What is GDPR?
General Data Protection Regulation (GDPR) is a data privacy regulation adopted by the European Parliament in April 2016. It will be enforced from 25 May 2018 against all companies that conduct or process business in the EU and handle personal data. Its primary purpose is to protect the data privacy of EU citizens and to set the direction for business attitudes and practices around data privacy. After the enforcement date, class action lawsuits and heavy fines may apply to businesses that are not compliant.
How is personal data defined?
Personal data is defined as any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, physical address, phone number, bank details, social networking posts, medical information, or a computer IP address.
Furthermore, parental consent will be required to process the personal data of children under the age of 16 for online services.
Who needs to be compliant?
The wording from authoritative sources differs slightly on this subject.
The Office of the Australian Information Commissioner (OAIC) states: “Where a business has ‘an establishment’ in the EU”, GDPR will apply.
The governing European body states more loosely on EUGDPR.org that “GDPR applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.”
More broadly speaking, GDPR applies to companies offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU.
What are the penalties for non-compliance?
Companies found to be in breach of GDPR may be fined up to 4% of annual global turnover or €20 Million (whichever is greater). A documented tiered approach matches the severity of a breach to the appropriate level of fine. Penalties apply to both data controllers (e.g. applications) and processors (e.g. cloud services).
Will we need to appoint a Data Protection Officer (DPO)?
A DPO must be appointed if a company’s core activities consist of processing operations which require regular and systematic monitoring of users on a large scale or of special categories of data or data relating to criminal convictions and offences. The DPO:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices
- May be a staff member or an external service provider
- Must have their contact details provided to the relevant Data Protection Act (DPA)
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could result in a conflict of interest.
It sounds like our company needs to comply. How might this impact our day to day operations?
- Breach Notification: A data breach that is likely to “result in a risk for the rights and freedoms of individuals” must be notified to regulators within 72 hours (3 days) of first having become aware of the breach.
- Consent: Rules concerning consent have now been strengthened. User consent obtained via terms and conditions can no longer be buried amongst excessive legal jargon/terminology. Clear/plaintext language must be used, and consent must be just as easy to withdraw as it is to give it. Active consent must be given (i.e. silence, pre-ticked boxes or inactivity does not constitute consent).
- Right to access: Users may request confirmation of whether personal data concerning them is being processed, where the data is, and for what purpose. The data controller must provide a copy of the personal data, free of charge, in an electronic format.
- Right to be forgotten: Effective data erasure processes must be in place. This applies when the data is no longer relevant to the original purposes, or when a user withdraws consent.
- Data Portability: Users may request their data, and have the right to transfer that data to another data controller.
- Privacy by design: Data controllers should only hold and process personal data that is absolutely necessary for the intended purpose, and should limit access to those who need it.
- Reasonable protection of personal data: Companies must provide a “reasonable” level of protection for personal data. The definition of “reasonable” is interpretable and may differ from business to business.