What is the GDPR?
The EU General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/EC and has been developed to harmonize data privacy laws across Europe. The last directive was established in 1995. This change will enter into force on May 24, 2018.
The biggest change being made is the increase in territorial scope. This regulation will apply to all companies processing the personal data of subjects residing in the Union, regardless of the company’s location. This will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (regardless of whether payment is required) and the monitoring of behavior that takes place within the EU. Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.
The conditions for consent have been strengthened, and companies will no longer be able to use long terms and conditions full of legalese: the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent.
Among the changes, there are also updated data subject rights. Breach notification will become mandatory within 72 hours of first having become aware of a data breach. Data subjects will have the right to obtain confirmation as to whether or not personal data concerning them is being processed, where it is being processed, and for what purpose. Data erasure also moves to the forefront of the regulation. This entitles subjects to have the data controller erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
Systems storing this data are now legally required to be private by design, meaning data protection must be built in from the onset of system design and not bolted on as an annex or addition. Data minimization and limited access are also addressed here.
When does the GDPR go into effect?
The regulation was approved in April 2016. There is a 2-year transition period, and it will be in force in May 2018.
Do I have to abide by the GDPR?
If you process any data about individuals in the context of selling goods or services to citizens in EU countries, then you will need to comply with the GDPR. This applies to organizations located outside of the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the EU, regardless of the company’s location.
What is personal data?
Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify a person. This can be anything from a name, photo, email address, bank details, posts on social networking sites, medical information, IP addresses, etc.
What sort of consent is required for data processing?
The request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent, meaning it must be unambiguous. Consent must be clear and distinguishable from other matters and provided using clear and plain language. It should be as easy to withdraw consent as it is to give it. Explicit consent is required only for processing sensitive personal data; in this context, nothing short of “opt in” will suffice. For non-sensitive data, “unambiguous” consent will suffice.
Does my company need a Data Protection Officer (DPO)?
DPOs must be appointed in the case of (a) public authorities, (b) organizations that engage in large-scale systematic monitoring, or (c) organizations that engage in large-scale processing of sensitive personal data.
What are the penalties for noncompliance?
Organizations can be fined up to 4% of annual global turnover for breaching GDPR. This is the maximum fine that can be imposed for the most serious infringements. There is a tiered approach to fines.