The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise the fragmented patchwork of national data-privacy laws across Europe. Its main aim is to introduce a single regime under which firms must protect the personal data of individuals in the EU (the regulation protects data subjects who are in the EU, regardless of their citizenship).
After four years of preparation and debate the GDPR was finally approved by the EU Parliament on 14 April 2016. It was adopted in early May 2016 and the deadline for compliance was set for May 2018.
The official enforcement date is 25 May 2018. From that date all firms processing personal data about individuals in the EU will need to comply or face heavy fines. It is billed as the most important change in data privacy regulation in over two decades.
Some FAQs to explain the key points surrounding the new regulation.
When is the GDPR coming into effect?
GDPR was approved and adopted by the EU Parliament in April 2016. The regulation will take effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by government; it will be enforced in May 2018.
With Brexit on the horizon, should a UK firm still continue with GDPR planning and preparation?
Yes. If you process data about individuals in the EU in connection with offering them goods or services, you fall within the scope of the new GDPR rules, so you need to comply. If your activities are confined to the UK, the exact position is still unclear, but we expect an equivalent set of rules to be implemented in UK law. Bear in mind that the UK fully supported GDPR from its inception through to passing the final legal hurdles.
Who does the GDPR affect?
The scope within the EU is clear: all firms that process personal data are affected. There is concern regarding the extra-territorial reach of the new rules. If you are a firm outside the EU and you offer goods or services to individuals in the EU, or you monitor their behaviour (for example by tracking them online), you are in scope. Therefore ALL companies processing and holding such personal data, regardless of location, should be implementing compliance.
What are the penalties?
Fines are tiered. The upper tier is up to €20 million or 4% of annual global turnover, whichever is higher, and applies to the most serious breaches, such as processing personal data without a valid lawful basis (for example without valid consent) or infringing individuals' rights. The lower tier is up to €10 million or 2% of annual global turnover, whichever is higher, and applies to breaches such as not keeping records of processing in order, or failing to notify the supervisory authority and affected individuals about a data breach.
Will Cloud storage be exempt?
No. GDPR obligations apply to both controllers and processors, so cloud providers (which typically act as processors on behalf of their customers) are not exempt from GDPR enforcement, and the controller remains responsible for choosing processors that offer sufficient guarantees.
What types of data are covered?
Any information relating to a natural person that can be used to identify that person directly or indirectly. Examples include a name, a photo, an email address, bank details, social media posts, medical information, or even an IP address or other online identifier.
What is the difference between a data processor and a data controller?
A controller is a firm that determines the purposes and means of the processing of personal data.
A processor is an entity which processes personal data on behalf of the controller.
Do data processors need ‘explicit’ consent?
Consent is obtained by the controller, not the processor, which processes data only on the controller's documented instructions. The conditions for consent have been strengthened: consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action (pre-ticked boxes, silence or inactivity do not count). A request for consent must be clearly distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. Firms also have to ensure it is as easy for individuals to withdraw consent as it was to give it. Note that consent is only one of several lawful bases for processing; it is not always required.
Explicit consent Vs unambiguous?
Explicit consent is the higher standard: the individual must expressly confirm their consent, for example by ticking an unticked box or signing a statement. It is required for processing sensitive (special category) personal data, and also for some other situations such as solely automated decision-making with legal or similarly significant effects.
For other personal data, unambiguous consent is sufficient: a clear affirmative act by the individual, which still rules out pre-ticked boxes, silence or inactivity.
What about individual(s) under the age of 16?
Where online services are offered directly to a child and processing relies on consent, parental consent will be required for children under the age of 16. Member states may lower this threshold, but not below 13.
What is the difference between a regulation and a directive?
A regulation is a binding legislative act that applies directly in every member state, in its entirety and as written; member states do not have to transpose it into national law and cannot implement it differently. A directive sets a result to be achieved but leaves each country to decide how to implement it in national law.
Which firms need to appoint a Data Protection Officer (DPO)?
DPOs must be appointed by public authorities and bodies, by firms whose core activities involve large-scale regular and systematic monitoring of individuals, and by firms whose core activities involve large-scale processing of sensitive (special category) personal data or data about criminal convictions. If your organisation does not fall into one of these categories (and no member-state law requires it), you do not have to appoint a DPO, although you may appoint one voluntarily; if you do, the same rules on the DPO's position and tasks apply.
What about data breaches?
A personal data breach must be notified to the supervisory authority (in the UK, the ICO) within 72 hours of the firm becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be notified without undue delay. All breaches, whether notified or not, must be documented internally.