GDPR: An Overview
Technology is changing at a rapid pace, and this has significant consequences for laws and regulations that are in place to protect consumers. The 1995 Data Protection Directive was quickly becoming obsolete; it was created in an era before the Internet was widespread, and lawmakers were unable to foresee how ‘the age of big data’.
Individuals now store an unprecedented amount of information online, and businesses hold tremendous amounts of data on their customers. Countries tried to adapt to this change by introducing laws or regulations that attempted to hold these companies responsible for the data they hold, but often these laws were weak and not robust to further technological developments. As a result, it was mainly up to organisations to implement their data protection strategies.
To combat this problem, in January 2012, the European Commission set in motion plans to reform data protection laws across the European Union to make the law “fit for the digital age”. This process eventually produced the 99 articles of the General Data Protection Regulations, or GDPR. Since its implementation in May 2018, GDPR has already revolutionised the data security landscape across the globe.
It is essential that all organisations that any organisation that handles the personal data of individuals is aware of its requirements to remain fully compliant with its stipulations. The penalties for a violation are substantial; either €20 million, or 4% of the company’s global annual turnover-whichever is higher.
Who is protected by GDPR?
There is much confusion about who’s data GDPR protects. It is commonly believed that GDPR only protects the data of EU citizens. This is incorrect; GDPR protects the data of any individual, regardless of their nationality, who has their data collected while they are within the borders of an EU country. Conversely, GDPR does not apply to the data of EU citizens if the data is collected outside of the EU’s borders.
An example may illustrate this point. If an American citizen is temporarily residing or travelling in an EU country, such as Ireland, and provide personal information during a transaction at a local business, such exchanging some information to use a WiFi service, this personal information is covered by GDPR as the person is located within the EU. The American citizen still has rights over their data even if they travel back to America, as that data was collected in the EU.
Conversely, if an Irish citizen is travelling in America, would not be covered by GDPR. Any data that they provide to an organisation in a similar transaction to above would be subject to American individual data protection laws.
In addition to protecting consumer data, GDPR also grants individuals new rights over their information. These rights include:
Following its introduction in May 2018, GDPR has granted individuals new rights concerning their data. These include, but are not limited to:
- Right of access
- Right of rectification
- Right to object to how their data is handled
- Right to restrict processing
- Right to erasure (Right to be forgotten)
- Right to data portability
- Right to complain to a supervisory authority if they are dissatisfied if how their data is being handled
- Right to be represented by an independent, not-for-profit body when lodging a complaint
Who must comply with GDPR?
GDPR covers any organisation collects or processes data within the EU is subject to GDPR compliance, regardless of where the physical location of their headquarters. Even businesses that only collect or process data through subsidiary or branch of the leading company which is based in the EU must comply with GDPR.
Due to the nature of modern international business, it is clear that GPDR has had a significant impact worldwide. Organisations must comply with GDPR even if the EU is only a small part of the business’s consumer base. GDPR covers all types of organisations, including public agencies, governments, or companies of various sizes.
As a reminder, the EU Member States are: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.
Although the UK is due to leave the EU in March 2019, GDPR was introduced to their laws in May 2018 along with the other member states. Therefore, GDPR will remain a part of UK law after Brexit.
Data Processors, Data Controllers, and Data Protection Officers
Understanding the roles of data processors, data controllers, and data protection officers (DPOs) is critical to becoming compliant with GDPR. Each has a specific role to play in the protection of private data. Here, we give a brief outline of each role.
Data controllers are an organisation that oversees the collection of data. Data controllers have specific responsibilities under GDPR, which include:
- Affording transparency with the data subject as to how they handle their data
- Ensuring that data may easily be translated from one place to another
- Providing evidence to the data subject that they are fully GDPR-compliant
- Ensuring that they can uphold the rights of a data subject
Data processors are defined as a body which processes data on behalf of a data controller. They must:
- Have a pre-arranged contract with a data controller regarding the processing of data
- Ensure that the rights of the data subject are respected
- Adequate safeguards must be in place to protect the integrity of sensitive data
GDPR requires data controllers and processors based within the EU must appoint a DPO to assist in monitoring their internal compliance. The DPO is usually appointed from the organisation ’s staff and must have expert knowledge of data protection laws and practices. If an appropriate individual is not found within the organisation, they may hire a third-party contractor to act as a DPO. However, the DPO may not hold a conflict of interest and must be impartial in carrying out their role.
All large businesses which are covered by GDPR must appoint a DPO. However, if a small business is processing sensitive information, as described in Article 9 of the GDPR, it may be a requirement for them to appoint a DPO too.
The responsibilities of a DPO include:
- ensuring that data is protected to the standard outlined in GDPR
- the education of staff on subject data rights and their responsibilities under GDPR
- advising to senior management regarding GDPR compliant business practices
- monitoring activities across the organisation to ensure they are GDPR compliant
- cooperation with the Lead Supervisory Authority
- assessing IT systems, computer networks and data protection safeguards to ensure they are of the required standard
- notifying data subjects in the event of a data breach
GDPR and US Businesses
The EU-US Privacy Shield Framework was adopted in 2016 and concern the protection of data shared across the Atlantic. The EU has ruled the US privacy laws to be inadequate and below their standards. Therefore, organisations must take extra measures to prove they have ‘adequate safeguards’ in place to protect data if they wish to use the data of EU citizens. The Framework allows private data to be transferred outside of the EU if the recipient organisation is certified by the US Department of Commerce or the EU Supervisory Authority.
Certified organisations must process and use the data following the guidelines set out by the Framework. The US Federal Trade Commission or Department for Transportation is responsible for enforcing these rules. Organisations must conduct an annual review to self-certify that they are compliant with the Framework to prove they are still capable of handling EU data.
It is important to note that being Privacy Shield-certified does not guarantee that an organisation is also GDPR-compliant. Organisations may need to adopt new practices and procedures to comply with the new rules introduced by GDPR.
US companies may be required to hire a local GDPR representative. This role is somewhat comparable to a DPO for EU-based organisations. GDPR requires organisations based outside of the EU, but that collect or process the personal data of EU citizens are required to hire a local GDPR representative based within the EU.
For example, if a US based company sells products to residents based in France, but does not operate through a French branch or subsidiary, they are required to hire a local GDPR representative. In contrast, if a France-based organisation were to do the same thing, they would only need to hire a DPO.
The primary role of an EU Representative is to act as the mediator between the data controller and EU authorities Data Protection Authorities and data subjects. They do not have the same amount.
The primary tasks of an EU representative are:
- responding to any inquiries Eu authorities or data subjects may have concerning data processing
- receiving legal documents for the company as an authorised agent maintaining records of processing activities
- giving data processing records to authorities upon request
Summary: GDPR-Compliance checklist
1) Become familiar with the basics of GDPR and its implications for your organisation
2) Perform a comprehensive audit on data, and assess what data is being held and for what purpose
3) Check that all processes and procedures that involve consumer data are GDPR- compliant
4) Ensure that all consent-obtaining procedures follow the new news
5) Recognise high-risk data and processes as described by Article 9 of GDPR and change business practices to handle this data in a safe and secure manner
6) Have a data breach response plan in place 7) Train staff in GDPR compliance
7) Consult with a data security expert to ensure that your organisation’s security framework is meeting GDPR’s standards