Today’s post is the first in a series of three posts that we’re going to do on GDPR. Most people will have heard of it and begun preparing for it, but for those who aren’t up to date I think it would be useful to provide some background. So, GDPR, four letters that have struck fear and confusion into the hearts of executives and risk managers around the world – what is it all about?
GDPR stands for the General Data Protection Regulation (Regulation (EU) 2016/679). It was adopted by the European Parliament and Council in April 2016 to expand the protections afforded to individuals by European data protection law, but also to give companies a hand by simplifying the regulatory environment. The Regulation becomes enforceable on May 25th 2018, when it replaces the 1995 Data Protection Directive and the patchwork of national laws that implemented it with a single law that applies directly in every Member State. There is a lot of interesting information in the official text of the Regulation, but to save you the trouble of going through hundreds of pages I thought I’d summarise it for you. Here are the thirteen most important changes brought about by the GDPR (for a glossary of terms see the bottom of the page).
- If your business is not based in the EU, you may still have to comply with the Regulation. Indeed this is one of the most important changes the GDPR will usher in. Non-EU organizations that process the personal data of people in the EU in connection with offering them goods or services, or with monitoring their behaviour, face the same obligations and the same consequences for non-compliance as EU organizations. It doesn’t matter if your company is from America, Asia or Australia, GDPR will apply to you too.
- The definition of personal data is broader, bringing more data into the regulated perimeter. It explicitly covers any information that can identify a person directly or indirectly, including location data, online identifiers such as IP addresses and cookie IDs, and factors specific to a person’s physical, physiological, genetic, mental, economic, cultural or social identity. Companies should take measures to reduce the amount of personal data they store, and ensure that they do not keep any of it longer than necessary.
- Parental consent will be necessary to process children’s data. Where online services are offered directly to a child, the processing of personal data of children under age 16 requires the consent of a parent or guardian, and the controller must make reasonable efforts to verify that consent was given. EU Member States may lower the age requiring parental consent, but to no less than 13.
- Changes to the rules for obtaining valid consent. Consent for collecting personal data needs to be taken very seriously. Consent must be freely given, specific, informed and unambiguous; the request must be laid out in plain language and be clearly distinguishable from other matters. Silence, inactivity or pre-ticked boxes do not constitute consent, withdrawing consent must be as easy as giving it, and the controller must be able to demonstrate that consent was obtained.
- The appointment of a data protection officer (DPO) will be mandatory for certain organizations. Article 37 of the GDPR states that DPOs must be appointed by all public authorities (except courts acting in their judicial capacity). In addition, a DPO is required where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or large-scale processing of “special categories of personal data” or data relating to criminal convictions. Organizations whose processing of personal data is merely ancillary to their core activities are not caught by this obligation, although Member State law may still require a DPO. The GDPR does not specify formal credentials for data protection officers, but does require that they have “expert knowledge of data protection law and practices” and be able to perform their tasks independently.
- The introduction of mandatory data protection impact assessments (DPIAs). A risk-based approach must be adopted before undertaking higher-risk data processing activities. Where processing is likely to result in a high risk to the rights and freedoms of individuals (for example systematic and extensive profiling, large-scale processing of special categories of data, or systematic monitoring of publicly accessible areas), controllers must carry out a DPIA before the processing starts, and where the residual risk remains high they must consult the supervisory authority first.
- New data breach notification requirements. Data controllers must report personal data breaches to their supervisory authority unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects in question. The notice must be made without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach; a later notification must be accompanied by the reasons for the delay. Processors must notify the controller without undue delay after becoming aware of a breach, and controllers must keep a record of all breaches, including those they decide not to report. Where the risk to individuals is high, the affected data subjects must also be informed without undue delay, although the Regulation sets no specific deadline for this.
- The right to erasure. Data subjects now have the “right to be forgotten”, a phrase made famous by the European Court of Justice ruling in the Google Spain v. AEPD and Mario Costeja González case in 2014. The Regulation sets out the grounds on which the right can be exercised (for example when the data is no longer needed for its original purpose, or consent is withdrawn) and the exceptions, such as where the data must be retained to comply with a legal obligation.
- The international transfer of data. Transfers of personal data to countries outside the EU are only permitted where the European Commission has found that country’s protections adequate, or where appropriate safeguards are in place, such as standard contractual clauses or binding corporate rules, or where a narrow derogation applies. Since these rules bind processors as well as controllers, organizations should be aware of the risk of transferring data to third countries, including through their cloud and outsourcing providers. Separately, non-EU controllers and processors that fall under the Regulation will generally need to designate a representative in the EU.
- New data processor responsibilities. Data processors will have direct legal obligations and responsibilities, which means that processors can be held liable for data breaches and face fines and claims for damages in their own right. Contractual arrangements will need to be updated, since the Regulation prescribes the terms a controller–processor contract must contain, and stipulating responsibilities and liabilities between the controller and processor will be an imperative requirement in future agreements. Parties will need to document their data responsibilities even more clearly, and the increased risk levels may impact service costs.
- Data portability. This provision seeks to enable users to change service providers more easily. Where processing is carried out by automated means on the basis of consent or a contract, a data subject will be able to request a copy of the personal data they have provided in a structured, commonly used and machine-readable format, and to have it transmitted directly to another controller where technically feasible. Ideally, the change will make users independent from any one company’s services and stimulate competition among market players.
- Privacy by design. The GDPR requires data protection by design and by default: systems and processes must be built so that compliance with the principles of data protection is part of their design, not an afterthought. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery, but from the inception of the product concept. There is also a requirement that controllers should only collect data necessary to fulfil specific purposes, discarding it when it is no longer required, and that by default only the personal data necessary for each purpose is processed. This aims to reduce both the likelihood and the impact of data breaches.
- One-stop shop. A new one-stop shop for businesses means that a firm whose processing crosses borders will deal with a single lead supervisory authority, the one in the Member State of its main establishment, rather than one for each of the EU’s present 28 member states. The lead authority coordinates with the other authorities concerned, so the rule simplifies who you talk to rather than removing the other regulators from the picture.
And that concludes our list. I hope you found those key points useful. Join me next week when we’ll look at the main steps you can take to achieve that all important GDPR compliance.
Personal Data = any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Controller = the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law
Processor = a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller