General Data Protection Regulation (GDPR) is coming
May 5, 2018 — in Articles
When is GDPR coming into effect?
On 14 April 2016 the EU Parliament approved the General Data Protection Regulation (GDPR). The regulation takes effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by government, meaning it will be in force on 25 May 2018. This new regulation is the biggest change in data protection law for 20 years, but what does it all mean?
Who does GDPR affect?
The GDPR will apply to the processing of personal data by controllers and processors in the EU irrespective of whether the processing takes place in the EU or not and irrespective of whether the processor or controller is established in the EU, where the activities relate to:
- offering of goods or services to EU citizens, irrespective of whether a payment from data subjects is required
- monitoring of behavior that takes place within the EU.
What are the penalties for non-compliance?
Organizations can be fined up to €20 million or 4% of annual global turnover for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. There is a tiered approach to fines: for example, a company can be fined 2% for not having its records in order (article 28), for not notifying the supervising authority and data subject about a breach, or for not conducting an impact assessment. It is important to note that these rules apply to both controllers and processors, meaning ‘clouds’ will not be exempt from GDPR enforcement.
What constitutes personal data?
Personal data is any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify that person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to a computer IP address.
What control do Data Subjects have?
The GDPR seeks to give ‘Data Subjects’ an increased level of control over their information. It also aims to ensure that data controllers and processors are safe custodians of data through promoting behavior change. The GDPR provides enhanced supervision by increasing the powers of the regulator.
What is the difference between a data processor and a data controller?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data, while the processor is an entity which processes personal data on behalf of the controller.
Do data processors need ‘explicit’ or ‘unambiguous’ data subject consent – and what is the difference?
The conditions for consent have been strengthened. Companies will no longer be able to rely on long, illegible terms and conditions full of legal terminology: the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent, meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data; in this context, nothing short of “opt in” will suffice. For non-sensitive data, “unambiguous” consent will suffice.
What about data transfer mechanisms?
The GDPR provides data transfer safeguards accepted in all Member States via:
- Approved codes of conduct and certifications
- Simplified procedures for binding corporate rules
What about Data Subjects under the age of 16?
Parental consent will be required to process the personal data of children under the age of 16 for online services; member states may legislate for a lower age of consent but this will not be below the age of 13.
What is the difference between a regulation and a directive?
A Regulation is a binding legislative act. It must be applied in its entirety across the EU, while a Directive is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to decide how. It is important to note that the GDPR is a regulation, in contrast to the previous legislation, which is a directive.
Does my business need to appoint a Data Protection Officer (DPO)?
Appointment of a Data Protection Officer (DPO) with specific skills, who reports directly to the highest level of management, will be mandatory for those controllers and processors whose core activities consist of operations requiring regular and systematic monitoring of data subjects on a large scale, or of data subjects belonging to special categories (inter alia criminal convictions and offences), namely in the case of:
- public authorities
- organizations that engage in large scale systematic monitoring
- organizations that engage in large scale processing of sensitive personal data (Art. 37).
If your organization doesn’t fall into one of these categories, then you do not need to appoint a DPO.
What are the responsibilities of a DPO?
The GDPR (Art. 39) outlines the five minimum tasks that the DPO must perform, namely:
- inform and advise the organization and the employees who carry out data processing about applicable data protection provisions
- monitor compliance with the GDPR, other data protection provisions, and additional internal data protection policies; this includes training and auditing
- advise on data protection impact assessment (DPIA)
- cooperate with the supervisory authority
- be the main contact for the supervisory authority.
How does the GDPR affect policy surrounding data breaches?
Proposed regulations surrounding data breaches primarily relate to the notification policies of companies that have been breached. Data breaches which may pose a risk to individuals must be notified to the Data Processing Authority (DPA) within 72 hours and to affected individuals without undue delay.
One stop shop
The supervision of data processing will fall under only one DPA instead of the current practice which requires supervision by the DPA of each Member State the data is processed in.
What should an organization do next?
All organizations need to take an in-depth look at where they currently stand on compliance with the requirements of GDPR and get to grips with what they need to focus on, and where, in the coming months (by 25 May 2018).
What type of employees can undertake this work?
Getting ready for the GDPR requires a multi-disciplinary skill set. An organization must appoint a DPO (if obligatory) or an external consultant, who will lead an in-house team of employees working together to develop effective roadmaps to achieve operational adequacy.