The EU General Data Protection Regulation (GDPR) in Europe, which came into force on the 25th May 2018, brought significant changes compared to the Data Protection Directive 95/46/EC involving operational changes in organisations. As a result, organisations have since needed to be extremely aware of changes then, now and in the future as they can face very strict fines for failure of GDPR compliance.
The most important change in data privacy regulation in 20 years, GDPR is a regulation issued by the European Commission, the European Parliament and the Council of the European Union with the goal of improving and maintaining data protection for individuals within the EU.
With this regulation, the EU aims to give its citizens more control over how their personal data is used as well as provide businesses with a clearer legal structure with which to operate by standardising across the EU.
Who is impacted?
The GDPR applies to controllers and processors that are handling the personal data of European individuals. Perhaps one of the most important things to note is that this new regulation applies to ALL organisations collecting and processing personal data of individuals residing in the EU, regardless of the company’s physical location.
The different roles between controllers vs. processors are defined as:
Controller – “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”.
Processor – “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
In short, a data controller specifies how and why personal data is processed, while a processor conducts the actual processing of the data. The controller is responsible for ensuring their processor abides by data protection law.
Why one in four UK businesses CANCELLED preparations for GDPR — A misunderstanding arose around the enforcement of GDPR post-Brexit.
However, processors also must follow the regulations and maintain records of their processing activities.
What does the GDPR entail? How to be compliant
Extended jurisdiction – Regulations will apply to any business or entity that processes personal data, as part of the operations of at least one of its branches based in the EU, regardless of where the data is processed.
Consent – Organisations will be required to obtain individual’s consent to store and use their data as well as explain how it is used.
Mandatory breach notification – Organisations are required to notify the supervisory authority within 72 hours of discovering a data breach, with all late notifications needing to be “accompanied by reasons for the delay”.
Right to access – Companies must be able to provide a copy of private records to individuals requesting what personal data the organisation is processing, where their data is stored and for what purpose.
Right to be forgotten – EU citizens will be able to request the controller to not only delete their personal data but to stop sharing it with third parties – which are then also obligated to stop processing it.
Change is coming: the GDPR storm — More on how the GDPR legislation has impacted business operations, here.
Data portability – EU citizens have the right to transmit data from one controller to another “without hindrance from the controller to which the personal data have been provided”. As a result, upon request, organisations must be able to provide an individual’s personal data in a “commonly used and machine readable format”.
Data privacy by design and by default – Privacy by design and default is also a legal requirement in GDPR. This means that controllers must effectively “implement appropriate technical and organisational measures, such as pseudonymisation”, in order to maintain data protection, and use of such data only for the purposes initially documented.
Data protection officers (DPO) – Many data controllers and data processors are required to appoint a DPO – who can either be a contractor, new hire or a member of the organisation’s staff.
It is important to note that not all companies are obliged to have a DPO. Particularly, this aspect of the legislation applies to cases where:
- processing is actioned by a public authority or body, except for courts acting in their judicial capacity;
- core activities of the controller or processor include duties which, by virtue of their nature, scope and/or purposes, require monitoring of data subjects on a large scale;
- the core activities of the controller or processor include processing on a large scale of data relating to deomgraphic or sociographic factors, including race, gender, religion and political beliefs.
Consequences of non-compliance
For non-compliance, organisations may receive a warning in the case of likely infringement; or a reprimand, temporary or definitive ban on processing, or a fine of up to €20m or 4 per cent of the total annual worldwide turnover.
GDPR implementation: challenges and opportunities ahead — The balance required between innovation and compliance.
How can compliance cut costs?
While getting to full compliance can be difficult and complicated, once full compliance is achieved, organisations will likely see significant benefits – especially for larger corporations looking to enter new markets.
Since data protection regulations are the same throughout the EU, organisations don’t need to consult local lawyers to ensure local compliance with GDPR, which has resulted in cost savings and legal certainty.
GDPR: What do you need to know? — Here’s what to know about GDPR compliance.
Businesses affected must identify what data is stored and processed for European citizens; its location; its path from point A to B; and by what systems is it processed.
By doing this, you can understand if your organisation has the required tools to protect private data, or it will shed insight onto the tools you may need to support your organisation in achieving GDPR compliance.
Conducting an audit and investing in solutions like data loss prevention can help get you to compliance faster. Treat compliance with GDPR as a project and get a lawyer to ensure you adhere to all guidelines.
What the draft EU AI Act means for regulation — Information Age speaks to EU data protection, intellectual property and technology experts about the business implications of the EU AI Act.
Benchmarking global readiness for the GDPR — How has GDPR been standing up worldwide?