Replacing the Data Protection Directive 95/46/EC, the GDPR is designed to protect all EU citizens from privacy and data breaches and to manage how organisations deal with data privacy.
It applies to all companies that process the personal data of individuals who live in the EU, regardless of where the company is located.
The rules apply to both data controllers, those who determine how and why personal data is processed, and data processors, who act on the controller's behalf. If you are currently subject to the Data Protection Act 1998 (DPA), then it is likely that you will also be subject to the GDPR.
Penalties for non-compliance will be up to 4% of annual global turnover or €20 million, whichever is greater.
What are the requirements of the legislation?
The GDPR has far-reaching impacts on businesses that will be bound by the new regulation in terms of Data Subject Rights. Key elements include:
Breach notification – A GDPR breach notification will be mandatory where a breach is likely to “result in a risk for the rights and freedoms of an individual”. Any breach must be reported within 72 hours. Fines will be imposed for failure to notify about a data breach.
Right to Access – Individuals have the right to obtain confirmation of whether personal data about them is being processed, where it is processed and for what purpose. The data controller will be responsible for providing an electronic copy of the personal data to the subject, free of charge.
Right to be Forgotten – The data subject is entitled to have his or her personal data erased by the data controller. The cessation of further dissemination of their data and potentially stopping the processing of the data by third parties can also be requested.
Data Portability – This gives the data subject the right to receive the personal data they have previously provided, in a commonly used and machine-readable format, and the right to transfer this data to another controller.
Privacy by Design – Data protection must be included at the design stage of systems, rather than being treated as an afterthought. Data controllers are responsible for holding and processing only the data necessary to complete their duties. They must also limit access to personal data to those who require it to carry out that processing.
Data Protection Officers – The GDPR imposes internal record-keeping requirements that must be met. The appointment of a Data Protection Officer (DPO) is necessary for controllers and processors whose core activities involve frequent and systematic monitoring of individuals on a wide scale, or the use of certain categories of data or data on criminal convictions and offences. Public authorities (except for courts acting in their judicial capacity) must also appoint a data protection officer.
GDPR Accountability and Governance
Accountability and transparency form a significant part of the GDPR. Organisations are expected to implement governance measures that are both comprehensive and proportionate to their activities to comply with the EU regulations. Although some organisations may already have good practice tools and a data protection policy in place to manage governance, the GDPR is likely to mean new procedures for many organisations.
The accountability principle, which forms part of the new regulation, means organisations must be able to demonstrate that they comply with the principles. The ability to demonstrate GDPR compliance covers a variety of tasks, including:
- The implementation of technical and organisational measures that ensure and demonstrate compliance. This can include reviews of policies and processing activities, and staff training.
- Maintaining accurate documentation on any processing activities.
- Appointing a Data Protection Officer if applicable.
- The implementation of measures to meet data protection by design and data protection by default requirements.
- Introduction of data protection impact assessments where applicable.
When does the GDPR come into force?
The enforcement date for the GDPR is 25 May 2018. From this date, organisations that are non-compliant will face heavy fines. The UK government has confirmed that Brexit will not affect the commencement of the GDPR, so UK companies must still comply or they will be subject to the penalties.