The European Union’s General Data Protection Regulation (GDPR) addresses the protection of individuals with regard to the collecting and processing of personal data. This new regime becomes enforceable on May 25, 2018.
What is the GDPR?
The GDPR’s aims are twofold: First, the EU wants to give control over personal data back to citizens and residents. Second, the EU wants to simplify the regulatory environment for all businesses by creating uniformity in personal data protection within the 28 countries comprising the EU.
Who is affected by the GDPR?
The regulation applies to all organizations that collect or process the personal data of individuals in the EU, regardless of whether the organization itself is established in the EU. In effect, any company that uses the personal data of persons in the EU to offer goods or services or to monitor their behavior falls within scope, even if it has no EU presence. It is important to note that the GDPR protects any individual who is in the EU, whether or not that person is an EU citizen.
What is considered “personal data” under the GDPR?
Personal data is defined as any information relating to an identified or identifiable natural person, whether it concerns his or her private, professional or public life. The definition is very broad and covers such data as name, home address, photograph, IP address, email address, bank details, social media posts and medical records. Identifiers that only indirectly single out a person, such as an IP address or a device ID, still count.
What are the key elements of the GDPR?
Privacy by design: The concept of privacy by design is a requirement under the GDPR, whereby organizations subject to this regulation are expected to embed privacy protection mechanisms into processes and operations, rather than add them as an afterthought.
Appointment of a data protection officer (DPO): A DPO must be appointed by public authorities, by organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, and by organizations whose core activities involve large-scale processing of special categories of data (such as health data) or data relating to criminal convictions. The DPO must report directly to the highest level of management and is responsible for advising key decision-makers about compliance with the GDPR and for monitoring that compliance.
Obtaining consent: Consent is one of several lawful bases for processing under the GDPR. Where an organization relies on it, consent must be freely given, specific, informed and unambiguous, signalled "by a statement or by a clear affirmative action" before the data is processed; pre-ticked boxes and silence do not qualify. Additional protection applies to children: parental consent is required for online services offered to children under 16, although member states may lower that threshold to 13. Controllers must be able to demonstrate that consent was given and must make it as easy to withdraw consent as it was to give it.
72-hour rule: Data controllers must notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the notification is late, the reasons for the delay must be given. When the breach is likely to result in a high risk to individuals, the affected individuals must also be informed "without undue delay". That notification to individuals is not required where the data was rendered unintelligible to unauthorized parties, for example through encryption with keys that were not themselves compromised; this exception relieves the controller of telling individuals, not of notifying the supervisory authority. Processors, for their part, must notify the controller without undue delay after becoming aware of a breach.
Right to erasure: Individuals covered by the GDPR have the right to request that their personal data be erased without undue delay on specified grounds: when the data is no longer necessary for the purpose it was collected for, when consent is withdrawn and no other lawful basis applies, when the data was processed unlawfully, or when the individual objects to the processing and the controller's legitimate interests are overridden by the interests or fundamental rights and freedoms of the individual. The right is not absolute; for example, data that the controller must retain to meet a legal obligation need not be erased.
Minimization, purpose limitation, and storage limitation: Personal data may only be collected for specified, explicit purposes that are communicated to the individual and may not be further processed in a way incompatible with those purposes. The data collected must be limited to the minimum necessary for those purposes, and it must be kept in identifiable form for no longer than the purposes require.
Penalties for non-compliance: The GDPR sets two tiers of administrative fines. Infringements of the core principles, of individuals' rights or of the rules on international transfers can be fined up to 20 million Euros or 4% of total worldwide annual turnover, whichever is higher. Infringements of the obligations placed on controllers and processors, including the breach notification duties, the requirements for data protection by design and the appointment of a DPO, can be fined up to 10 million Euros or 2% of total worldwide annual turnover, again whichever is higher.
The EU General Data Protection Regulation is far reaching and will impact all companies that use or store personal data of individuals within the EU, whether or not those companies have actual operations in the EU.
Many international organizations will begin to require that their service providers be GDPR compliant and will refuse to work with companies which are not.
It is also likely that, as consumers become ever more savvy and cautious about their personal data, companies that are GDPR compliant will enjoy a competitive advantage. There is no question that the challenges of implementing the GDPR are many.
However, based on a recent survey of technology executives and their legal counsel, the GDPR is expected to become the gold standard of personal data management and to create opportunities for higher quality data as well as more efficient data management.