The Privacy Protection Law in the European Union, or “GDPR”
What organisations and individuals need to know:
250 million people are now using the internet every day in Europe. We’re sharing more and more of our personal data. In this fast-changing digital age, your right to protect your personal data is something which must be safeguarded. There are numerous potential risks, such as unauthorised disclosure, identity theft, or online abuse, to name a few. Protection of personal data is a fundamental right for everyone in the EU.
The new data protection rules will kick in on 25 May 2018 and will give you more control over your personal data and improve your security both online and offline.
The GDPR defines personal data as any information, in any format, that can directly or indirectly identify a natural person.
The Regulation places much stronger controls on the processing of special categories of personal data. The inclusion of genetic and biometric data is new.
Personal Data Includes:
- Email address
- IP address
- Location data
- Online behaviour (cookies)
- Profiling and analytics data
Special Categories of Personal Data (Require Extra Protection):
- Political opinions
- Trade union membership
- Sexual orientation
- Health information
- Biometric data
- Genetic data
The GDPR applies to all EU organisations – whether commercial business, charity or public authority – that collect, store or process EU residents’ personal data, even if they’re not EU citizens.
Organisations based outside the EU that offer goods or services to EU residents, monitor their behaviour or process their personal data will be subject to the GDPR.
Service providers (data processors) that process data on behalf of an organisation also come under the remit of the GDPR and have specific compliance obligations of their own. Examples include a company that processes your payroll, or a cloud provider that offers data storage.
Data Protection Principles:
Personal data must be processed according to the six data protection principles:
- Processed lawfully, fairly and transparently.
- Collected only for specified, legitimate purposes.
- Adequate, relevant, and limited to what is necessary.
- Accurate and kept up to date.
- Stored only for as long as is necessary.
- Processed with appropriate security, integrity, and confidentiality.
Accountability and Governance:
Organisations must be able to demonstrate compliance with the GDPR:
- Establishing a governance structure with defined roles and responsibilities.
- Keeping a detailed record of all data processing operations.
- Documenting data protection policies and procedures.
- Carrying out data protection impact assessments (DPIAs) for high-risk processing operations.
- Implementing appropriate measures to secure personal data.
- Providing staff training and awareness.
- Appointing a data protection officer where necessary.
Data Protection by Design and by Default:
There is a requirement to build effective data protection practices and safeguards from the very beginning of all processing:
- Data protection must be considered at the design stage of any new process, system or technology. A DPIA is an integral part of privacy by design.
- The default collection mode must be to gather only the personal data that is necessary for a specific purpose.
Organisations must identify and document the lawful basis for any processing of personal data. The lawful bases are:
- Direct consent from the individual;
- The necessity to perform a contract;
- Protecting the vital interests of the individual;
- The legal obligations of the organisation;
- Necessity for the public interest; and
- The legitimate interests of the organisation.
There are stricter rules for obtaining consent:
- Consent must be freely given, specific, informed and unambiguous.
- A request for consent must be intelligible and in clear, plain language.
- Silence, pre-ticked boxes and inactivity will no longer suffice as consent.
- Consent can be withdrawn at any time.
- Consent for online services from a child below the applicable age threshold (between 13 and 16, depending on the country’s specific regulations) is only valid with parental authorisation.
- Organisations must be able to evidence consent.
Privacy Rights of Individuals:
Individuals’ rights are enhanced and extended in many important areas:
- The right of access to personal data through subject access requests.
- The right to correct inaccurate personal data.
- The right, in certain cases, to have personal data erased (‘the right to be forgotten’).
- The right to opt out of direct marketing that uses their personal data.
- The right to object.
- The right to move personal data from one service provider to another (data portability).
Transparency and Privacy Notices:
- Organisations must be clear and transparent about how personal data is going to be processed, by whom, and why.
- Privacy notices must be provided in a concise, transparent, and easily accessible form, using clear and plain language.
Data Transfers Outside the EU:
The transfer of personal data outside the EU is only allowed:
- Where the EU has designated a country as providing an adequate level of data protection;
- Through model contracts or binding corporate rules; or
- By complying with an approved certification mechanism, e.g. EU-US Privacy Shield.
Data Security and Breach Reporting:
- Personal data needs to be secured against unauthorised processing and against accidental loss, destruction or damage.
- Data breaches must be reported to the data protection authority within 72 hours of discovery.
- Affected individuals should also be told where the breach poses a high risk to their rights and freedoms, e.g. identity theft or risks to personal safety.
Data Protection Officer (DPO):
The appointment of a DPO is mandatory for:
- Public authorities;
- Organisations involved in high-risk processing; and
- Organisations processing special categories of data.
A DPO’s Set Tasks:
- Inform and advise the organisation of its obligations.
- Monitor compliance, including awareness raising, staff training and audits.
- Cooperate with data protection authorities and act as a contact point.
GDPR Enforcement and Penalties:
The GDPR has attracted media and business interest because of the increased administrative fines for non-compliance. Not all infringements of the GDPR will lead to those serious fines.
Besides the power to impose fines, the regulatory authority has a range of corrective powers and sanctions to enforce the GDPR. These include issuing warnings and reprimands, imposing a temporary or permanent ban on data processing, ordering the rectification, restriction or erasure of data, and suspending data transfers to third countries.
The Costs of Non-Compliance:
The administrative fines are discretionary rather than mandatory; they must be imposed on a case-by-case basis and must be ‘effective, proportionate, and dissuasive’.
There are two tiers of administrative fines that can be levied:
1) Up to €10 million, or 2% annual global turnover – whichever is higher.
2) Up to €20 million, or 4% annual global turnover – whichever is higher.
The fines are based on the specific Articles of the Regulation that the organisation has breached. Infringement of the organisation’s obligations, including data security breaches, will be subject to the lower level, whereas infringements of an individual’s privacy rights will be subject to the higher level.
Liability for Damages:
The GDPR also gives individuals the right to compensation for any material and/or non-material damage resulting from an infringement of the GDPR. In certain cases, not-for-profit bodies can bring representative actions on behalf of individuals. This opens the door to mass claims in the event of large-scale infringements.
If you would like more information on this subject, or need assistance with immigration, managerial, or payroll services, contact us today at firstname.lastname@example.org. We will reach out to you within 24 hours. We look forward to hearing from you!