The General Data Protection Regulation (GDPR) is now a fact of life for any company that gathers and processes the personal data of European Union citizens. It is not just EU companies and organisations that must conform; data-collecting entities around the world will have to deal with the new rules.
General Data Protection Regulation Overview
So what is this new European regulation, why does compliance matter, and to whom? As of May 2018, the EU is enforcing the articles of the GDPR and imposing penalties for non-compliance. The GDPR was formulated to satisfy the following objectives:
- Modernise the legal framework for data governance. When the existing law was published in 1995, surfing was something to do at the seaside, telephones were tethered to wall sockets, and data was stored on paper in filing cabinets.
- Put citizens back in control of their data. The consensus among EU policymakers is that US tech giants have been getting away with abusing personal data for too long. Consumers should know what happens with their data and have access to it. They should have control to give consent or decline the use of their personal data.
- Force companies to be proactive in minimising the risk posed by data breaches, privacy violations, and identity theft. History shows that companies are inclined to ignore cyber threats until they face real financial losses or damage to the reputations of their brands.
- Create uniformity of rules in EU countries. Replace 28 laws with one and create a level playing field for businesses operating across national borders within the EU.
A discipline for good data governance
The GDPR comprises 99 articles that are binding and enforceable as law. The value lies in the discipline of the legal framework defined in the articles. The regulation encourages best practices that protect commercial entities from their own worst tendencies.
Without firm boundaries, companies ignore good practice for short-term gains. These propensities can be disastrous for brands and corporate reputations if left unchecked.
The power behind the GDPR lies in the severe penalties it stipulates for compliance failures. Fines are capped only at the higher of €20 million or four percent of the violator's global revenue.
Is your organisation a data controller?
Data controllers are any companies, charity organisations, or government agencies that hold the personal data of EU citizens. Companies that process the same data on behalf of data controllers must also comply with the regulation. That third-party accountability means that cloud-based service providers face the same responsibilities and penalties regardless of their locations in the world.
Start-ups, established Software-as-a-Service companies, and internet-connected data storage facilities are all liable for the personal data they collect and hold. The GDPR mandates that they must appoint Data Protection Officers (DPOs) and set data governance policies and practices that keep them in compliance.
The frameworks that led to the GDPR
The GDPR builds on the Data Protection Directive (EU Directive 95/46/EC). In 1995 the directive harmonised the data protection regulations within Europe. This Data Protection Directive did not have the same powers as the GDPR, but it did create the foundations for the new regulation.
The Organisation for Economic Co-operation and Development (OECD) established the principles for personal data protection, which the EU and US endorsed in 1980. The Data Protection Directive grew out of the principles and recommendations of the OECD guidelines.
The Data Protection Directive established Data Protection Authorities (DPAs) for each member state. The role of national-level DPAs has continued under the GDPR. They supervise how data controllers handle and transfer data within the EU and beyond its borders.
The eight principles that inspired the GDPR
The GDPR draws on the same eight principles for the processing of personal data as the 1995 directive. In summary, the principles are:
1. Collection limitation
There should be legal limits on how companies collect personal data. Data collectors should only acquire personal data that is essential to business needs. If the outcome can be achieved without personal data, or with anonymous data only, then personal data should not be used.
2. Data quality
Data should be accurate and relevant to its use.
3. Specified purpose
Data controllers must specify the purpose of data collection at the outset and only keep the data as long as it satisfies that purpose.
4. Use limitation
The use of the data should be limited to the specified objective and the data should not be reused for other projects. Access should be restricted to those employees who actively need it.
5. Security safeguards
Data controllers must proactively consider the risks of unauthorised access, modification, or disclosure. They should integrate data protection into the key points involved in data processing, storage, and transfer.
6. Openness
Policies and practices that relate to personal data should be transparent. Data controllers should inform end users and data subjects. They must keep internal records up to date and make them available promptly when regulators request them.
7. Individual participation
Data subjects should have unfettered access to the data that controllers hold about them.
8. Accountability
It is the responsibility of data controllers, as organisations, to comply with all of the principles above. They should ask and answer the questions of what data they have, where it is, why they hold it, and how long they should keep it. Data controllers must also formally define who within the organisation is responsible for it.
GDPR defines the rights of data subjects
The personal data covered under the regulation is any information about people who are citizens of EU countries. The articles of the GDPR put the eight OECD principles into practice by establishing the rights of data subjects:
- Data controllers must obtain an affirmative opt-in from subjects before they can gather personal data.
- Data subjects have the right to know about the existence of their data and have access to it at no charge.
- Once the original purpose of the data has ended, data controllers are obliged by the GDPR to delete it.
- Data subjects have the right to demand that data controllers delete their data.
- Subjects also have a right to data portability, which means they can move their data from one controller to another at will.
Data controller responsibilities
Data controllers have the primary responsibility for implementing policies and practices that comply with the articles of the GDPR. The burden remains even if the data controller delegates the work to some third-party data processor.
The regulation recommends pseudonymisation of personal data as a method to extract the statistical and analytical value without revealing individual identities. However, data controllers are still accountable for the pseudonymous data.
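An added illustration, not from the article, of the point above: keyed pseudonymisation keeps the analytic value of a dataset, but whoever holds the key can still link a pseudonym back to a person, which is why the controller remains accountable for the data. The records, the key and all function names below are constructed for this example.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records (not real people). In a real pipeline these
# would come from the controller's customer database.
RECORDS = [
    {"email": "alice@example.org", "country": "DE", "purchases": 3},
    {"email": "bob@example.org", "country": "FR", "purchases": 1},
    {"email": "alice@example.org", "country": "DE", "purchases": 2},
    {"email": "carol@example.org", "country": "DE", "purchases": 5},
]

# Hypothetical key held only by the controller, stored separately from the
# pseudonymised dataset (in practice a KMS or HSM, never the analytics store).
PSEUDONYMISATION_KEY = b"constructed-demo-key-do-not-reuse"


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier.
    A plain SHA-256 would let anyone hash a guessed e-mail address and
    compare; the secret key is what makes that infeasible."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Replace the direct identifier with a pseudonym; keep analytic fields."""
    return [
        {"subject_id": pseudonym(r["email"], key),
         "country": r["country"],
         "purchases": r["purchases"]}
        for r in records
    ]


def purchases_per_country(pseudo_records):
    """Analytic value survives: aggregate without any e-mail address present."""
    totals = Counter()
    for r in pseudo_records:
        totals[r["country"]] += r["purchases"]
    return dict(totals)


def distinct_subjects(pseudo_records):
    """Same person -> same pseudonym, so rows about one subject stay linkable."""
    return len({r["subject_id"] for r in pseudo_records})


def reidentify(pseudo_id, candidate_email, key):
    """Whoever holds the key can confirm which person a pseudonym belongs to,
    so the pseudonymised dataset is still personal data for the controller."""
    return hmac.compare_digest(pseudo_id, pseudonym(candidate_email, key))
```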
Data breach notifications
Data controllers must report breaches to the supervising authority within 72 hours of first becoming aware of the event. Data processors have a similar obligation to notify data controllers of breaches.
In the case of any event that could cause harm to a data subject, data controllers must notify the subject too. Data controllers can only waive this notice if they have encrypted the data so that it is unusable without the key needed to decipher it.
DPOs and proper data governance
Proactive data governance is fundamental to successful GDPR compliance. Data governance is the discipline that provides organisations with the framework for becoming more competitive and data-driven than ever before.
The regulation states that any organisation that gathers or monitors personal data regularly must appoint a Data Protection Officer. It is the responsibility of DPOs to assure proper data governance, oversee data compliance, and report to senior management. Additionally, DPOs are responsible for communicating with employees and data subjects and responding to their concerns.
Finally, Data Protection Officers must be prepared to respond to delegated acts of the European Commission in the coming years. The regulation gives the Commission powers to adopt delegated acts regarding icons and certification mechanisms.
There are few GDPR enforcement exceptions
Again, it is worth emphasising the broad coverage of the GDPR. The only exceptions are small companies that may pick up protected data occasionally.
Any organisation that gathers, monitors, or processes personal data as a part of its core activity must comply with the regulation. Organisations with more than 250 employees must prepare to comply with the GDPR.
GDPR and the future of data protection
The world is now fully immersed in the information age. Geographical boundaries mean little to data that flows around the globe. In the last few years, reports of data abuses and cybercrimes have shown just how vulnerable data is.
The broad scope of the GDPR means that it is likely to set the standard for privacy and data security legislation in other regions. In any case, as enforcement begins, data collectors everywhere and their third-party collaborators must be prepared to practice data governance and stay in GDPR compliance.