WHAT IS GDPR AND WHAT DOES IT STAND FOR?
GDPR stands for General Data Protection Regulation, also referred to as Regulation (EU) 2016/679. GDPR replaces the existing data protection directive that was introduced in 1995 and has been created by the European Parliament, the Council of the European Union and the European Commission to strengthen and unify data protection for all residents of the European Union.
GDPR addresses data protection rules for personal data export outside of the European Union. It also enforces EU data protection laws to guide foreign organisations that process personal data pertaining to residents of the European Union.
WHEN DOES GDPR COME INTO EFFECT?
GDPR was approved by the European Parliament in April 2016. After a two-year transition period, GDPR will be in force for all organisations that handle the data of EU residents from the 25th of May 2018.
WHAT IS THE PURPOSE OF GDPR?
The primary purpose of GDPR is to define standardised data protection laws for all member countries across the European Union. Its aims are to:
- Increase privacy and extend data rights for EU residents.
- Help EU residents understand personal data use.
- Address the export of personal data outside of the EU.
- Give regulatory authorities greater powers to take action against organisations that breach the new data protection regulations.
- Simplify the regulatory environment for international business by unifying data protection regulations within the European Union.
- Require every new business process that uses personal data to abide by the GDPR data protection regulations and Privacy by Design rule.
WHO DOES THE GDPR APPLY TO?
Similar to the Data Protection Act, GDPR applies to company data controllers and data processors (the definition of these roles can be found further into this document). If you are the controller, the GDPR places additional emphasis on meeting contractual obligations with the processor to ensure they comply with GDPR. As a processor, the GDPR requires you to maintain records of all processing activities and personal data use. This increases the legal liability for processors in the event of a breach.
GDPR does NOT apply to specific activities such as processing under the Law Enforcement Directive, processing done by individuals for personal or household matters, and processing carried out for the purpose of national security.
WHAT TYPE OF INFORMATION APPLIES TO GDPR?
Like the Data Protection Act, the GDPR rules apply to personal data. However, the GDPR extends the scope of what is considered personal data to include, for example, an IP address that acts as an online identifier.
The GDPR rules also apply to sensitive data which uniquely identifies a specific individual. This includes categories such as genetic or biometric data.
ACCORDING TO THE EU, WHAT CONSTITUTES PERSONAL DATA?
Under GDPR, the definition of personal data has been much simplified to ‘any information relating to an identified or identifiable person.’
According to the European Commission, personal data constitutes “Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
WHAT ABOUT BREXIT? WILL UK BUSINESSES STILL NEED TO COMPLY WITH GDPR?
GDPR will come into force before the UK leaves the European Union. Both the Information Commissioner and the UK government have confirmed that GDPR will still apply to organisations in the United Kingdom that handle the personal data of EU residents.
A primary reason why the UK is obligated to comply with the GDPR is the overlap between the enforcement date of the GDPR and the exit of the UK from the European Union. Additionally, the GDPR rules reach outside the EU, which means UK companies doing business with the EU post-Brexit must comply with the GDPR to avoid infringing the rules.
DOES GDPR APPLY TO COMPANIES OUTSIDE OF THE EU?
Yes. As with UK compliance post-Brexit, GDPR regulations apply to foreign companies outside of the EU that collect, process and hold the personal data of EU residents, regardless of where the company is located.
OUR ORGANISATION DOES NOT CHARGE FOR SERVICES WE OFFER. ARE WE STILL REQUIRED TO COMPLY WITH THE GDPR?
Yes. The GDPR applies to businesses and organisations that offer goods or services to EU residents, irrespective of whether payment is exchanged.
ARE WE REQUIRED TO COMPLY WITH GDPR IF OUR BUSINESS PROCESSES DATA MANUALLY?
This depends on the type of output used for manual data processing. According to Article 4(6), “Any structured set of personal data which is accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional or geographical basis and contributes toward a database, then compliance is required. If said processing is one-off and does not enter a structured and accessible database, then the GDPR may not apply.”
