The General Data Protection Regulation is currently the most important piece of legislation on data privacy in the world. It is important because Europe is the world leader in data protection. So where Europe goes, the rest of the world follows. This means that the GDPR will set the global trends for data protection law. The GDPR is also going to have far-reaching compliance effects for anyone doing business in Europe or business involving European citizens. In this article, we give controllers a heads up (in plain language) on what it practically means for them. We answer your important questions.
Who are the role players?
The General Data Protection Regulation regulations involves three parties:
- The data subject: who is a natural person. The GDPR does not provide protection for juristic persons. For example, a citizen of any EU country or of another country.
- The controller: is a natural or legal person. The controller determines the purposes and conditions for the processing of personal data. For example, profit companies, non-profit companies, governments, state agencies and people.
- The processor: is a natural or legal person who processes personal data on behalf of the controller. For example, an IT vendor.
The General Data Protection Regulation places various obligations on the controller, which is the body ultimately responsible for the lawful processing of personal data. Controllers should only use processors that can meet the requirements of lawful personal data processing prescribed by the GDPR.
If you control personal data, you must read this plain language heads up
Who has to comply with the General Data Protection Regulation?
The General Data Protection Regulation applies to any data processing activities done by a controller in the EU. It also applies to all processing of the data of data subjects residing in the EU even if the entity processing the data is not in the EU. So any entity offering goods and services to EU citizens or monitoring their behaviour must comply with the GDPR.
The GDPR even applies to some entities who are not in the EU
When will it come into force?
The EU Parliament finally adopted the GDPR on 14 April 2016 and it is published in the Official Journal of the EU on 4 May 2016. This means it comes into force on 24 May 2016. There is a two-year grace or transition period which will end on 25 May 2018. The old legislation that member states enacted in accordance with the 1995 Directive will probably continue to apply in that two-year transition period until the GDPR comes into force.
You will have to comply by 25 May 2018
Actions you can take
- Empower yourself with practical knowledge by attending a GDPR webinar or GDPR workshop.
- Comply with data protection law by joining a Data Protection Compliance Programme.
- Stay up-to-date with the latest developments by subscribing to our newsletter.
- Find out how we can assist you with privacy and data protection compliance.
- Find a data protection solution for a problem you have or a challenge you are facing.
- Read about the GDPR at the European Commission’s website.
What steps will you have to take to comply?
Controllers must process personal data:
- for a specified legitimate purpose, and
- only for the specified purpose.
Data processing under the GDPR must be lawful, transparent and for a specific purpose
Controllers will have to designate a data protection officer. Some small and medium-sized enterprises (SMEs) are exempt. They will also have to keep documentation about their processing activities.Some controllers outside the EU will have to appoint a representative in the EU.
Controllers will have to implement data security requirements and build data protection safe guards into their products and services from an early stage of development (commonly known as privacy by design).
Controllers must perform a data protection impact assessment (some SMEs are exempt) for their high-risk processing activities. This may require consultation with a supervisory authority in some cases before proceeding. Some controllers will have to get prior authorisation from a supervisory authority.
Controllers must explain to the data subject that they have the right to transparent and accessible policies that explain how their data will be processed. A data subject must be able to interact with the processing process (for example a mechanism for a data subject to request rectification or erasure). Controllers must identify themselves (or their representative) and their data protection officer.
The controller must tell the data subject in a clear and understandable way:
- why they process personal data,
- how long they will store it,
- how to request the rectification or erasure of personal data;
- the right to lodge a complaint and the details of the supervisory authority and
- if the collection of personal data is obligatory or voluntary and the possible consequences if the data is not provided.
How to lawfully process personal data?
It is lawful for a controller to process the personal data of a data subject:
- if the data subject has given their consent,
- to perform in terms of a contract,
- to comply with a legal obligation,
- to protect a data subject’s vital interests,
- if it is in the public interest, or
- if it is in the controller’s legitimate interests.
You must have at least one of these justifications. You can choose any one – it does not need to be consent.
The GDPR is not consent driven. Consent is not a requirement. If controllers get consent from their data subjects, they are going to have to revisit how they get consent and the wording that goes with it.
What are the penalties for non-compliance?
- Organisations in breach of the protection rules could be fined up to 2% of their annual worldwide turnover or €1 million, whichever is higher.
- There are other sets of fines for different infringements, ranging between 0.5% -2% of worldwide turnover or monetary amounts, whichever is higher.
Penalties for non-compliance can be up to 2% of annual worldwide turnover
Transferring data to third countries
The general principle is that data transferred to third countries must comply with the principles of the GDPR. However, provision has been made to enable transfer to third countries that have adequate protection as determined by the Commission. The criteria that the Commission is likely to consider in making the adequacy decision are existence and functionality of the rule of law, judicial redress for breaches of data protection and independent supervision.
If you wish to transfer data to a third country and there is no adequacy decision by the Commission for that country then other appropriate safeguards need to be in place. These safeguards can be standard data protection clauses (contractual protection) or binding corporate rules. The criteria for adequacy decisions remain the same as in the 95 Directive, but the option of using data protection clauses and binding corporate rules in the absence of an adequacy decision is a new element in the GDPR.
Entities can use contractual clauses and binding corporate rules to transfer data to third countries where there is no adequacy decision.
What does it cover?
The General Data Protection Regulation applies to the processing of personal data done either entirely or partially by automated means and where personal data is any information that identifies the data subject.
What is the General Data Protection Regulation going to replace?
The GDPR will repeal all national laws on personal data privacy made by member states. Therefore, any law like the UK Data Protection Act will be a thing of the past. It will also repeal the 95 Directive. The GDPR will be the only law for data protection for all member states. The compliance that the GDPR requires will have a global impact on all businesses involved with Europe and Europeans.
Is it a good law?
The GDPR should make it simpler and cheaper for controllers to do business in the EU. Controllers will only have to deal with one supervisory authority.
There are some problems with it and some have criticised it, but it is too late to try to change it. It has been adopted and it will apply.
It appears that the General Data Protection Regulation goes a long way to create a unified law for member states and greater privacy protection for individuals. Time will tell if it meets its objective of reducing red tape. However, whether it will achieve a completely consistent application of the law throughout Europe remains to be seen. There has also been commentary questioning whether the GDPR is flexible enough to accommodate the rapid developments in technology.