In April 2016, the European Union approved the General Data Protection Regulation (GDPR). This regulation is a modernized replacement of the Data Protection Directive 95/46/EC, established in 1995. After a two-year transition period, companies must comply with the regulation after its official enforcement on May 25, 2018. Non-compliance will result in heavy fines for organizations.
Key highlights of the GDPR include:
- Increased territorial scope – extra-territorial applicability. The regulation applies to any company that processes personal data of people residing in the EU, regardless of where that company is located. Additionally, data processing does not need to take place in the EU for it to be subject to EU law. The law also requires that non-EU businesses processing the data of EU citizens must appoint a representative in the EU.
- Penalties. Non-compliant companies may face a maximum fine of up to four percent of annual global turnover or 20 million EUR – whichever is greater. Penalties are tiered along the lines of the severity of the infringement.
- Consent. Under this regulation, it will be illegal for companies to continue using long and difficult to understand terms and conditions full of legalese. Requests for consent must be intelligible and easily accessible, using clear and plain language. In addition, it must be as easy to withdraw consent as it is to give it.
The GDPR further grants more rights to data subjects, including:
- Breach notification. Within 72 hours of having become aware of a breach, data processors must notify their customers and controllers without undue delay.
- Right to access. Data subjects have the right to obtain confirmation as to whether personal data concerning them is being processed, where and for what purpose, free of charge.
- Right to be forgotten. A data subject may request to have his/her personal data erased, further dissemination of the data ceased, and the processing of the data by third parties halted.
- Data portability. Data subjects may receive their personal data, which they have previously provided and may transmit that data to another controller.
- Privacy by design. Controllers may hold and process only the data necessary for the completion of their duties and must limit access to personal data to those processors carrying out the processing.
Under the regulation, public authorities and organizations that engage in large scale monitoring or processing of sensitive personal data must appoint a data protection officer (DPO), who:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
- May be a staff member or an external service provider
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could result in a conflict of interest
The new internal record-keeping requirements and the DPO appointment will be mandatory only for those controllers and processors whose: 1) core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or 2) data includes special categories of data or data relating to criminal convictions and offences.
To prepare for the enforcement of the GDPR, Laurie Fischer, Managing Director of Information Governance at HBR Consulting, suggests companies take the following steps to ensure they comply with the regulation:
- Collaborate with internal stakeholders. Organizations should create a team dedicated specifically to developing and implementing new policies and procedures to support compliance with the GDPR. This team should decide on an overall strategy, what new security measures need to be enacted, a timeline for implementation, and how employees will be trained on new processes.
- Know your data. Companies must familiarize themselves with the GDPR’s broadened definition of “personal data.” Once familiar with what data is protected, companies can begin to create practices for managing such information.
- Create a GDPR strategy. After becoming more familiar with the GDPR, companies should establish a GDPR compliance framework. Organizations must ensure that all employees are educated and trained on their roles and responsibilities in regard to the new requirements.