What is GDPR Compliance?
In May 2018, GDPR compliance will become compulsory for every business or organization that collects, maintains or uses the personal data of EU citizens. The implementation of the General Data Protection Regulation (GDPR) and the subsequent need for GDPR compliance will have a significant impact on how businesses and organizations approach data protection, regardless of their geographical location.
However, to best answer the question “What is GDPR compliance”, a good place to start is with an explanation of the distinction between an EU Directive and an EU Regulation – an EU Directive being a general set of guidelines EU member states can base their own national laws around, whereas an EU Regulation is EU-wide legislation that all member states have to comply with and is enforceable by law.
GDPR is an EU Regulation. It replaces the previous 1995 EU Data Protection Directive and standardizes data protection laws throughout the European Union. The Regulation gives businesses and organizations operating in multiple EU member states a uniform set of rules to work within and resolves issues that could not have been foreseen in the 1995 Directive – such as data processing in the cloud.
The Key Points of the GDPR Data Protection Rules
The key points of the GDPR data protection rules include a comprehensive definition of what constitutes personal data, the rights of individuals to know how their personal data is being used, what personal data can be collected under the GDPR data protection rules, and how businesses and organizations obtain each individual's informed consent to collect, maintain or use the individual's personal data.
Businesses and organizations reviewing their GDPR compliance efforts should take careful note of how they obtain each individual's informed consent. Personal data can only be collected, maintained or used if an individual has given their consent by a recordable affirmative action. The individual must be told, before giving their consent, what the data will be used for and of their right to withdraw their consent.
GDPR Compliance and the Rights of Individuals
Any business or organization that collects, maintains or uses an individual's personal data without their informed consent – or that fails to delete the data after an individual withdraws their consent – is in breach of GDPR, and there are many other rights of individuals that businesses and organizations should take into account when reviewing their GDPR compliance. These rights include (but are not limited to):
- The right of individuals to access stored personal data.
- The right of individuals to rectify errors in their personal data.
- The right of individuals to know how their personal data will be used.
- The right of individuals to know how long their personal data will be stored.
- The right of individuals to know with whom their personal data is being shared.
- The right of individuals “to be forgotten” and have any stored personal data permanently deleted.
- The right of individuals to know the source of their personal data if informed consent was not given.
In order to comply with the GDPR data protection rules for the rights of individuals, businesses and organizations will have to revise their data collection, storage and processing mechanisms to ensure personal data can be isolated, extracted and permanently deleted as required. Systems will also have to be put into place to verify the identity of individuals who exercise their GDPR rights.
Ensuring GDPR Compliance and Data Protection Officers
Among the GDPR data protection rules there are numerous measures that have to be taken to ensure GDPR compliance. In brief, businesses and organizations have to comply with the “accountability principle”, provide clear and transparent privacy policies, and conduct GDPR data protection impact assessments to identify risks to the integrity of personal data.
Businesses and organizations will be expected to implement procedures to address any risks to the integrity of personal data and put comprehensive governance measures in place to ensure the procedures are being adhered to. In many circumstances it will be necessary to conduct GDPR compliance training and larger organizations will have to appoint a Data Protection Officer.
The role of a Data Protection Officer is to act as an advisor and monitor GDPR compliance. He or she will be responsible for managing internal data protection activities, advising on GDPR data protection impact assessments, training staff and conducting internal audits. He or she will also be the first point of contact for Data Protection Authorities (see below) and individuals wishing to exercise their GDPR rights.
EU Penalties for Non-Compliance with GDPR
Most EU member states already have Data Protection Authorities. Their role is to enforce national data protection laws and impose penalties for the unauthorized disclosure of personal data. Under GDPR, Data Protection Authorities will be given the power to conduct GDPR compliance audits and impose penalties for non-compliance – even when a breach of personal data has not occurred.
Penalties for non-compliance with GDPR can vary widely depending on the nature of the violation, the volume of records disclosed without authorization, and the efforts made by the business or organization to mitigate a breach of personal data. In worst-case scenarios – and even when the unauthorized exposure of personal data has been accidental – the penalties for non-compliance with GDPR are substantial:
- Non-compliance with the Regulation's security standards can result in a fine of up to €10 million or 2% of global annual turnover – whichever is the higher.
- Non-compliance with the Regulation's privacy standards can result in a fine of up to €20 million or 4% of global annual turnover – whichever is the higher.
Further Penalties for Failing to Comply with GDPR
Further penalties for failing to comply with GDPR can be imposed if a business or organization fails to report the unauthorized exposure of personal data to its Data Protection Authority within seventy-two hours of the exposure being discovered. The business or organization may also be charged with a criminal offence depending on the national law of the EU member state.
If the unauthorized exposure of personal data is likely to result in the affected individual(s) potentially suffering identity theft or fraud, financial loss, discrimination, damage to reputation or other significant economic or social disadvantage, the breach also has to be notified to the individual(s) whose data has been exposed. This can result in a personal compensation claim against the business or organization.
An exception to the requirement to inform individuals – but not Data Protection Authorities – exists when the exposed personal data has been encrypted and is unusable by the person who has accessed it. In this scenario, the Data Protection Officer will have to prove to the Data Protection Authority that the compromised data was kept securely prior to the breach.
GDPR Summary
- The EU General Data Protection Regulation comes into force on 25th May 2018 and applies to every business or organization – within or outside of the European Union – that collects, maintains or uses the personal data of EU citizens.
- With regard to what constitutes personal data, any characteristic that has the potential to identify or single out an individual is considered to be personal data. This includes online identifiers such as cookies.
- Individuals must use an affirmative action to give their informed consent for the collection, storage or use of their personal data. The manner in which the informed consent was given must be recorded and retained.
- Individuals have extensive rights to control how their personal data is collected, maintained or used – including the right “to be forgotten”. Systems will have to be implemented to verify the identity of individuals exercising these rights and to prevent fraudulent requests.
- Businesses and organizations will have to implement clear and transparent privacy policies, conduct risk assessments and introduce procedures to ensure the integrity of personal data. In some cases it may be necessary to appoint a Data Protection Officer.
- Penalties for non-compliance with GDPR can be enforced even when no breach of personal data has occurred. The size of the penalty will depend on what actions have been taken to mitigate the unauthorized exposure of personal data.
- Businesses and organizations should familiarize themselves with the GDPR Breach Notification Rule and the sanctions that can be applied for failing to notify the appropriate authorities within seventy-two hours.
This GDPR summary provides an overview of the issues discussed above. We have taken reasonable precautions to ensure the content of this material is compiled with the facts as are available at the date of publication. However, we accept no responsibility for errors or omissions in our GDPR summary. Businesses and organizations concerned about GDPR compliance should take professional legal advice.