If your company is obtaining and/or storing data from clients who are residing in the EU – no matter whether this processing is done within the EU or outside – it will be affected by the provisions of the General Data Protection Regulation (GDPR). So what is the GDPR and how will your business be affected?
This Regulation deals with the processing of 'personal data', which is essentially any personal information that by itself can identify a person, such as an ID or social security number, but also data that can identify a person when combined, for example a customer's address together with their date of birth. Thus, businesses processing any information from customers located in the EU, such as first and last name, phone numbers, date of birth, copies of their IDs, addresses, and much more, are impacted by the GDPR.
While other measures are currently in place, such as the Data Protection Directive of 1995, by the end of May 2018 the General Data Protection Regulation will become enforceable, which means that the supervisory bodies may start imposing fines on those companies that are not compliant.
This new Regulation is a major development in the data protection area as it amends and adds several features that were not present before - such as very high fines in cases of infringements - so read on to find out more:
[Disclaimer: this is not binding advice as we're not lawyers but it's a good place to start reading]
Main changes and additions:
1. Territorial scope
The GDPR's jurisdiction is more encompassing than that of its predecessor: it applies to all companies processing data belonging to EU residents, no matter whether the processing is carried out in the EU itself or not. This means that it also applies to European companies that process the data outside of the EU and to non-European companies that process data belonging to EU residents.
2. Penalties that apply
While under the Data Protection Directive the Member States had the task of imposing 'suitable measures', the GDPR sets out clear penalties: it can impose fines of up to 20 million euro or 4% of a company's annual turnover (whichever is higher will be the maximum). The different categories of fines, based on their level of severity, are set out in Article 83 of the Regulation; the most severe ones are under subsections 5 & 6.
3. Consent
This Regulation makes it explicit that consent must be given unequivocally, meaning that in the case of checkboxes, they cannot be pre-selected (which would allow people to accept inadvertently) and they must be written in a clear manner. The latter means that a request for consent cannot be bundled with other information. It is also important to clearly explain how to withdraw such consent (for example, by explaining how to unsubscribe).
4. Data protection officers
The GDPR introduces this new position, whose role is to supervise a company's implementation of and compliance with the GDPR by advising controllers and processors of their obligations and by reporting to the authorities when requested. A DPO is only required in certain cases, such as when processing is carried out by a public body or authority; when a company's activities require regular and systematic monitoring of data subjects on a large scale; or when a company's data processing relates to criminal convictions and offences.
5. Data subject rights
- Right to access: customers can request to find out whether a company holds any information about them and, if so, what information, for what purpose and where the processing is taking place. If a customer requests the information being kept on them, the company will have to provide it within a timeframe of 30 days.
- Right to rectification: according to Article 16, customers can ask to have any inaccurate data a company holds on them corrected, or to have any incomplete data completed. As with the right to access, the timeframe for this is 30 days.
- Right to be forgotten: this right means that customers can request to have their information deleted from the system and to stop any further processing. For example, an individual could contact a retailer and request that they delete their account and any information they may hold on them. However, the right to be forgotten is subject to certain conditions (which can be found under Article 17), such as the personal data no longer being necessary for the purposes for which it was collected.
- Right to object: Article 21 introduces the right for customers to object to companies processing their personal data. If the company has no legal basis for processing that information (a legal basis being, for example, a requirement imposed by law), then it will have to stop.
- Data breach: customers have the right to be informed within 72 hours when there has been a breach in the system and their data has been exposed. Thus, when a company's system has been put at risk or customer data has been stolen, the company has the obligation to let the affected people know what happened within 72 hours of becoming aware of it.
6. Privacy by design
Although this concept is not new (it was first introduced by the Canadian Information and Privacy Commissioner Ann Cavoukian), the GDPR includes it as an obligation in Article 25. The goal is for organizations to take data protection into account from the beginning, such as when they start designing their systems. Part of this 'by design' approach means that data protection is included 'by default' and that a proactive stance is taken: companies should not wait until data is at risk but should instead take preventive measures.
The next chapter of this series will explain what your next steps as a company should be to start becoming GDPR-compliant.