HOW MUCH WILL I BE FINED IF MY BUSINESS BREACHES THE NEW GDPR LAW?
The financial penalties for non-compliance will be tough. Businesses can expect to be fined up to 4% of their global revenue or up to 20 million euros for non-compliance, whichever is greater. There will be a tiered approach to fines. For example:
- A company can be fined up to 10,000,000 or 2% of its annual worldwide turnover for:
  - not having its records in order;
  - failing to notify the supervising authority and data subject about a breach; or
  - not conducting an impact assessment.
- A warning will be distributed in writing in cases of first and non-intentional non-compliance.
- Your company may be subject to regular periodic data protection audits.
GDPR rules apply to both Data Controllers and Data Processors (see the definition of a data controller and data processor further into this document).
In addition, individuals will be given the right to claim compensation from the business for any damage that results from a GDPR violation.
9 KEY CHANGES UNDER GDPR.
- A single set of data protection rules will now apply to all EU member states. In addition, increased territorial scope means that GDPR will apply to all companies that process personal data of EU residents, regardless of their location.
- ‘Right to be forgotten’ – also known as Data Erasure. EU residents will have the right to request that personal data relating to them is erased. This could be based on a number of grounds that include non-compliance, data no longer being relevant to its original purposes, or data subjects withdrawing consent.
- ‘Right to access’ – Data subjects will have the right to obtain confirmation from the data controller as to whether or not personal data concerning them has been processed, where it has been processed and for what purpose.
- Data breach notifications will become mandatory in all member states where the data breach is likely to “result in risk pertaining to the rights and freedoms of individuals.”
- Consent rules are changing and opt-in requirements for obtaining personal data are stricter. The conditions for consent have been strengthened, as companies will no longer be able to utilise long illegible terms and conditions full of legalese. Organisations are required to ensure that consent is clear, distinguishable and provided in an easily accessible form with the purpose of the data processing disclosed and attached to the consent. It must be just as easy to withdraw consent as it is to give it.
- ‘Privacy by Design’ – Now a legal requirement under the GDPR, Privacy by Design calls for data protection to be built in from the outset of system design rather than added on afterwards.
- Data Controllers and Data Processors will be required to conduct privacy risk impact assessments for projects that have high privacy risks.
- Data processing activity notification rules are changing. Under GDPR it will no longer be necessary for Data Controllers to submit notifications / registrations of data processing activities to local Data Protection Officers. In addition, it will no longer be a requirement to notify / obtain approval for transfers based on the Model Contract Clauses (MCCs). This will be replaced by an internal record keeping requirement. There is an exception to this, which is explained in the Data Protection Officer section further into this document.
- The new Accountability Principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.
WHAT ABOUT THE DATA OF CHILDREN UNDER THE AGE OF 16?
Parents or custodians will be required to provide consent for the processing of their children’s data if the child is under the age of 16. Some member states may legislate for a lower age of consent, but not below the age of 13.
WHAT IS A DATA PROTECTION OFFICER AND DOES MY COMPANY NEED ONE?
A Data Protection Officer (or DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). It will be mandatory for your organisation to appoint a DPO if your business activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or the systematic monitoring of special categories of data or data relating to criminal convictions and offences.
Your DPO will be responsible for ensuring compliance with the new GDPR regulations and overseeing your data protection strategy and implementation.
According to the official GDPR website, the DPO:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices.
- May be a staff member or an external service provider.
- Contact details must be provided to the relevant DPO.
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge.
- Must report directly to the highest level of management.
- Must not carry out any other tasks that could result in a conflict of interest.
WHAT IS A SUPERVISORY AUTHORITY (SA) AND WHAT IS ITS PURPOSE?
- Every EU member state is required to appoint an independent Supervisory Authority (SA). The job of the SA is to investigate complaints that relate to GDPR and to sanction administrative offences.
