Approved by the European Union Parliament on 14 June 2016 after four years of preparation and debate, the GDPR will replace the current data protection directive from May 25, 2018 after a two-year transition period. The GDPR is directly applicable and binding, meaning it does not require any enabling legislation. With that in mind, here is some more information about the GDPR.
An Overview of GDPR
The GDPR will introduce stronger rights and restrictions, as well as new accountability obligations on international data flows. The GDPR will require any organization that handles data about EU citizens to establish a robust personal data security framework. Additionally, the GDPR will harmonize all the data security laws across all 28 EU member states to make it easier for non-European companies/multinationals to comply with all the applicable laws across Europe.
According to the European Commission, this regulation will make it simpler and cheaper for businesses to operate within Europe. The EU hopes to use the GDPR to encourage businesses to incorporate data security frameworks into their services and products from the development phase onward. Beyond the typical types of personal data, such as name, photos and address, the GDPR extends the definition of personal data to include sensitive data such as IP addresses and biometric data.
Scope of the GDPR
One of the main elements of the GDPR is its increased territorial scope. Specifically, the GDPR will apply to any company that handles data of EU citizens, regardless of the company’s location, giving it an extended jurisdiction. As a result, it will remove the ambiguity in the current regulation, Directive 95/46/EC, which refers to data processing ‘in the context of an establishment’ and which has been the subject of several high-profile court cases.
Additionally, this regulation will also apply to the processing of personal data of EU citizens by a processor or controller not established in the EU, where the activities relate to monitoring EU residents within the EU, or to selling goods and services to EU citizens or offering them for free. Moreover, any non-European business processing data of EU citizens will need to have a Data Protection Officer (DPO) in the EU. The regulation also contains a separate Data Protection Directive that will govern how the criminal justice sector and the police exchange personal data at the national, European and international levels.
Single Set of Rules
While a single set of rules will apply to all 28 EU member states, each national government will create an independent Supervisory Authority (SA) to investigate and hear administrative offences, sanctions and complaints. All the SAs will offer mutual assistance to each other and organize joint operations. It is important to note that a business with offices across Europe will have only one SA, called the “lead authority,” located where its main data processing centre is. The lead authority will supervise all the activities of the business throughout the EU with the help of a European Data Protection Board (EDPB). Note also that certain personal data is exempt from the regulation, including data processed for the purposes of national security or in an employment context. Such data may still be subject to individual country laws.
Responsibility and Accountability
Under the GDPR, notice requirements must include the retention time for personal data, as well as the contact details of both the DPO and the data controller. As under the Data Protection Directive, automated individual decision-making, including profiling, is contestable. This means that an EU citizen can question or challenge any significant decision affecting him or her that has been made on a purely algorithmic basis.
To demonstrate compliance with the regulation, the data controller should implement a data security framework that meets the principles of data protection by design and by default, as stipulated under Article 25. Specifically, privacy by design and by default requires that data security measures, such as pseudonymisation of personal data by the controller, be incorporated into the development of business processes for services and products. This means the data controller carries the responsibility for implementing effective protection measures and, more importantly, should be able to demonstrate the effectiveness of such measures even when the data processing is done by a data processor on behalf of the data controller.
Under the GDPR, the penalties for flouting the regulation are based on a company’s annual global revenue, and they vary in severity depending on the nature of the infringement. For instance, a company found guilty of minor GDPR infractions, such as failing to notify the relevant authority and data subject about a data breach, failing to conduct an impact assessment, or failing to keep proper records, can be fined up to 2% of its annual global turnover.
On the other hand, a company found guilty of the most serious offences, such as violating the core Privacy by Design concepts or lacking sufficient customer consent to process data, can be charged up to 4% of its annual global revenue or €20 million, whichever is higher. It is important to note that these penalties apply to both controllers and processors, meaning even ‘clouds’ will have to comply with the regulation.
The Benefits of the GDPR to EU Citizens
The GDPR has several inherent benefits. For starters, it will instill and promote transparency because it will compel organizations to explain to consumers in a clear way how they process and use consumer data. Secondly, it will help manage data breaches more effectively because it compels organizations to report data breaches to the relevant authorities and inform all the affected consumers. Thirdly, it will help enforce the “right to be forgotten.” This means you can ask an organization to delete your personal data from its records if there are no grounds for retaining it.
The Impact of Brexit on the GDPR
Although the United Kingdom is set to leave the EU over 10 months after the enactment of the GDPR, the UK government has said the regulation will work to the benefit of the country, so it will enforce it. In other words, Brexit will have no effect on the GDPR compliance in the UK.
The General Data Protection Regulation is essentially a robust data protection regulation aimed at protecting the personal data of EU citizens. The regulation requires any organization that processes EU residents’ data to implement a robust data protection system, to deliver a breach notification in the event of a data breach, and to provide a description of the potential consequences of the breach. The UK will also enforce the GDPR despite Brexit.