- What is the GDPR and what does it stand for?
GDPR stands for General Data Protection Regulation, also referred to as Regulation (EU) 2016/679. It replaces the data protection directive introduced in 1995 and was created by the European Parliament, the Council of the European Union, and the European Commission to strengthen and unify data protection for all residents of the European Union.
Additionally, GDPR addresses data protection rules for personal data export outside of the European Union. It also enforces EU data protection laws to guide foreign organizations that process personal data pertaining to residents of the European Union.
In the case of a data breach, both the company and its outsourcing provider can be held liable and penalised heavily. Therefore, both the data controller (the company) and the data processor (the outsourcing services provider) should strictly adhere to the guidelines laid down by the General Data Protection Regulation (GDPR).
- When does GDPR come into effect?
GDPR was approved by the European Parliament in April 2016. After a two-year transition period, GDPR will be in force for all organisations that handle the data of EU residents from the 25th of May 2018.
- What is the purpose of GDPR?
The primary purpose of GDPR is to define standardised data protection laws for all member countries across the European Union. It also aims to:
- Increase privacy and extend data rights for EU residents.
- Help EU residents understand personal data use.
- Address the export of personal data outside of the EU.
- Give regulatory authorities greater powers to take action against organisations that breach the new data protection regulations.
- Simplify the regulatory environment for international business by unifying data protection regulations within the European Union.
- Require every new business process that uses personal data to abide by the GDPR data protection regulations and the Privacy by Design rule.
- Who does the GDPR apply to?
Similar to the Data Protection Act, GDPR applies to company data controllers and data processors. If you are the controller, the GDPR places additional emphasis on meeting contractual obligations with the processor to ensure they comply with GDPR. As a processor, the GDPR requires you to maintain records of all processing activities and personal data use. This increases the legal liability for processors in the event of a breach.
GDPR does NOT apply to certain activities, such as processing under the Law Enforcement Directive, processing done by individuals for purely personal or household matters, and any processing carried out for the purpose of national security.
- What type of information does GDPR apply to?
Like the Data Protection Act, the GDPR rules apply to personal data. However, the GDPR extends the scope of what is considered personal data to include online identifiers such as an IP address.
The GDPR rules also apply to sensitive data which uniquely identifies a specific individual. This includes categories such as genetic or biometric data.
- According to the EU, what constitutes personal data?
Under GDPR, the definition of personal data has been much simplified to ‘any information relating to an identified or identifiable person’.
According to the European Commission, personal data constitutes “Any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.”
- Does GDPR apply to companies outside of the EU?
Yes. Similar to UK compliance post-Brexit, GDPR regulations apply to foreign companies outside of the EU that collect, process and hold the personal data of EU residents, regardless of their location.
- 9 Key changes under GDPR
- A single set of data protection rules will now apply to all EU member states. In addition, increased territorial scope means that GDPR will apply to all companies that process the personal data of EU residents, regardless of their location.
- ‘Right to be forgotten’ – also known as Data Erasure. EU residents will have the right to request that personal data relating to them is erased. This could be based on a number of grounds that include non-compliance, data no longer being relevant to its original purposes, or data subjects withdrawing consent.
- ‘Right to access’ – Data subjects will have the right to obtain confirmation from the data controller as to whether or not personal data concerning them has been processed, where it has been processed and for what purpose.
- Data breach notifications will become mandatory in all member states where a data breach is likely to “result in risk pertaining to the rights and freedoms of individuals”.
- Consent rules are changing and opt-in requirements for obtaining personal data are stricter. The conditions for consent have been strengthened, as companies will no longer be able to use long, illegible terms and conditions full of legalese. Organisations are required to ensure that consent is clear, distinguishable and provided in an easily accessible form, with the purpose of the data processing disclosed and attached to the consent. It must be just as easy to withdraw consent as it is to give it.
- ‘Privacy by Design’ – Now a legal requirement under the GDPR, Privacy by Design calls for data protection to be built in from the outset of system design rather than added on afterwards.
- Data Controllers and Data Processors will be required to conduct privacy risk impact assessments for projects that have high privacy risks.
- Data processing activity notification rules are changing. Under GDPR it will no longer be necessary for Data Controllers to submit notifications/registrations of data processing activities to local Data Protection Officers. In addition, it will no longer be a requirement to notify or obtain approval for transfers based on the Model Contract Clauses (MCCs). These notifications will be replaced by an internal record-keeping requirement. There is an exception to this.
- The new Accountability Principle in Article 5(2) requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.