Coming into force on the 25th May 2018, the EU general data protection regulation (GDPR) is the new EU gold standard for privacy, and it has a global reach. But what is the regulation all about?
Who does GDPR apply to?
GDPR applies to any company, regardless of geographical location, that stores or processes personal data relating to an EU citizen. The regulation also widens the definition of personal data compared to previous data protection regulations. Under GDPR, any data that can be used to identify an individual is defined as personal data. This definition now includes data that was previously in a ‘grey area’ such as data relating to genetic code, cultural information, and social information of individuals. Your company must comply with GDPR if it stores or processes any personal data relating to any citizen of the EU.
GDPR therefore has a global reach. Even if your company is based outside of the EU but processes personal data of EU nationals, you are still required to be compliant with GDPR and can still face fines if you fail to comply with it by May 2018.
So, what is GDPR, and how will it affect my company operationally?
GDPR is a new set of rules that companies coming into contact with EU personal data must comply with. GDPR separates companies into data controllers and data processors: data controllers determine the purpose and means of processing personal data, whilst data processors process personal data on behalf of the controller. Under GDPR, data controllers have obligations where a third-party data processor is involved; for example, data controllers must ensure that their contracts with data processors comply with GDPR.
Similarly, GDPR places new, specific legal obligations on data processors: they will be required to maintain records of personal data processing activities and, should they be responsible for a breach, will carry significantly more liability than they do today. This is a significant change from the current situation, as data processors can no longer claim to be exempt on the grounds that they only provide a ‘service’ to the data controllers. Their direct obligations and liabilities also allow actions to be taken directly against them.
Some organisations will now also be required to appoint a data protection officer, or DPO. DPOs must be appointed for all public authorities, and where the core activities of the controller or the processor involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”, which include data such as racial or ethnic origin, political opinions, and religious or philosophical beliefs. DPOs must be ‘experts’ on data protection law and practices, and their exact responsibilities are defined in article 39 of GDPR. DPOs also have some rights to help them fulfil their role – for example, they can insist on company resources to carry out their responsibilities and on their own personal training.
GDPR also gives EU citizens several rights with regards to their data. The first is the ‘right to erasure’. Previously known as the ‘right to be forgotten’, from May 2018 citizens have the right to ask organisations to delete their personal data (except where this would result in the organisation breaching another law or regulation). The second is the right to data portability – citizens will have the right to transfer their data between service providers if they want to.
GDPR also gives citizens the right to access their personal data and the right to rectification. They will be able to request a copy (in a readable format) of any personal data an organisation may hold about them and if they spot that an organisation has incorrect personal data the organisation must rectify this within one month of the citizen notifying them.
Organisations will also have to be more transparent about how personal data is used. They must disclose to citizens how and when their personal data is collected, how it is processed and which third parties it is shared with. This is a challenge for large multi-national companies who may have supplier lists that run into the thousands – are you able to report which third parties take and process data that your company has collected? If a citizen requests the right to erasure are you able to pass on the request to all the third parties who process that citizen’s data?
One of the biggest implications of GDPR is around a company’s response to a data breach. GDPR defines what data breaches are notifiable and these must be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of the breach. Failing to do so can result in a 10 million euro fine (or 2% of the company’s global turnover, whichever is greater).
What happens if I am not compliant?
Organisations that contravene the regulation and do not comply fully can face some very serious sanctions, depending on which aspect of the regulation they have contravened. Maximum fines of 20 million euros or up to 4% of the company’s global turnover (whichever is the greater) can be imposed. In addition to this, the relevant supervisory authority (the ICO in the UK, for example) can issue bans on companies to prevent them from any further processing of personal data.
To prove compliance with GDPR organisations must maintain documentation of their personal data processing activities and ensure that they have kept records of what data they have processed and in what ways the data has been processed. All new products and services created by companies must also be designed from the outset with data protection safeguards built in – privacy impact assessments will also become mandatory in certain cases.
This sounds massive – does it not come with any controversy?
GDPR’s huge scope and large impact on any company that processes EU data has led to some controversy and possible challenges in its implementation. The first point of controversy is around the regulation’s territorial scope. Article 3 of the regulation applies to any business that stores or processes the data of an EU citizen, regardless of the geographical location of that business. But how will article 3 be enforced? Can the EU make a business that resides outside of the EU comply with GDPR? And when a business outside of the EU fails to comply, how will the EU enforce the sanctions on that company? Will other countries respond with their own borderless regulations?
The second point of controversy is around the ‘Right to be Forgotten’ that GDPR gives EU citizens. Under GDPR, any EU citizen can request that a company that holds data on them must remove it and take reasonable steps to inform third parties of the request to remove the data.
This causes problems in several areas. Can people request that news articles about them be taken down? Is this a breach of freedom of speech? And once the data has been published on the web how is it possible for the company to inform all other sites that may have copied the data to remove it as well?
The third main area of controversy is around the fines and sanctions that may be imposed on companies that do not comply with GDPR. For several violations, the fines are set at two or four percent of global turnover – but why is global turnover being used to calculate the fine? Can the EU impose fines that are calculated using revenues earned from outside of the EU?
But what about Brexit?
The vote that occurred on the 23rd June has raised many questions concerning the applicability and relevance of GDPR to British companies. With Britain now most likely leaving the EU, why would our companies need to be compliant with an EU regulation?
The short answer is because of GDPR’s global reach. GDPR applies to any company that stores or processes EU data, and as such any UK company that has contact with EU data will need to ensure that it is compliant with the regulation. Thus, Brexit has very little impact on the relevance of the regulation for UK companies.
GDPR’s sweeping scope means that it will have a huge impact on all companies that process or store EU citizen data, regardless of where in the world they are located. With fines that could reach 4% of a company’s global turnover, it is not something that can be ignored.
Organisations need to act now: they should start reviewing the regulation to see if it is applicable to them, and they need to start conducting gap analyses to focus their compliance efforts and ensure compliance by May 2018.
This article appeared in the December 2016 edition of Cyber World.