The EU General Data Protection Regulation (EU) 2016/679, or GDPR, comes into effect on the 25th of May 2018. This legislation, running to more than 88 pages, goes well beyond the existing data protection regime in terms of its scope, standards and sanctions, and, as the manager of a business, it requires your immediate attention.
Does GDPR apply to my business?
GDPR applies to you if you are engaged in the electronic or automatic processing of personal data, or in the manual paper-based processing of personal data that is part of (or is intended to be part of) a filing system (in other words, online AND offline processing are covered), and either:
- Your organisation is established in the EU (irrespective of where in the world the processing of personal data takes place), OR
- Your organisation is not established in the EU but processes data relating to EU residents, and the data relates to goods or services offered in the EU (whether or not those goods or services are free of charge) OR is related to the monitoring of behaviour in the EU.
In other words: if you target or monitor EU residents then GDPR almost certainly applies to your business.
So what’s the urgency?
New regulations relating to accountability, breach notification, consent, data protection officers & transparency are included in this regulation and place an enhanced compliance burden on organisations like yours. Getting your organisation ready to execute this new compliance framework while minimising the impact on day-to-day operations will take time and energy.
The penalties for non-compliance are hefty: up to 4% of annual revenue or €20 million (whichever is greater), and considerations of infringement extend to both material and non-material damage. Complaints will typically be handled by your “local” supervisory authority in the EU member state where you are established, but you could face investigations carried out by any other supervisory authority in the EU.
What’s new in GDPR?
The legislation refines or introduces a broad range of items such as:
Personal data is defined as any information relating to an identified or identifiable person. GDPR explicitly extends the definition to include online identifiers like IP addresses and cookies.
Special categories of personal data (sensitive data) are defined as data revealing race or ethnicity, political opinions, religious beliefs, trade union membership, health, sex life or sexual orientation. GDPR extends that definition to include genetic & biometric data processed for the purpose of uniquely identifying a person.
The burden of proof shifts to the data controller AND the data processor in the event of a compliance investigation by a data protection authority. Organisations must be able to prove that consent is obtained to store / process data and that the concepts of privacy by design and privacy by default have been addressed.
You are now required to ensure that personal data is “limited to what is necessary”.
GDPR stipulates that consent must be freely given, specific, informed and provided via an unambiguous indication of the subject's wishes. Because of the Accountability Principle above, this implies a significant change in how organisations record that explicit consent.
New rules have been proposed here covering online consent, privacy notices and the justification of processing by reference to the legitimate interests of the organisation.
Rights for data subjects
Rights of rectification (the entitlement to have inaccurate personal data rectified without delay) and erasure (the entitlement to have personal data erased in specified circumstances) are strengthened. GDPR has also added a right to restriction of processing (as an alternative to erasure). Organisations have new obligations to pass on requests for rectification, erasure and restriction to third-party recipients of the information.
A right of data portability gives data subjects the right to take personal data (that they have supplied to your organisation) from you in a commonly used, machine-readable format and supply it to a third party.
Current legislation requires that a data controller take appropriate measures to provide a range of information to a data subject in a transparent & accessible manner. This information includes things like the contact details of the data controller, the purposes of the data processing, the categories of recipients of the personal data, the data retention period and so on. This is often communicated in a Privacy Statement.
GDPR adds the requirement to communicate the contact details of the data protection officer, the legal basis for the processing, any intention to transfer data outside the EU, the right to complain to the supervisory authority, the right to withdraw consent where it has been given, whether the requirement to provide personal data is statutory or contractual, the consequences of failing to comply, and rights regarding data portability, objection to processing & restriction of processing.
To meet the new requirements here, organisations will need to update their existing Privacy Notices.
Privacy by Design
GDPR requires organisations to consider privacy measures during product design processes, implementing appropriate technical and organisational measures to effectively apply the data protection principles.
Privacy by Default
GDPR requires affected organisations to ensure that only necessary data is processed. This is to be achieved by implementing appropriate technical and operational measures. This obligation applies to the amount of personal data collected, the extent of the processing, the period of data storage, and the accessibility of that data. Compliance here may be demonstrated by an approved certification mechanism.
Data Protection Officer
A Data Protection Officer will now have to be appointed where: the processing is carried out by a public authority (except for courts acting in their judicial capacity), the core activities of the data controller or processor consist of regular & systematic monitoring of data subjects on a large scale, OR the core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions.
Given the Principle of Accountability, it may be advisable for many organisations that fall outside the three cases above to appoint a Data Protection Officer in order to centralise their compliance obligations.