The General Data Protection Regulation (GDPR) is a European law that applies throughout the European Union, which means that organizations with an establishment in any of the member states will need to comply with it.
The law goes beyond that.
Disclaimer: This blog article was written by our compliance experts for general information and does not claim to provide legal advice. To understand the full context of your organization, please consult with a privacy compliance and/or legal professional.
EU nations have long maintained strict legal provisions to safeguard the personally identifiable information (PII) collected online by businesses and organizations, and GDPR is a new legal means to unify and clarify these requirements. It is important for organizations to understand that any company that markets goods or services to EU residents is subject to the regulation, regardless of its location. As a result, GDPR will have an impact on data protection requirements globally.
GDPR is lengthy and complicated; the legislation includes 11 chapters and 91 articles, which has left many organizations scrambling to add resources and begin the arduous process of aligning their processes with the legislation.
Compliance with this new regulation has become a top priority for businesses around the globe for three main reasons: new requirements, increased scope, and strict penalties for noncompliance.
GDPR has created new, significant requirements for businesses to implement comprehensive privacy programs, including mandatory privacy by design and data protection impact assessments. The regulation applies not only to EU companies, but also to foreign companies processing the data of EU residents.
The penalties for noncompliance can be up to 2% to 4% of annual global turnover or €10 Million to €20 Million, whichever is greater. Businesses large and small around the globe are working feverishly to comply with GDPR in advance of the deadline this coming May.
GDPR contains several key provisions to protect the privacy of EU citizens. The first is notification. Under GDPR, businesses must notify customers and regulators of any data breach within 72 hours of becoming aware of the breach.
Next is a right to access. Under GDPR, EU citizens have the right to ask businesses for confirmation of whether their personal data is being processed, where the data is being processed, and for what purpose.
Businesses are also obliged to provide a free copy of personal data in an electronic format. The so-called Right to be forgotten is another provision that empowers citizens to have businesses erase their personal data upon request.
Portability is a new provision under GDPR, giving citizens the right to their personal data in a commonly used and machine-readable format, so that it may be passed along to another business. Think, for example, of retaining your phone number when switching providers or carrying over your playlist when switching from one online music service to another.
Next is privacy by design – which requires that businesses build systems with privacy built-in.
Finally, businesses can appoint a data protection officer to manage the processes associated with GDPR compliance. Depending on your organization, you might not need to appoint a DPO.
Most notable outside of the 6 requirements outlined above are the general privacy requirements outlined in Article 5 of GDPR. These requirements mandate that personal data shall only be collected for specified, explicit and legitimate purposes, kept accurate and up to date, stored only as long as necessary, and processed in a manner that ensures appropriate security. These broad principles and mandates for processing personal data require a comprehensive approach to data privacy that is currently lacking in many businesses without a mature approach to data privacy.
One specific area of concern for many businesses is the Data Protection Impact Assessment (DPIA).
In Canada, impact assessments are nothing new. They have existed since the 70s and have been mandatory in many situations for years.
For Europe, this is a new requirement.
GDPR requires businesses to conduct a privacy assessment for any new high-risk technologies. High-risk means a high risk of negative impact on the individual’s rights and freedom, for example when profiling, surveillance, or new technologies are part of your processing operations. The Article 29 Working Party has adopted an opinion in which it explains the high-risk criteria in more detail. A DPIA helps to assess the risks to personal data. Businesses must document a detailed assessment of the potential impact, including a systematic description of the data processing under review, whether the processing is necessary and proportionate, and any compensating controls in place to secure the operation. These reports are delivered to the EU’s lead Data Protection Authority.
In addition, the national Data Protection Authority adopted black and white lists, identifying situations in which a DPIA is always required or not required at all.
The most impactful change under GDPR is its increased geographic scope. Previously, EU laws did not have a clear applicability to international entities. Under GDPR, any business processing the data of EU citizens must be in compliance, regardless of where in the world the data is processed or where the business is headquartered. Non-EU companies that process the personal data of EU citizens now face the daunting challenge of complying with this new regulation.
Under GDPR, the requirements apply to both personal data and sensitive data. Personal data includes any information that can be used to identify a person - anything from a name, bank details, a photo, social media posts, an email address, medical information, or a computer IP address. Sensitive data includes genetic data, information on religious or political views, and sexual orientation. While these definitions of personal data are nothing new, the clarity around the scope of impacted organizations – including those headquartered outside of Europe, processing data outside of Europe – represents an increase in scope and new requirements for many businesses around the globe.
The EU member states are working on implementing legislation for the GDPR, and these laws will only be limited in scope since all material provisions from the GDPR will have direct effect.
Unlike in Canada, consent is not the main legal basis to process personal data. In fact, in the EU, 6 legal bases apply to process personal data. One of these is sufficient in itself. The legal bases are the following:
Consent can easily be withdrawn, forcing an organization to stop processing the data of an individual immediately. Consent under the GDPR has become much more strict than under current law. It requires a real and free choice, which already makes it complicated to use in an employment context because an employee might feel constrained to provide consent to his or her employer for fear of negative consequences. Apart from choice, the consent needs to be based on full and clear information and it needs to be unambiguous. The time of pre-ticked boxes is over now.
All in all, consent needs to be a clear expression of free will of the data subject.
Previously, the maximum penalty for a privacy-related incident was £500,000. Under GDPR, as suggested earlier, organizations can be fined up to 4% of their annual global revenue, or €20 Million, whichever is greater.
This maximum fine is enforced when businesses fail to have customer consent to process data or violate the Privacy by Design concepts. In addition, a tiered approach is used, with a 2% of revenue fine possible for lesser offenses like failing to maintain sufficient records. This is the main reason that businesses are so concerned with GDPR – the large fine that potentially represents bankruptcy for many organizations.
Many businesses have not started to review and implement the requirements outlined in GDPR, with some studies finding that up to 20% of businesses have still taken no steps to prepare for GDPR compliance.
What is most important is to take action as soon as possible.
GDPR has created an urgent requirement for businesses operating in Europe to take privacy seriously. At a time when data breaches make the front page almost weekly, a strict financial penalty for businesses to secure PII may be the incentive necessary for data protection to be prioritized. With the deadline for compliance looming, organizations must take action now in order to implement the required privacy principles in time and avoid the fines and penalties threatened by GDPR.