After over three years of discussions, the EU Council formally adopted the General Data Protection Regulation (GDPR) on 14 April, and the European Parliament voted it through a few days later. The regulation replaces the Data Protection Directive (95/46/EC), which has been in effect since 1995, a time when we were still surfing the web with Netscape Navigator. GDPR was published in the Official Journal of the European Union some weeks ago (May 4th) and will come into effect on 25 May 2018. But what exactly is the new GDPR, who is affected, and what actions are required for compliance?
The GDPR is a personal data protection law that imposes a long list of requirements on any EU-based organization that controls and/or processes personal data. In addition, the GDPR extends its scope to organizations based outside the EU, as long as they offer goods or services to EU residents, monitor their behavior or process their personal data. Note that the ultimate goal of GDPR is to protect the personal data of EU residents, meaning anyone who lives in an EU country, without necessarily being an EU citizen. The definition of personal data is also extended: data such as IP addresses, device IDs and cookie strings are considered personal under the GDPR, along with names, ages, contact details, photographs and videos, medical and financial data, etc. The regulation exempts cases where personal data is processed for national security reasons or for law enforcement. Failure of the obliged organizations to comply with the GDPR requirements by the end of May 2018 can result in penalties of up to 20M€ or 4% of their annual global turnover, whichever is greater.
One of the main requirements of GDPR is obtaining the data subject’s consent in order to process their personal data. Including a general Terms & Conditions section on their website, which hardly anyone ever reads, will no longer be enough for the obliged organizations. Consent must be freely given, informed, unambiguous and possible to withdraw; when it comes to sensitive data, consent must also be explicit. In the case of children, parental consent is required. Data controllers must be able to demonstrate that consent was actually given, whenever required.
Another requirement is the guarantee of data quality. Organizations must ensure the accuracy of the personal data they hold and provide processes so that a person can access and view their own personal data, correct it, erase it or transfer it from one service provider to another.
Under GDPR, data breaches must be notified to the Data Protection Authority (DPA) without delay and within 72 hours after the data controller detected the breach. When the breach is harmful to the affected data subjects, they must also be notified without undue delay. However, notification to the DPA is required only when the data breach is likely to result in a risk to the rights and freedoms of the data subjects.
Last but not least, data controllers are accountable for demonstrating their compliance with the requirements of GDPR. Various documentation must be maintained, such as documentation of cross-border data transfers and of personal data processing activities that may require the designation of a Data Protection Officer (DPO). An additional data protection impact assessment is required for riskier processing. Furthermore, data controllers must implement best practices for the protection and security of personal data, which might include data minimization techniques, the use of encryption technologies and data anonymization. As part of their accountability, and under certain circumstances (data processing by public authorities, processing that requires systematic monitoring of data subjects, large-scale processing), data controllers and/or processors might also be obliged to designate a DPO.
It is clear, therefore, that compliance with the GDPR requires a lot of effort from data controllers and processors. All organizations that handle personal data must, first of all, understand the legislation and determine if and how they are affected. There may be a need for organizational changes, refactoring of current procedures, adoption of new procedures and policies, implementation of “privacy by design”, modifications to the privacy notices, staff (re)training and, possibly, preparation of a data protection impact assessment. Two years may seem like a long time, but all those preparations can be time consuming. So, if your organization controls or processes personal data of EU residents, you’d better start preparing today rather than sprinting tomorrow.