The deadline to comply with the European Union’s General Data Protection Regulation (GDPR) is just around the corner. In this article, we summarize the key points that you need to know about the GDPR and how to achieve GDPR compliance.
What is the GDPR?
The GDPR (General Data Protection Regulation) is a new European Union regulation which replaces the old Data Protection Directive (95/46/EC). The purpose of the GDPR is to consolidate data privacy laws across Europe with the objective of protecting all EU citizens from privacy and data breaches. The GDPR was approved by the EU Parliament on 14 April 2016 and, following a two-year implementation period, comes into force on 25 May 2018.
When is the deadline for GDPR compliance?
As mentioned above, the GDPR comes into force on 25 May 2018, and companies/organizations have to comply with the GDPR with effect from 25 May 2018.
What information does the GDPR apply to?
The GDPR applies to ‘personal data’, i.e., information which helps in identifying a natural person. Personal data includes the following information:
- An identification number
- Location data
- One or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
- Any online identifier, which could include social media posts, IP addresses, etc.
The GDPR also applies to sensitive personal data which includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, data concerning health or sex life and sexual orientation, and genetic data or biometric data.
Who does it apply to?
The GDPR applies to:
- all companies processing the personal data of individuals residing in the European Union, regardless of the company’s location.
- all data processors and controllers not established in the EU, where the activities relate to offering goods or services to EU citizens (regardless of the place of payment).
- all potential customers who are EU citizens.
What is a data processor and controller?
A data controller is an individual or a legal person who determines the purposes for which and the means by which personal data is processed. So, if your company/organization collects or retains personal data or decides why and how the personal data should be processed, it is the data controller. Note that employees processing personal data within your organization also fall under your company’s role as a data controller.
A data processor processes personal data on behalf of the controller. The data processor is usually a third-party external organization that processes the data on behalf of the controller. In the case of group companies, one entity may act as processor for another entity.
Both data controllers and processors are liable for any breaches of data privacy, and therefore a third-party external organization not in compliance with the GDPR would expose you to potential liabilities under the GDPR. As such, data processors are required to report any data breaches to the data controller and a data controller must maintain an appropriate procedure for reporting data breaches.
What is the penalty for non-compliance with the GDPR?
Organizations in breach of the GDPR can be fined up to 4% of the annual global turnover or 20 million Euros (whichever is greater).
What are the individual’s rights as per the GDPR?
The GDPR’s key elements include the following rights:
- Consent: organizations dealing with EU citizens may no longer use illegible terms and conditions for data privacy. The request for consent must be clear and accessible, in plain language, with the purpose of the data processing attached to the consent
- Breach notification: where a data breach is likely to result in a risk to the rights and freedoms of individuals, data processors will be required to notify their customers without undue delay upon becoming aware of the breach
- Right to Access Data: individuals have a right to request whether their data is being processed, and if so, they shall have the right to know the location of the data and its purposes. A confirmation must be provided to the individual if requested, free of charge
- Right to be Forgotten: individuals have the right to have their personal data erased from the system and may withdraw their consent for their data to be used
- Data transferability: individuals have a right to receive data concerning them, and have the right to transfer the data to another controller
- Privacy by design: data controllers must include data protection from the commencement stage, when creating their systems, as opposed to including measures for data protection as an added element. Only the data which is absolutely necessary must be maintained and controlled by the controllers
- Internal Record Keeping Requirements: each organization shall be responsible for maintaining its own records related to data privacy. The appointment of a local data protection officer shall only be mandatory when monitoring individuals on a large scale or processing data relating to criminal convictions
What can I do to comply with the GDPR?
Here are 10 action points for you to achieve compliance with GDPR:
- Review and amend your data privacy policies
- Review client contracts and amend them to reflect the regulatory changes
- Send appropriate communication to your third-party external organizations who process personal data to ensure that they are GDPR compliant as well
- Conduct training sessions with your employees on how to comply with the GDPR
- Understand what data you hold and how it is stored – review data storage procedures
- Ensure you have appropriate data management and security policies which enable you to protect or erase customers’ data in line with their rights
- Depending on the amount of personal data you process, you may consider appointing a Data Protection Officer
- Ensure that you have received express consent to collect and retain personal data of clients, particularly EU citizens
- Establish a procedure for reporting a breach
- Create an implementation plan for complying with the GDPR so that you have an audit trail of measures taken to comply with the GDPR
If you require assistance in complying with the GDPR, including drafting appropriate policies and amending your existing contracts, please do not hesitate to get in touch with us.