What Is the GDPR?
In April 2016, following more than four years of discussion, the European Parliament, the Council of the European Union, and the European Commission of the European Union adopted new provisions for data protection called the General Data Protection Regulation (GDPR).
The intention behind the law is to strengthen data protection for all individuals within the European Union (EU). The underlying goal of the GDPR is to enable EU residents to control access to and use of their personal data. The GDPR also aims to unify the regulation of personal consumer and other data within the EU, and to simplify the overall regulatory environment regarding data protection for international business.
Under the GDPR, companies are encouraged to return control of personal data to individual EU residents. The idea is to make it easier for individuals to become aware of what organisations know about them, and to enable individuals to change easily the permissions they have granted for the use or sharing of their personal information.
The goals of the GDPR are based in part on the many recent data breaches and data hacking incidents worldwide that compromised individuals’ personal data. In addition, as the value of personal data increases in our growing digital economy, the GDPR seeks to grant to EU residents a new set of “digital rights.”
How Does It Affect My Business?
The new GDPR applies in all EU member states without the need for them to enact their own nation-specific legislation. This means the GDPR is directly binding in all European Union nations, including the UK.
The GDPR can affect any EU business of any size in any sector. If a company maintains data about customers or other residents of the EU, it is expected to comply with the new provisions. The GDPR also affects EU companies that export personal data outside the EU in any way for any reason.
The new law will be implemented on 25 May 2018. Until then, there is a transitional period.
During this period—a limited, two-year window—EU member states are required to enact laws, regulations, and administrative provisions required for full observance of the new regulation.
In addition, during the transitional period all EU organisations are expected to become fully familiar with the GDPR and to bring all data-processing practices into compliance before the May 2018 deadline.
Note that the GDPR includes substantial fines and sanctions for noncompliance.
What Does the GDPR Require?
The following are some of the main requirements of the General Data Protection Regulation:
- The regulation applies to all companies that collect data from EU residents—regardless of where the company is based—as well as to all organisations that process data from EU residents on behalf of other companies (for example, data-cloud-service providers).
- According to the European Commission, “Personal data is any information relating to an individual, whether it relates to his or her private, professional, or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”
- The regulation does not apply to personal data collected and/or processed for national security or law enforcement within the European Union.
- All EU member states will be subject to a single set of rules. However, each state is required to establish its own supervisory authority to hear grievances, investigate complaints, sanction offences, etc.
- To demonstrate GDPR compliance, a company’s data controller should have effective default measures in place that conform to GDPR data-protection requirements.
- In the event of specific risks, data protection impact assessments must be conducted. The assessment and mitigation of risks are required in each such event, and for high risks, prior approval of all measures by GDPR data-protection authorities is mandatory.
- Each organisation is expected to have its own designated data protection officer (DPO) to ensure compliance.
- Data can be processed only if there is a lawful basis for doing so. These lawful bases include situations where: the subject has consented to the processing of personal data for a specific purpose; processing is needed to comply with a legal obligation; processing is needed to protect someone’s interests; processing is necessary to carry out a task in the public interest, etc.
- Consent must be explicit for data collected and for all uses of the data.
- Consent for children must be given by each child’s parent or custodian.
- Data subjects (those individuals whose data is being or has been collected) must have a clear and easy-to-use option to withdraw consent.
- Data processing records must be maintained, in case of GDPR audits.
- Data controllers must be able to prove the existence of consent.
In the event of noncompliance with any of the GDPR provisions, sanctions may include:
- A written warning (for first-time and clearly non-intentional violations)
- Required periodic data-protection audits
- Fines up to 20 million euros or up to 4 percent of the organisation’s annual worldwide turnover of the preceding financial year, whichever is greater.
What Should My Organisation Do to Prepare for the GDPR?
Organisations throughout the EU—including in Britain—are advised to take advantage of the GDPR transitional period and to use it effectively.
You should begin preparation immediately, if you haven’t already, so that you are able to allocate sufficient time and other resources to make all required changes and achieve compliance in time for the 25 May 2018 GDPR deadline.
Companies ideally will:
- Make sure all affected personnel and decision makers understand GDPR requirements.
- Evaluate all relevant data-processing procedures.
- Identify existing compliance mechanisms, such as opt-in/opt-out methods and stated privacy policies.
- Make decisions about whether changes or improvements are required for existing procedures, options, policies, etc.
- Ascertain exactly what changes or improvements are needed for GDPR compliance.
- Begin the process of making the required changes or improvements as soon as possible.
- Be fully GDPR-compliant by 25 May 2018.
Note that planned projects that have not yet begun should also be carefully reviewed and designed or redesigned to ensure conformity with the GDPR.
Finally, you should keep in mind that, although GDPR enforcement does not begin until May 2018, in the UK many of those interpreting deferred prosecution agreements will be increasingly likely to construe and apply the existing EU data-protection laws in accordance with the provisions of the coming GDPR.