The European Union adopted the General Data Protection Regulation (Regulation (EU) 2016/679, commonly known as GDPR) on April 27th 2016 to strengthen and unify the protection of personal data of individuals within the European Union, including where that data is handled by companies established outside the EU. The GDPR empowers individuals to control their personal data and requires strict compliance from EU and non-EU companies alike, with severe penalties for non-adherence. GDPR applies from May 25th 2018.
For the purpose of this regulation, a Data Controller is the entity that determines the purposes and means of the processing of personal data, while a Data Processor is an entity that processes personal data on behalf of the Data Controller.
Summary of changes brought by GDPR for organizations
1. Compliance with the Regulation even if the business is not physically located in the European Union
a) Any company that processes personal data of individuals in the EU, including non-EU companies that offer goods or services to such individuals or monitor their behaviour, will need to comply with the requirements of the GDPR. This extraterritorial reach is what gives the Regulation its global effect.
2. Expansion in definition of Personal Data
a) Personal data is any information relating to an identified or identifiable individual, which now explicitly includes factors such as genetic, mental, economic, cultural or social identity, as well as online identifiers. Companies should take measures to reduce the amount of personally identifiable information they store, and ensure that they do not retain any information for longer than necessary.
3. Changes in rules for obtaining a valid consent
a) Companies need to use clear and plain language when asking for consent to collect personal data, and be specific about how the information will be used. Silence, pre-ticked boxes or inactivity do not constitute consent; consent must be a freely given, specific, informed and unambiguous affirmative action, and it must be as easy to withdraw as it was to give.
b) It will be more important than ever for companies to explain exactly what personal data they are collecting and how it will be processed and used. Consent is one of several lawful bases for processing (others include performance of a contract, a legal obligation and legitimate interests); processing that relies on consent but lacks valid consent is unlawful, and the supervisory authorities can order it to stop.
4. Consent required for processing children’s data
a) Parental consent will be required for the processing of personal data of children under age 16 where online services are offered directly to a child. EU Member States may set a lower age for parental consent, but not below 13.
5. Mandatory appointment of a Data Protection Officer (DPO) for certain companies
a) GDPR states that data protection officers must be appointed for all public authorities and bodies (except courts acting in their judicial capacity). In addition, a DPO will be required where the core activities of the controller or the processor involve "regular and systematic monitoring of data subjects on a large scale" or where the core activities consist of large-scale processing of "special categories of personal data" (such as health, genetic or biometric data) or data relating to criminal convictions.
b) Firms whose core activities do not meet these tests are not obliged to appoint a DPO, although they may do so voluntarily, and individual Member States may impose additional requirements.
6. Mandatory introduction of Privacy Risk Impact Assessments (PIAs)
a) The GDPR requires data controllers to conduct a PIA (called a Data Protection Impact Assessment, or DPIA, in the Regulation) where processing is likely to result in a high risk to the rights and freedoms of individuals, for example large-scale profiling or systematic monitoring, in order to identify and minimize those risks.
b) This means that, before starting such projects, companies will have to conduct a PIA, take the advice of the DPO where one is appointed, and keep the assessment under review as the project progresses. Where the assessment shows a high residual risk that cannot be mitigated, the supervisory authority must be consulted before processing begins.
7. New data breach notification requirements
a) Data controllers will be required to report personal data breaches to their supervisory authority unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects concerned. The notice must be made without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach; a later notification must be accompanied by the reasons for the delay.
b) Where the breach is likely to result in a high risk to individuals, the data subjects themselves must also be notified without undue delay, although the Regulation sets no fixed number of hours for this.
c) Processors must notify the controller of any breach without undue delay, so controllers will need to review and audit their suppliers and contracts regularly to confirm that breach detection and notification arrangements are fit for purpose.
8. The right to be forgotten
a) The right to erasure allows a data subject to require a controller to delete their personal data without undue delay in specified circumstances, for example when the data is no longer necessary for the purpose it was collected for, when consent is withdrawn, or when the individual objects to the processing. A controller that has made the data public must also take reasonable steps to inform other controllers processing it of the request. Relatedly, companies cannot simply repurpose data they have collected: using it for a new, incompatible purpose requires a new lawful basis, which in practice often means obtaining fresh consent.
9. The international transfer of data
a) Because the Regulation also applies directly to processors, companies should be aware of the risk of transferring personal data to countries outside the EU. Such transfers are only permitted to countries with an adequacy decision, or where appropriate safeguards such as standard contractual clauses or binding corporate rules are in place, or under a narrow set of derogations. Non-EU controllers and processors that fall under the Regulation must also designate a representative in the EU.
10. Data Processor responsibilities
a) Data processors will have direct legal obligations and responsibilities, which means that processors can be held liable for data breaches and face fines in their own right. Contractual arrangements will need to be updated: a written contract with mandatory terms covering security, sub-processing, assistance with data subject rights and breach notification will be required between controller and processor. Parties will need to document their respective data responsibilities even more clearly, and the increased risk levels may affect service costs.
11. Data Portability
a) Data portability allows a user to request a copy of the personal data they have provided in a structured, commonly used and machine-readable format, and to have it transmitted directly to another controller where technically feasible.
12. Privacy by design
a) The GDPR requires data protection by design and by default: systems and processes must be built to comply with the data protection principles, with appropriate technical and organisational measures such as pseudonymisation. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery, but from the inception of the product concept.
b) There is also a requirement that controllers collect only the data necessary for specific purposes, process it by default only to the extent necessary, and discard it when it is no longer required, in order to protect data subject rights.
13. One-stop shop
a) A new one-stop shop mechanism means that a firm carrying out cross-border processing will deal primarily with a single lead supervisory authority, in the Member State of its main establishment, rather than with a separate authority in each of the EU's 28 member states, making it simpler and cheaper for companies to do business in the EU. This will particularly benefit online service providers with offices in several EU countries.
Important Notes:
All companies that process the personal data of individuals in the EU will be required to abide by the provisions stated above or face significant penalties from May 25th 2018.
The Regulation mandates considerably tougher penalties than earlier legislation: fines are set in two tiers, with the most serious infringements (for example of the basic processing principles, consent conditions or data subject rights) attracting fines of up to 4% of annual global turnover or €20 million, whichever is greater, and other infringements up to 2% or €10 million.
RightWave assists its customers in complying with international regulations that impact digital marketing. For more information, contact RightWave.