July 10, 2017 | IBM i

GDPR Compliance: The Next Big Compliance Issue


Circle May 25th, 2018 on your calendar if you’re doing business in the European Union (EU) or have customers in the EU. Starting that day, any organisation (inside or outside of the EU) collecting personal data on any EU citizen will be subject to the EU’s General Data Protection Regulation (GDPR), otherwise known as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. GDPR was ratified in April 2016 with a two-year implementation period for EU member states to implement it into their national laws. Here’s a brief primer on GDPR compliance and what it means for organisations doing business with EU citizens.

What does GDPR do?

Among other things, the GDPR seeks to accomplish these goals:

  • Extend the scope of the EU data protection law to ALL foreign companies processing the data of EU residents (regulating the export of personal data outside the EU)
  • Harmonize (standardize) data protection regulations throughout the EU, making compliance easier for non-European companies (unifying/providing equivalent data protection standards) while also ensuring the free flow of personal data between member states
  • Provide strict penalties up to 4% of worldwide turnover or twenty million euros for non-compliance (strong enforcement)

The GDPR replaces the 1995 data protection directive (officially Directive 95/46/EC) which had resulted in fragmentation in the implementation of data protection across the EU.

Who does GDPR apply to?

The GDPR covers personal data collected for data subjects (residents) based in the EU. It applies to the following organisational types that collect or process personal data on EU residents.

  • Data controllers residing in the EU – Organisations that collect personal data from EU residents
  • Processors residing in the EU – Organisations that process personal data on behalf of EU Data Controllers, including cloud providers
  • Organisations outside the EU who collect or process personal data of EU residents

It’s worth noting that there’s a separate EU legal act covering personal data for law enforcement activities, the execution of criminal penalties, and the prevention of threats to public safety, all of which are not covered under the GDPR.

GDPR compliance also doesn’t apply to personal data associated with deceased persons. Member states are free to make their own rules regarding how to process the personal data of deceased persons.

What personal data does the GDPR apply to?

The definition of personal data covered under the GDPR covers “…any information relating to an identified or identifiable natural person, whether that data relates to his or her private, professional, or public life.” This includes:

  • Identifiers, such as name, home address, email address, photos, identification numbers
  • Social media postings
  • Medical information
  • Indirect information that can be directly traced back to an individual, such as their physical, physiological, genetic, mental, economic, cultural or social identity information
  • Location data
  • Online identifiers, such as IP addresses and cookies, that can be linked back to the data subject

GDPR makes no distinction between an individual’s public, private, or work roles. Data about individuals in any of their roles is covered by the regulation.

Fines and enforcement for GDPR compliance failure

The GDPR significantly expands the penalties that regulators can impose for organisations that do not comply with the new regulations. Two different penalty levels can be assessed for different types of violations.

For record keeping, security, breach notification, and privacy impact obligation violations, penalties can be issued up to ten million euros or up to 2% of the total annual worldwide turnover of the preceding financial year, whichever is higher.

Violations relating to the legal justification for processing, lack of consent, data subject rights, and cross-border data transfers can result in penalties of up to twenty million euros or up to 4% of the total annual worldwide turnover of the preceding financial year, whichever is higher.

The details to GDPR compliance

While a complete review of regulation details is beyond the scope of this post, there are a number of critical implementation areas that must be covered by any organisation implementing GDPR. These areas include:

  • The regulation states that “…appropriate technical and organisational measures be taken to ensure that the requirements of this regulation are met.”
  • Organisations must design data protection safeguards into their products and services, including pseudonymisation/encryption of personal data.
  • Record keeping, both for demonstrating compliance and for improving the organisation’s privacy and data management capabilities.
  • Ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  • Requirements to notify supervisory authorities of a data breach in a timely manner, within 72 hours. If the organisation is unable to notify within 72 hours, an explanation for the delay must also be filed and the notification must occur without undue further delay.
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Giving and withdrawing consent to process personal data

GDPR compliance requires that consent must be given by individuals for all processing activities carried out for the same purpose or purposes. Per the GDPR, “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her…” Consent can be given by a written statement, electronic means, or by an oral statement.

Key elements of giving and withdrawing consent include:

  • Safeguards must be put in place to ensure that the data subject is aware that consent has been given and the extent to which the consent is given.
  • The data subject should be “…aware at least of the identity of the controller and the purposes of the processing for which the personal data is collected.”
  • Consent is not considered freely given if the data subject has no free choice in the matter or is unable to withdraw or refuse consent without detriment.
  • A data subject should be able to withdraw their consent.
  • A data subject has the right to have his or her personal data “erased” and no longer processed when the personal data is no longer necessary, the subject has withdrawn his or her consent, the subject objects to the processing of their personal data, or where the processing does not comply with the regulation.

Where processing is based on the data subject’s consent, the controller should be able to demonstrate that consent has been given to the processing operation. There are also several other areas, concerning the data subject’s rights under the regulation, that must be made clear to the data subject. Individuals also have the right to access information regarding how their data is processed.

Just the start

GDPR compliance is complicated, with significant responsibilities for any organisation collecting and processing the personal data of EU residents. Today’s post is just a brief overview of the main elements of GDPR. If you’re doing business in the EU, make sure to review the entire regulation to understand the finer points of GDPR compliance and the new obligations and risks your organisation will assume when GDPR goes into effect on May 25, 2018.