The General Data Protection Regulation – or the GDPR – is a new piece of privacy law that will enter into force on 25 May 2018. It will apply in the entire European Union. The GDPR aims to harmonise and modernise the privacy rules for the new digital era. It will replace the outdated Data Protection Directive, in force since 1995.
Individuals will have more rights, including the famed ‘right to be forgotten’. Businesses will enjoy a more consistent application of rules and a predictable regulatory environment with less red tape.
See more detail here: A Beginner’s Guide to the GDPR
The GDPR was adopted on 27 April 2016. The two-year grace period started on that date, and the Regulation will enter into force on 25 May 2018. By that time, all businesses and organisations must be compliant.
A Data Protection Officer (DPO) is the privacy expert in your company who helps you solve GDPR- and privacy-related issues. They will notify you if you are in breach of the GDPR, as well as provide guidance to steer you towards compliance.
DPOs provide education and promote responsible data handling practices. They will also help you make contingency plans in case of a breach, and aid you in international data transfers. A DPO must act independently, without being influenced by owners or other employees.
If your company is doing any processing of personal data on a regular basis, the answer is yes. The same goes if you process sensitive personal data. Generally, the more complex your data processing activities are, the more likely it is you need a DPO.
However, we advise you to hire a DPO even if not required. It will certainly pay off, since they provide invaluable expert advice. Find out more on whether you need a DPO here.
Data controllers are the entities responsible for managing, collecting and directing the use of data. The bulk of the responsibility for the data lies with them.
Data processors are responsible for processing data on the instructions of data controllers. In most cases, a single company will be both at the same time. However, if you use cloud services, for example, the cloud provider would be considered a data processor.
A data subject is the individual whose personal data is being processed.
There are several ways businesses can benefit from the GDPR. First, the regulatory environment in the entire EU will be harmonised. This will make expanding into another EU country much easier.
Secondly, non-EU companies will also have to play by the rules if they wish to do business in the EU. The playing field will be completely level. EU businesses won’t be harmed by companies taking advantage of countries with lax privacy regulations.
Thirdly, the more stringent requirements for data storage will make data breaches a rarer occurrence. This side effect will go a long way towards preventing the losses that stem from data loss.
Find out more about why the GDPR is good for business here.
Individuals will benefit the most from the GDPR. You have more rights now than before the GDPR. It is also much easier to exercise them by contacting the company or the supervisory authority in your country. Even if the company is from another EU country, your local authority will forward your complaint.
You have the right to be forgotten and the right to deny consent for the use of your data. At any point, you can ask what is being done with your data and demand a copy of it. Generally, nobody can do anything with your personal data unless you clearly consent – such as by ticking a check-box online or providing a physical signature.
There are a few more rights you can exercise. Find them here.
We do not recommend ignoring the provisions of the GDPR. The regulatory authorities can issue huge fines. There are two tiers of fines. One is reserved for procedural and minor mistakes, with fines ranging up to EUR 10 million or 2 percent of the company’s global turnover, whichever is higher.
The other tier pertains to severe negligence and wilful infringement of personal rights. The maximum fine for this kind of infringement is doubled to EUR 20 million or 4 percent of the company’s global turnover, whichever is higher.
But it’s not that grim. These are maximum fines, and it’s unlikely your company will get fined that amount. Repeat transgressors will be issued high fines, but first-time offenders will likely get just a warning and a list of issues that they must put in order.
Supervisory authorities, which are responsible for issuing fines, are not policemen, and they will – and must – cooperate with companies to help them resolve any issues they might have. Therefore, despite the media claims of potential huge fines, in most cases it will be business as usual, but with a new, clearer set of requirements.
Find out more about fines here.
The DPAs – Data Protection Authorities – will continue carrying out their duties as regulators. In the GDPR, however, they will officially be called ‘supervisory authorities’. Each EU Member State will have to appoint one such authority that will oversee all businesses and organisations in its country.
Also, the regulators from each country are expected to cooperate to ensure consistency, especially when dealing with multinational corporations. The aim was to have the same regulatory standard in each EU Member State, and thus prevent the forum shopping that has become commonplace.
The exact figure is variable, but one thing is for certain: plan on increasing your privacy and IT budget. The GDPR will result in increased costs, at least during the initial adjustment period. This holds true whether you’re a small business owner or a manager of a huge company.
Companies without adequate privacy and data protection measures will have to spend more to get up to par. And of course, the larger the company, the larger the cost. Half a million euros is an oft-quoted figure for companies with hundreds of employees. Smaller companies can outsource the DPO role to cut costs, but everyone will have to invest in employee training and education. The figures will vary widely for small businesses, depending on their practices and processing activities.
Not for now. Even if the Brexit negotiations conclude in the shortest possible time, the UK is still set to implement the GDPR. This means that UK companies must also comply. In the longer term, however, all bets are off: Brexit has the potential to affect the application of the GDPR in the UK in the future.
Still, even if the UK opts to change the GDPR or abolish it altogether, the privacy regulations in other countries will require a high standard of privacy in the UK. Otherwise, its companies will not be able to hold overseas data.
The GDPR requires that all companies which process personal data on a significant scale, or process sensitive personal data, keep records of their processing activities.
There are no set rules as to what the records should look like, but they must contain at least the following:
- contact details of a person within the organisation
- purpose for processing, explained in detail
- categories of personal data used
- special categories of data (sensitive data), if any
- existence of data transfers to third countries
- retention periods
- overview of security and technical data protection measures
- any additional information, if deemed necessary
Companies with fewer than 250 employees are exempt from most record-keeping obligations. Find out more in this article.
The GDPR has much stricter consent requirements than the current legislation.
This means that implied consent doesn’t work anymore. Consent must be explicit and freely given. It’s opt-in; never opt-out.
Furthermore, you must clearly inform the individual what you will use their data for. The explanation should be given in plain language. The consent is valid only for those specified purposes. If you wish to expand the use of the data, you need additional consent.
It’s very simple. The requirements for NGOs and political parties are the same as for all other organisations. Everything that applies to businesses applies to other organisations as well. Pay particular attention to charitable solicitations and marketing. Read more here.
Personal data is ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;’ (Article 4(1)).
In other words, anything that can be used to identify an individual is considered personal data. This includes addresses, credit card numbers, photos, salary, opinions, etc. Note that cookies, IP addresses and location data are also considered personal data, which caused quite an uproar among online marketers. The protections of the GDPR are afforded only to living persons.
Data that is not considered personal, or that has been anonymised, does not fall under the scope of the GDPR.
Find out more information here.
Sensitive personal data is a category of personal data that receives even stronger protection than ordinary personal data. The conditions for processing such data are even more limited.
Sensitive personal data encompasses:
- ethnic origin
- political opinions
- religious beliefs
- trade union membership
- (mental) health condition
- sexual orientation
- criminal records and court proceedings
- biometric data
- genetic data
This data generally cannot be processed unless you have obtained explicit consent for its use, or there is a public interest in doing so. Read more here.
Yes. Like the USA’s COPPA, the GDPR requires parental permission for child users of online services. However, unlike in the US, which sets the age limit at 13 years old, the threshold is 16 in the GDPR. Member States are allowed to lower the limit, but to no less than 13. We expect most will do so to harmonise with the US regulations.
‘DPIA’ is a shorthand for ‘Data Privacy Impact Assessment’. You must perform a DPIA any time the processing operations pose a privacy or security risk for any individuals. These assessments are a good way of determining whether the operation will be GDPR-compliant. They are also used to demonstrate compliance to the authorities.
As per Article 4 of the GDPR, profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Automated decision-making is the ability to make decisions by technological means without human involvement. These two often overlap.