The EU’s new data protection regulation, known as the GDPR (General Data Protection Regulation), can significantly affect the way your organisation handles personal data. Your organisation will not only be responsible for ensuring compliance with the regulation in terms of handling and protecting personal data; it can also be penalised for non-compliance and will be liable for any damage resulting from data breaches. The General Data Protection Regulation aims to harmonise data protection rules throughout the EU and to strengthen and unify data protection. It addresses the security of personal data of EU citizens and individuals within the EU, and it also regulates the export of personal data outside the EU. The Commission’s primary objectives for the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
The regulation was adopted on the 27th of April 2016. It enters into application on the 25th of May 2018, after a two-year transition period, and will replace the current data protection directive 95/46/EC from 1995. Unlike a directive, it does not require any enabling legislation to be passed by national governments.
Legal & Regulatory roles and obligations
Awareness (value, costs, risks, compliance, architecture)
Maturity and vision
Impact on business model
The GDPR will supersede all current national data protection laws in the EU. Here is an overview of the main expected changes that organisations will have to be aware of and adapt to:
Expanded territorial reach
The GDPR applies to organisations and their subcontractors outside the EU. In practice this means that a company outside the EU that targets consumers in the EU will be subject to the GDPR.
Accountability and Privacy by Design
The GDPR makes organisations fully accountable for demonstrating compliance. This includes requiring them to document compliance, to conduct data protection impact assessments for risky data processing, and to implement data protection by design and by default in their operational processes.
Consent
A data subject’s consent to the processing of his or her personal data must be given freely and, for sensitive data, explicitly, either by a statement or by a clear affirmative action indicating agreement to the processing. Consent can be withdrawn at any moment. The organisation must be able to demonstrate that consent was given.
Data Breach Notification
Organisations must notify data breaches to the Data Privacy Authority. This must be done without delay and, where feasible, within 72 hours of becoming aware of the breach. A substantiated justification must be provided if this timeframe is not met. The organisation must also notify the affected data subjects without delay when their data has been compromised.
Role of subcontractors
One of the key changes in the GDPR is that subcontractors have direct obligations. These include implementing technical and organisational measures and notifying your organisation of data breaches without delay.
Penalties
The GDPR establishes penalties for infringements: fines of up to 4% of annual worldwide turnover for a data breach and up to 2% of annual worldwide turnover for non-compliance.
Data Protection Officer (DPO)
In specific circumstances, organisations or subcontractors must designate a Data Protection Officer. The DPO must have sufficient expert knowledge and may be an employee or engaged under a service contract.
Right to be forgotten
Individuals can require the organisation to erase their personal data without undue delay. A typical example is where they withdraw consent and no other legal ground for processing applies.