- All Supervisory Authorities from different member states will cooperate with each other and provide mutual assistance.
- A single Supervisory Authority will be selected as your lead authority. This will typically be based on the location of your head office (or main establishment).
- This lead authority will act as the ‘one-stop-shop’ for your business and will supervise all of your business data processing activities within the EU.*
*One-stop-shop is still considered a controversial topic that is likely to be debated during the Trilogue negotiations.
SO WHO ORGANISES THE SUPERVISORY AUTHORITIES?
- A European Data Protection Board (EDPB) will be in charge of coordinating the Supervisory Authorities. The EDPB will consist of the heads of each EU Member State’s SA and the European Data Protection Supervisor. Both advise the Commission and promote cooperation between SAs throughout the EU.
- The EDPB is responsible for maintaining consistency throughout the EU. Under the Council March 2015 Position, the EDPB’s role in the complaints procedure is expanded to include responsibility for decisions where there is disagreement between the lead SA and other SAs with regard to the decision reached.
WHAT IS THE ROLE OF A DATA CONTROLLER AND HOW ARE THEY AFFECTED BY GDPR?
A data controller is an organisation that determines the purposes, conditions and means of processing personal data. An example of a data controller is an organisation that resells mail and telemarketing lists.
- Data Controllers will be required to demonstrate compliance with GDPR by implementing measures that meet the principles of data protection by design and data protection by default.
- In the event of a data breach, Data Controllers will have no more than 72 hours to report a potential data breach to a Supervisory Authority (unless the risk to individuals’ data protection rights is low).
- Data Minimisation – Data Controllers are required to hold and process only the data absolutely necessary for the completion of their duties, and to limit access to personal data to those who need it to carry out the processing.
- When a data subject exercises their ‘Right to access’, Data Controllers are required to provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
- Data Controllers are also required to ensure that adequate contracts are in place to govern data processors.
WHAT IS THE ROLE OF A DATA PROCESSOR AND HOW ARE THEY AFFECTED BY GDPR?
- Data Processors are organisations that process data on behalf of a data controller, such as a cloud services organisation that provides the hosting platform on which the data resides.
- Data Processors primarily answer to controllers, and will be required to process data only as instructed by controllers, use appropriate technical and organisational measures to comply with the GDPR, delete or return data to the controller once processing is complete and adhere to certain conditions that require collaboration with other processors.
- Under the GDPR, Data Processors are prohibited from enlisting another processor without prior specific or general written permission of the controller.
- Data Processors can now be held directly responsible for the security of personal data.
- In the event of a data breach, Data Processors will be required to notify their customers, the controllers, “without undue delay” after first becoming aware of the breach.
ARE DEROGATIONS PERMITTED BY THE GDPR?
In certain circumstances, Article 23 of the GDPR allows Member States to implement derogations. This is similar to the exemptions allowed under the Data Protection Act (DPA). Member States may add exemptions as long as the restriction maintains respect for an individual’s rights and freedoms. The restriction must also act as a safeguard for matters such as national and public security, defence, criminal offence processes, public financial and economic interests, judicial independence, enforcement of civil law, and more.
WHAT ARE SOME OF THE CHALLENGES POSED BY THE GDPR?
Challenges include the following examples:
- The biggest challenge will be implementing best practices to meet the GDPR requirements. Many businesses will need to make significant changes to standard business practices, especially if they do not already have strict privacy processes in place.
- Data portability has not been considered a key function for individual data protection. It is more of a requirement for cloud providers and social networks.
- The Data Protection Officer requirement is new to some EU Member States and will be considered an additional burden to bear.
- There is currently a shortage of data privacy experts.
- The GDPR rules present conflicts with regulations in non-European countries.
USEFUL REFERENCE LINKS
We are reviewing our offerings to help organisations understand data privacy legislation and provide guidance on EU General Data Protection Regulation compliance. We will contact all of our customers regarding this in due course. If you'd like to be kept updated, let us know.