EU General Data Protection Regulation (GDPR) - In a nutshell


On 14 April 2016 the European Parliament gave its final approval to the new EU General Data Protection Regulation (GDPR), after four years of deliberation and debate. The Regulation replaces the 1995 Data Protection Directive, which was drafted before internet use became widespread.

As with all EU legislation, it's a mammoth document. We've spoken to our in-house data protection experts to break these regulations down into plain English.

We’re asking the question: What do the regulations mean for business?

New fines

The first thing to remember when considering the new reforms is that there are significant fines for breaches of the regulations.

These fines are presented in two tiers:

Tier One - Up to €10 million or up to 2% of annual worldwide turnover, whichever is higher. 

This level of fine will be imposed for infringements such as having no written contract in place between the controller and the processor of data. It is the responsibility of an organization that holds and controls a subject's personal or sensitive data to have a clear and concise written contract in place before passing that data to a third party (a data processor) to process on its behalf.

No contract? There’s a fine coming your way. 

Tier Two – Up to €20 million or up to 4% of annual worldwide turnover, whichever is higher.

This level will apply where, for example, a company does not obtain explicit consent from a data subject for the processing of sensitive personal data.

Mandatory notification of a Data Breach

This is an aspect that should be of major concern to larger organizations in particular. The Regulation requires a controller that becomes aware of a personal data breach to notify the supervisory authority (in Ireland, the Data Protection Commissioner) without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the notification takes longer than 72 hours, the reasons for the delay must be given.

It's important to note that notifying the affected data subjects is not mandatory in every case.

However, the controller must notify data subjects without undue delay where the breach is likely to result in a "high risk to the rights and freedoms" of the individuals involved, and the Data Protection Commissioner can require the controller to do so where it has not.

So let’s put this in practical terms:

  1. A company (the controller) receives personal data (e.g. a credit card number) from a consumer (the data subject)
  2. The controller passes this data to a third party (in this example, a bank) that processes it on the controller's behalf, a transfer the data subject explicitly agreed to when providing the data
  3. Either the processor or the controller then suffers a breach; a processor must inform the controller without undue delay after becoming aware of it
  4. The controller must notify the Data Protection Commissioner without undue delay and, where feasible, within 72 hours of becoming aware of the breach. This is a detailed report, a who, what, where, why and how of the breach: the nature of the breach, the categories and approximate numbers of data subjects and records affected, the likely consequences, and the measures taken or proposed to deal with it
  5. Where the breach is likely to result in a "high risk to the rights and freedoms" of the individuals involved, the controller must also notify the affected data subjects, and the Data Protection Commissioner can require it to do so

Now is the time for organizations to start thinking how they would deal with such regulations if/when a breach occurs. 

Portability of data

As the overall aim of the Regulation is to give data subjects greater control over, and security for, their data, moving that data from one provider to another must be quick and easy from the data subject's point of view.

The Regulation introduces a right for data subjects to receive their personal data in a structured, commonly used and machine-readable format and to transmit it from one controller to another without hindrance from the original controller. The aim, of course, is to make switching from one service provider to another easier.

From a practical perspective, this deters organizations from obstructing the transfer of personal data and requires an organization's systems to be able to extract a subject's data in an acceptable, compatible format.

If your customer demands you transfer their personal data to a competitor, “It’s too complicated” or “Our systems don’t interact” are no longer valid excuses for retaining information. 

Right to erasure

The "right to be forgotten" is now referred to as the "right to erasure" and puts the onus on data controllers to justify why they need to keep data on a subject, rather than on the subject to prove that the controller doesn't need it.

This means that companies will need to take a long, hard look internally at the data that they are storing on their data subjects and ask the question “Do I need this?” 

One point of note: where a particular type of storage technology does not allow for erasure, the data subject has a right to have processing of the data "restricted" as opposed to erased.
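The portability and erasure rights above have direct engineering consequences: a subject's records must be exportable in a machine-readable form, and they must be removable even from storage that cannot delete (backups, append-only logs), with "restriction" as the fallback. The following Python sketch is an added example, not code from the original article or from any product, showing one common way to meet both: each data subject's records are encrypted under a per-subject key, export decrypts them to JSON, erasure destroys the key (crypto-shredding) so the undeletable ciphertext becomes permanently unreadable, and restriction blocks the controller's own processing while the data stays stored. The `PersonalDataStore` class and its methods are hypothetical, and the HMAC-based keystream is a standard-library stand-in for a real AEAD cipher such as AES-GCM, used only so the example runs without third-party packages.

```python
"""Added example: data-subject rights on an append-only store.

Portability export, erasure by crypto-shredding, and restriction of
processing.  Hypothetical code, not from the article or any product.
"""
import hashlib
import hmac
import json
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream derived from (key, nonce).

    Toy stand-in for an AEAD such as AES-GCM so the example runs on the
    standard library alone; do not use this construction in production.
    Symmetric: the same call encrypts and decrypts.
    """
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


class PersonalDataStore:
    """Append-only record log with one encryption key per data subject.

    Records are never deleted from the log, so erasure is implemented as
    crypto-shredding: destroying the subject's key leaves the stored
    ciphertext permanently unreadable.
    """

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}                    # subject_id -> key (deletable)
        self._log: list[tuple[str, bytes, bytes]] = []      # (subject_id, nonce, ciphertext)
        self._restricted: set[str] = set()

    def write(self, subject_id: str, record: dict) -> None:
        """Encrypt one record under the subject's key and append it to the log."""
        key = self._keys.setdefault(subject_id, os.urandom(32))
        nonce = os.urandom(16)
        plaintext = json.dumps(record, sort_keys=True).encode()
        self._log.append((subject_id, nonce, _keystream_xor(key, nonce, plaintext)))

    def _decrypt_all(self, subject_id: str) -> list[dict]:
        key = self._keys.get(subject_id)
        if key is None:
            return []   # key shredded (or never existed): nothing is recoverable
        return [json.loads(_keystream_xor(key, nonce, ct))
                for sid, nonce, ct in self._log if sid == subject_id]

    def export(self, subject_id: str) -> str:
        """Portability: the subject's records as JSON.

        Assumed to remain allowed under restriction, since the export is
        carried out at the data subject's own request.
        """
        return json.dumps(self._decrypt_all(subject_id), sort_keys=True)

    def read_for_processing(self, subject_id: str) -> list[dict]:
        """Controller-side access; refused while processing is restricted."""
        if subject_id in self._restricted:
            raise PermissionError(f"processing restricted for {subject_id}")
        return self._decrypt_all(subject_id)

    def restrict(self, subject_id: str) -> None:
        """Restriction: keep the data stored, stop all other processing."""
        self._restricted.add(subject_id)

    def erase(self, subject_id: str) -> int:
        """Erasure by crypto-shredding; returns how many records became unreadable."""
        if self._keys.pop(subject_id, None) is None:
            return 0
        return sum(1 for sid, _, _ in self._log if sid == subject_id)

    def stored_record_count(self, subject_id: str) -> int:
        """Ciphertext records still physically present for the subject."""
        return sum(1 for sid, _, _ in self._log if sid == subject_id)


if __name__ == "__main__":
    store = PersonalDataStore()
    store.write("alice", {"email": "alice@example.com"})   # constructed sample data
    store.write("alice", {"plan": "pro"})
    print("export:", store.export("alice"))
    print("shredded:", store.erase("alice"))
    print("after erasure:", store.export("alice"),
          "records still stored:", store.stored_record_count("alice"))
```

In a real deployment the per-subject keys would live in a KMS or HSM so that key destruction is auditable, and backups of the ciphertext can then be retained without retaining the ability to read it. Note that `stored_record_count` still reports the shredded records: the bytes remain, which is exactly the situation in which the Regulation's "restriction" fallback, and crypto-shredding as a way of honouring erasure anyway, become relevant.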

Privacy by Design - the Principle

Privacy by design is one of the most fundamental ideas of the new regulations and one that aims to change the overall attitude and planning towards Data Protection within organizations themselves. 

Article 23 of the draft text (Article 25 in the final Regulation) stipulates that data protection must be designed into the development of business processes. This encourages organizations to build data privacy into the very fabric of their everyday dealings instead of adding it as an afterthought to business operations.

In order to get up to speed, organizations need to start fundamentally rethinking Data Protection and reviewing policies and procedures from the ground up. 

How will Privacy by Design work?

Privacy settings need to be set to a high level by default.

The regulations will force organizations to apply the highest level of privacy principles as standard in all contracts and dealings and explicit consent must be provided by the data subject if deviating from that principle.  

Article 33 of the draft text (Article 35 in the final Regulation) states that a Data Protection Impact Assessment (DPIA, often called a Privacy Impact Assessment or PIA) must be carried out before any processing that is likely to result in a high risk to the rights and freedoms of data subjects.

Data Protection Officers

Some organizations will also be required to appoint a Data Protection Officer (DPO).

This will be tricky for many organizations to implement. A DPO must have expert knowledge of data protection law and practice, may be an employee or an external contractor, and must be able to act independently: the DPO reports directly to the highest management level, cannot be instructed in how to perform their tasks, and cannot be dismissed or penalised for performing them. The DPO is also the organization's point of contact for the regulator. Many organizations are opting to outsource this role where possible.