companies have made the necessary improvements in technology in order to be GDPR compliant. The capacity to permanently delete data, and to notify within 72 hours following a breach, are examples of this.
This is GDPR’s get-tough stance on compliance. Corporations can no longer hide in countries with permissive data protection and remain immune from outside action. Where a business is established in more than one member state, it will be subject to a lead authority determined by its main establishment within the EU.