EU GDPR: General Data Protection Regulation

What it is and how it will disrupt data management and privacy.

UNLOQ
6 min read, Nov 25, 2016


“…a major step towards a Digital Single Market. It will remove barriers and unlock opportunities.” Andrus Ansip, Vice-President for the Digital Single Market

What it is

The European Union’s General Data Protection Regulation replaces the current Data Protection Directive 95/46/EC. Its purpose is to harmonise the country-specific, and sometimes conflicting, data privacy laws across Europe.

Most importantly, it aims to change the way organisations that operate in the EU, or that collect personal data about people in the Union, approach data privacy.

Empowering citizens regarding their personal data is one of the main objectives pursued through the Regulation.

As a regulation, the GDPR applies directly across the Union, unlike a directive, which each member state must transpose into its national law.

Who is responsible for the process

Officially, five European institutions are involved in the legislative process, namely:

  • 3 decision-making bodies (the Commission, which proposes the text, and the Parliament and the Council, which adopt it)
  • 2 advisory bodies

Projected time-frame

As with any EU legislation, there is a lengthy path from proposal to implementation. The European Commission issues a proposal, which then goes to the Parliament and the Council for rejection, adoption or further amendment.

If the two bodies amend the text differently, the three institutions meet for the so-called trilogue negotiations to agree on a single version.

The General Data Protection Regulation was first proposed by the Commission in January 2012. The Parliament adopted its amendments in March 2014, and the Council agreed its own position in June 2015. Because the two texts differed, trilogue negotiations opened on the 24th of June 2015.

Agreement on the final text was reached in the informal negotiations phase (trilogue) on the 15th of December 2015. The Regulation was then formally adopted by the Council and the Parliament in April 2016 and published in the Official Journal of the European Union on the 4th of May 2016.

GDPR entered into force on the 24th of May 2016 and applies from the 25th of May 2018. Being a regulation rather than a directive, it does not need to be transposed into national law: from that date it is directly enforceable in every member state.

Here is a more detailed GDPR timeline.

“Citizens and businesses will profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation in a European Digital Single Market.” Věra Jourová, Commissioner for Justice, Consumers and Gender Equality

What it means for individuals

  • Regarding consent, requests for it must be presented in a clear, easily accessible and intelligible form that states the purpose of the data processing.
  • People will have the right to withdraw their consent as easily as they gave it. This is particularly relevant for subjects who gave their consent as a child, or who were not fully aware of the risks involved in the processing.
  • In addition, people will have “the right to be forgotten”, or right to erasure, which means that the company processing and holding their data will be obliged to delete all of it, including copies. This obligation extends to third parties that have received that data.

To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps, tak

  • Where a breach of their personal data is likely to put them at high risk, affected individuals must be informed of it without undue delay. Separately, the organisation holding the data must notify the supervisory authority within 72 hours of becoming aware of the breach.
  • Individuals will have the right of access: to obtain confirmation of which of their personal data is being processed, the purposes of the processing, and who it is shared with.
  • People will have the right to data portability, which means receiving their personal data in a machine-readable format and having it transmitted to another data controller.

What it means for companies

  • There will be a single set of rules throughout the European Union, which will cut the cost of doing business in the EU. Companies will deal with a single lead supervisory authority rather than one per member state.
  • Companies that hold and manage personal data must inform the people concerned about the data they are collecting and its purpose.
  • They will be legally obliged to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to inform affected users without undue delay where the breach is likely to put them at high risk.
  • Data controllers will have to provide a copy of all the personal data they hold about a person, free of charge and on request (a reasonable fee may be charged for further copies); where the request is made electronically, the copy should be provided in a commonly used electronic form.
  • At the request of users, companies must erase all of their personal data, stop processing it, and ensure that third parties to whom it was disclosed delete it as well.
  • Also at users’ request, their data must be transmitted to another controller of their choice.
  • Companies will have to design their systems with privacy in mind from the start (privacy by design and by default), rather than adding it later. This means taking appropriate technical and organisational measures to protect the privacy of their users.
  • Data controllers will collect and process only the personal data that is adequate, relevant and necessary for the stated purpose (data minimisation), and keep it no longer than needed.
  • They will also have to restrict access to this data to the people and systems that genuinely need it.
  • Organisations whose core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data or data relating to criminal convictions, will need to appoint a Data Protection Officer (DPO). The DPO monitors compliance with the Regulation, including the internal record-keeping requirements.
  • GDPR applies both to organisations established in Europe and to those outside it that offer goods or services to, or monitor the behaviour of, people in the EU.

What The Fines Are

The approach to fines is a two-tiered one. Fines are set according to factors that include the nature, gravity and duration of the infringement.

The maximum fines can go up to 4% of the company’s annual worldwide turnover, or €20 million, whichever is higher. These apply when the data subjects’ rights or the basic principles of processing have been infringed, for example when data has been processed without a legal basis, or transferred outside the EU unlawfully.

Other infringements can attract fines of up to 2% of the annual worldwide turnover, or €10 million, whichever is higher. This tier applies, for example, when companies cannot demonstrate adequate security measures, have not appointed a DPO where one is required, or have not put a data processing agreement in place with their processors.

The relevant provisions on data security are contained under Articles 5 and 32 of the Regulation.

How you should be preparing

1. Put in place an accountability framework that lets you demonstrate that you meet the required standards.

2. Design your product with privacy in mind from the start, rather than adding it later.

3. Establish clear policies and procedures for handling a data breach, so you can notify the supervisory authority and affected people in time.

4. Review your privacy policies and notices, so that they are easy to understand and accessible.

5. Be prepared for citizens to exercise their newly-gained rights, often with unrealistic expectations.

6. If you are carrying out cross-border data transfers, including intra-group ones, make sure you have a valid legal mechanism for transferring personal data to jurisdictions that are not recognised as providing adequate data protection.

EU GDPR will disrupt data collection and management as we know it today, bringing privacy to a whole new level.

18 months until the Regulation is fully enforced might seem like a lot, but adapting a business to the new rules is often a lengthy process. It is therefore important to start preparing as soon as possible, as the Regulation brings a whole range of changes to EU data protection legislation.


The next generation of Multi-factor Authentication https://unloq.io/. Strong Passwordless Multi-Factor Authentication Security Solution.