The European Union’s General Data Protection Regulation (EU GDPR) applies from 25 May 2018 and provides a single, harmonised data protection law for the European Union. The GDPR aims to safeguard the personal data of EU data subjects regardless of where that data is held or processed, and as such its reach is global.
Increased Territorial Scope
One of the biggest changes the GDPR brings is its reach. It protects data subjects in the EU rather than organisations established there, and is therefore extra-territorial: it applies to any company processing the personal data of EU data subjects, regardless of the company’s location.
Organisations in breach of the GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater. This is the maximum fine, reserved for the most serious infringements, e.g. processing without sufficient consent or violating the core data protection principles.
There is a second, lower tier under which a company can be fined up to 2% of annual global turnover or €10 million, whichever is greater, for failures such as not keeping proper records of processing activities (Article 30), not notifying the supervisory authority and affected data subjects about a breach, or not conducting a data protection impact assessment where one is required.
It is important to note that these rules apply to both data controllers and data processors - those third party organisations which provide outsourcing services, including "cloud" providers.
Under the GDPR, breach notification becomes mandatory wherever a personal data breach is likely to result in a risk to the rights and freedoms of individuals. The supervisory authority must be notified within 72 hours of the controller first becoming aware of the breach; where the breach is likely to result in a high risk to individuals, the affected data subjects must also be told without undue delay. Data processors, for their part, are required to notify their customers, the controllers, “without undue delay” after becoming aware of a breach, since the controller’s 72-hour clock cannot start until it knows.
Privacy by Design
Privacy by design as a concept has existed for years, but it only becomes a legal requirement with the GDPR. At its core, privacy by design calls for data protection to be built in from the start of process or system design rather than bolted on afterwards. More specifically: 'The controller shall.. implement appropriate technical and organisational measures.. in an effective way.. in order to meet the requirements of this Regulation and protect the rights of data subjects'. Article 25 (data protection by design and by default) requires controllers to hold and process only the data absolutely necessary for the purpose at hand (data minimisation), and to limit access to personal data to those who need it to carry out the processing.
Data Subject Rights
The GDPR defines eight rights for individuals, including the following:
Right to Access
Part of the expanded rights of data subjects under the GDPR is the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, and if so where and for what purpose. The controller must also provide a copy of the personal data, free of charge, in an electronic format. This is a dramatic shift towards data transparency and the empowerment of data subjects.
Right to be Forgotten
Also known as the right to erasure, the right to be forgotten entitles the data subject to have the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, set out in Article 17, include the data no longer being necessary for the original purposes of processing, or the data subject withdrawing consent. Note that this right is not absolute: the controller must weigh the subject's rights against "the public interest in the availability of the data" when considering such requests.
Right to Data Portability
The GDPR introduces data portability: the right for a data subject to receive a copy of the personal data they have provided to a controller and to have it transmitted to another data controller. The regulation does not prescribe a specific format, saying only that the data must be provided in a 'structured, commonly used and machine-readable format'.