EU General Data Protection Regulation (GDPR) - In a nutshell

The first thing to remember when considering the new reforms is that there are significant fines for breaches of the regulations.

These fines are presented in two tiers:

Tier One - Up to €10 million or up to 2% of annual worldwide turnover, whichever is higher. 

This level of fine will be imposed for infringements of the regulations where, for example; no written contract is in place between the controller and the processor of data. It is now the responsibility of organizations that possess and control a subject’s personal or sensitive data to have a clear and concise written contract in place if passing to a third party (a Data Processor).

No contract? There’s a fine coming your way. 

Tier Two – Up to €20 million or up to 4% of annual worldwide turnover, whichever is higher.

This level will apply where, for example; a company doesn’t obtain explicit consent from a data subject for the processing of sensitive personal data. 

This is an aspect that should be of major concern to larger organizations in particular. The regulations state that a controller must notify the Data Protection Commissioner within 72 hours after becoming aware of a data breach. 

It’s important to note that the notification of a breach to a data subject is not mandatory.

However, the Data Protection Commissioner will have the discretion to notify the data subject under the regulation and a data subject must be notified where there is a “high risk to rights and freedoms of the individual involved.” 

So let’s put this in practical terms:

1. A company (the controller) receives personal data (e.g. a credit card number) from a consumer (the data subject)
2. The controller provides this information to a third party (in this example, a bank) to which the data subject explicitly agreed to when providing the data
3. Either the processor or the controller then experiences a breach
4. The controller must then submit a breach notification to the Data Protection Commissioner within 72 hours of becoming aware of the breach. This is a detailed report: a who, what, where, why and how of the breach
5. The Data Protection Commissioner then has the discretion to notify the data subject under the regulations in instances where  there is a “high risk to rights and freedoms of the individual” 

Now is the time for organizations to start thinking how they would deal with such regulations if/when a breach occurs. 

As the overall aim of these regulations is ultimately to provide greater control and security to the data subjects the portability of that data must be quick and easy from a data subject’s point of view. 

The regulations propose to introduce a right that would enable data subjects to transfer their personal data in a commonly-used electronic format from one data controller to another without hindrance from the original controller. The aim is of course, to make the transfer process from one service provider to another easier. 

From a practical perspective, this will deter organizations from hindering the transfer of personal data and requires an organization’s control systems be able to extract that data in an acceptable, compatible format.

If your customer demands you transfer their personal data to a competitor, “It’s too complicated” or “Our systems don’t interact” are no longer valid excuses for retaining information. 

The “right to be forgotten” is now referred to as the “right to erasure” and puts the onus on data controllers to prove that they need to keep data on a subject and not on the subject to prove that the controller doesn’t need it. 

This means that companies will need to take a long, hard look internally at the data that they are storing on their data subjects and ask the question “Do I need this?” 

One point of note is where a particular type of storage technology does not allow for erasure, then the data subject has a right to have the data “restricted” as opposed to erased.

Privacy by design is one of the most fundamental ideas of the new regulations and one that aims to change the overall attitude and planning towards Data Protection within organizations themselves. 

Article 23 stipulates that data protection should be designed into the development of business processes. This encourages organizations to imprint data privacy into the very fabric of their everyday dealings instead of just adding it as an afterthought to business operations.

In order to get up to speed, organizations need to start fundamentally rethinking Data Protection and reviewing policies and procedures from the ground up. 

How will Privacy by Design work?

Privacy settings need to be set to a high level by default. 

The regulations will force organizations to apply the highest level of privacy principles as standard in all contracts and dealings and explicit consent must be provided by the data subject if deviating from that principle.  

Article 33 states that a Privacy Impact Assessment (PIA) must be carried out when conducting a project where a specific risk occurs to the rights and freedoms of data subjects. 

Some organizations will also be required to appoint a Data Protection Officer (DPO).

This will be tricky for a lot of organizations to implement, as a DPO must be suitably qualified and also independent of the organization. The DPO will also be monitored by the regulator, not the board of directors. Many organizations are opting to outsource this role where possible.