The new EU General Data Protection Regulation or GDPR is meant to standardize data protection laws and strengthen data protection for individuals across the European Union (EU). The new law will apply to any company small or large that collects or processes personal data of any EU resident and regardless of where the organization is based in the world.
The GDPR, approved in April 2016, will be enforced on the 25th of May 2018 and replaces the Data Protection Directive 95/46/EC. Organizations after that time could face heavy fines if found out of compliance.
It may take a few perusals of the new regulation and supporting articles to better understand the terminology. Here are just a few of the most commonly used terms in the GDPR.
“Controller” – An organization, entity or legal person that collects personal data from European Union (EU) residents, regardless of location or country of origin. For example, a controller could be a bank or website operator that determines the purposes and means of the processing of personal data.
“Processor” – An organization, entity or legal person that processes data on behalf of a data controller, such as a service provider (e.g., cloud providers, data centers, document management companies, etc.).
“Data Subject” – A person or individual who resides in the EU.
“Personal Data” – any information used to identify a ‘data subject’ or natural person, via identifiers such as a person’s name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
With that, here are our ten key and favorite takeaways from the new GDPR regulation to include some changes from the previous directive. At the end of this article, we’ve also included some quick references to just a few GDPR articles and brief summaries.
1. Extended Jurisdiction
Perhaps the biggest change is GDPR applies now to all companies processing or controlling personal data of EU data subjects, regardless of the company’s location. This also applies even if processing takes place in or out of the EU, per Article 3 “Territorial Scope.”
Organizations that are out of compliance or in breach of the GDPR can be fined up to 4% of the annual global turnover (aka “revenue”) or 20 million Euros, whichever is greater. GDPR will also use a tiered approach to fines. For example, a 2% fine could be imposed for not keeping records in order or failing to notify supervising authorities and data subjects. Not conducting an impact assessment could also result in fines. See related Article 83.
Conditions for consent have been strengthened. For example, companies must make their terms and conditions much more clear by removing illegible, legal lingo that is hard to understand. Organizations will need to ensure consent is, as stated in the GDPR, “provided in an intelligible and easily accessible form, using clear and plain language.” See related Article 7.
4. Breach Notification Changes
Breach notification will become mandatory in all member states and must be done within 72 hours after the organization first becomes aware of the breach. Data processors will also be required to notify their customers and controllers “without undue delay” as soon as they learn of the breach, per Article 33.
5. Right to Access
GDPR expands data subjects “right to access” or to obtain a confirmation from the data controller on whether or not his or her personal data is being processed, where and for what purpose, per Article 15. Controllers are also required to provide free of charge a copy of personal data in electronic format. The end result is to improve transparency and individual empowerment over their data.
6. Data Erasure
GDPR specifies individuals in EU have the “right to be forgotten” or have his/her data erased, no longer disseminated and potentially no longer processed by third parties. Conditions are outlined in Article 17, such as data that is no longer relevant to original purposes of processing the personal data.
7. Data Portability
A person has the right to receive from the data controller his or her own personal data that was previously provided in a “structured, commonly used and machine-readable format.” A person also has the right to transmit that data to another data controller without hindrance under certain circumstances, as outlined in Article 20 of the Right to Data Portability.
8. Privacy by Design
“Privacy by Design” has been around for a while, but is becoming a legal requirement with the GDPR. It basically calls for the inclusion of data protections in early system design, not just an addition. The European Union Agency for Network and Information Security (ENISA) also provided a report on how data privacy by design and default can be achieved, per Article 25. Privacy by Design and Default should also take into consideration Security of Processing controls as outlined in Article 32, such as data encryption of personal data, availability of personal data and proper testing of security controls to ensure effectiveness, just to name a few.
Data controller organizations must hold and process only the minimum data required to carry out its duties, also called “data minimization.” Organizations must also limit access to personal data to only those authorized to perform processing of the data. See Article 23 for more details.
9. Data Protection Officers (DPOs)
To help cut down on the “bureaucratic nightmare” of having member states having to manage different notification requirements, organizations will no longer be required to submit notifications to each DPO nor have to get approvals for transfers based on Model Contract Clauses (MCCs).
Instead, organizations will have to appoint a mandatory DPO only for controllers and processors “whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or relating to criminal conviction and offenses.” Internal record keeping will also be necessary to meet GDPR requirements. See Article 38 for more details about the DPO and related activities in Article 39.
There is debate over what size organizations would qualify. For instance, the Commission refers to enterprises over 250 employees. Parliament calls for organizations that process data of more than 5,000 data subjects in 12 months. Council does not mandate a DPO unless required by EU or member state law. We will see how this plays out over the next year.
Finally, one of the key drivers behind the new GDPR requirements is the “one-stop-shop” to help simplify and harmonize data protection laws. There has been considerable debate, however, over how to balance between “reducing the red tape” of such harmonization and ensuring the rights of data subjects are secured by the ability of legal redress with appropriate DPA.
Language barriers, lack of sufficient resources and shortage in experienced privacy staff could also cause challenges for companies to implement GDPR effectively.
All in all, the EU GDPR should help improve overall data privacy and could set a higher bar for many organizations to achieve. Achieving GDPR compliance could also add business benefits by gaining additional customer trust. GDPR provides many good business practices that will benefit any company. Look for an upcoming article where we’ll dive a little deeper into recommendations for more specific data security controls to help organizations meet GDPR requirements.
Quick references to related GDPR articles
Some related statements from GDPR articles referred to in this article are provided in part below, but see full GDPR articles for more details.
- “This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”
- Regulation applies to processing activities related to:
- “The offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
- the monitoring of their behavior as far as their behaviour takes place within the Union.”
- “This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”
- “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
- “If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.”
- “The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.”
- “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”
Article 15 – Right of access by the data subject
- “The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information [see articles for details to include purposes of the processing, categories of personal data, etc.].”
- “Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.”
- “The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form.”
Article 17 – Right to erasure (‘right to be forgotten’)
- “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies [see article for details on grounds to include personal data no longer necessary to original purpose of why it was collected, personal data unlawfully processed, etc.].”
- “Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.”
Article 20 – Right to data portability
- “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided…”
- “In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.”
Article 23 – Restrictions
- “Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard [national security, defense, public security, etc. – see Articles for full details].”
Article 25 – Data protection by design and by default
- “Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”
- “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”
- “An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.
Article 32 – Security of processing
- “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- (a) the pseudonymisation and encryption of personal data;
- (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
- “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”
- “Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.”
- “The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.”
Article 33 – Notification of a personal data breach to the supervisory authority
- “In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.”
- “The processor shall notify the controller without undue delay after becoming aware of a personal data breach.”
- “The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.”
Article 38 – Position of the data protection officer
- “The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.”
- “The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.”
- “The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.”
- “Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.”
- “The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.”
Article 39 – Tasks of the data protection officer
- “The data protection officer shall have at least the following tasks:
- (a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- (c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
- (d) to cooperate with the supervisory authority;
- (e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.”
- “The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.”
Article 42 – Certification
- “The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account…”
Article 83 – General conditions for imposing administrative fines
- “Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.”
- “Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher [see article for specific provisions].”