The General Data Protection Regulation (GDPR) is a European Union “Regulation” which serves to protect the personal data of anyone in the EU. So if you are an EU citizen, or simply live, work or travel in the EU, then you and your personal data are in scope. The term “Regulation” means that once the GDPR was published in May 2016, it instantly became law in all 28 EU member states. This differs from an EU “Directive”, which each country interprets into its own law. A regulation is implemented verbatim, ensuring a level of consistency across all EU members.
From May 2016, the GDPR entered into a 2 year transition period, giving organisations time to understand the new regulation and ensure compliance. This means that on May 25th 2018, the GDPR will be enforced and must be complied with.
The spirit of the GDPR focuses on protecting the individual, rather than on applying controls to companies as many other regulations do. This means that as a European, your personal data is protected by the GDPR even if a non-European company is managing it. Imagine an American airline selling flights to people in the UK. The airline must ensure it complies with the GDPR, even though it is based solely in the US. If you touch European data, you need to protect it as the GDPR requires, wherever in the world you are based.
The GDPR builds on the 1995 European Data Protection Directive, which each EU country interpreted into its own data protection laws, e.g. the UK 1998 Data Protection Act. These country-specific laws are now mostly superseded by the GDPR, harmonising data protection law across the continent.
Whilst the content of the GDPR is extensive, there are a number of key highlights worth focusing on:
- Enhanced Rights – The Data Subject (that’s us Europeans with data to be protected) has even greater rights than before, with direct control over the usage, retention and movement of their personal data. This includes the right to erasure, also known as the right to be forgotten, and the right to portability. Portability allows data subjects to access the personal data that controllers hold about them and have it sent to another controller, such as a rival pension provider. Rules on consent are now much tighter: controllers generally need to give greater detail of what processing will be performed and obtain unambiguous, opt-in style consent. Additionally, opting out and withdrawing consent should be made very simple. The Data Subject is now much more in charge of their data. [More info on Subject Rights]
- Fines and Penalties – If you fail to comply with the GDPR then the costs can be huge. The maximum “administrative” fine that a regulator can impose is 20 million Euro or 4% of annual turnover of the parent company. Contrast this with the UK’s current maximum fine of £500,000 under the Data Protection Act and you can see that the GDPR comes with a very big enforcement stick. These fines are purposefully high in order to be “effective, proportionate and dissuasive.” Additionally, data subjects themselves and collective groups have the right to take Controllers to court and sue for damages. In many large breaches, a class action lawsuit would be more costly to the controller than any administrative fines from the regulator.
- Breach Notifications – If a data controller suffers a breach of personal data then, depending on its severity, the controller has 72 hours (from the point of detection) in which to notify the regulator and potentially the affected data subjects. This is a major shift for many EU organisations, which currently have no such requirement.
- Data Processors in Scope – Previously, Data Processors (e.g. a cloud hosting provider, or email delivery company) were not in scope for many of the data protection requirements. Instead, all the responsibility for a failure came down to the controller. The GDPR changes that, and now Processors share the burden of data protection.
- Data Protection Officers – Organisations that process large amounts of data or special categories of data (sensitive data), or that are government entities, will need to designate a Data Protection Officer. This person is the organisation’s data protection lead and the principal advisor in all data protection activities. [More info on the DPO]