What is GDPR (“General Data Protection Regulation”)?
The General Data Protection Regulation (Regulation (EU) 2016/679) of the European Parliament and of the Council of the European Union is the new EU data protection framework. It seeks to strengthen and harmonize the protection of natural persons with regard to the processing of personal data and the free movement of such data.
By 25 May 2018 all controllers and processors shall review their systems, processes and policies and take further steps towards compliance with the complex set of requirements under the Regulation.
The extraterritorial scope of the Regulation leads to a wider reach of its application. Controllers and processors dealing with personal data of EU citizens shall build and demonstrate compliance with GDPR.
What is personal data?
Personal data means any information relating to an identified or identifiable natural person (“data subject”) (Regulation (EU) 2016/679, Art. 4(1)). It includes, for example:
- Online identifiers (email address, IP address)
- Genetic and biometric data
- Personal data relating to criminal convictions and offences
- Sensitive personal data: special categories of personal data, such as information on health, religion, political beliefs, sexual orientation, etc.
Key GDPR figures
Supervisory authority – an independent public authority established by a Member State.
Data subject – the Regulation applies to the processing of personal data of EU citizens. As of 25 May 2018 data subjects benefit from strengthened and expanded rights compared to the rights enshrined in Directive 95/46/EC.
Controller – the figure, from either the public or the private sector, which determines the purposes and means of the processing of personal data.
Processor – the figure, from either the public or the private sector, which processes personal data on behalf of the controller.
Overview of key requirements
1. Data subject’s rights
- Right to restriction of processing
- Right to data portability
- Right not to be subject to a decision based solely on automated processing, including profiling
- Information and access to personal data
- Right to rectification
- Right to erasure (‘right to be forgotten’)
- Notification obligation regarding rectification or erasure of personal data or restriction of processing
- Right to object
2. Lawful processing under GDPR (Regulation (EU) 2016/679, Art. 6)
The processing is considered lawful when at least one of the following applies:
Consent: You have obtained explicit consent from the data subjects prior to the processing.
Contract: You are performing a contract to which the data subject is party, or you are taking steps at the request of the data subject before entering into a contract.
Legal obligation: The controller is subject to a legal obligation.
Vital interests: You need to protect the vital interests of the data subject or of another natural person.
Public interest/Official authority: A task is carried out in the public interest or in the exercise of official authority.
Legitimate interest: The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
3. Penalties for non-compliance
The cost of non-compliance with GDPR (“General Data Protection Regulation”) requirements may amount to up to €20 million, or 4% of the global annual turnover (whichever is higher).
4. Duties and responsibilities of controllers and processors under GDPR
Data breach (Art. 33): Notification of a personal data breach to the supervisory authority within no more than 72 hours after having become aware of it.
Accountability (Art. 5, Para 2): The principle of accountability states that controllers are responsible for, and must be able to demonstrate, compliance with the principles relating to the processing of personal data.
Data protection by design and by default (Art. 25): Meet the principles of data protection by design and by default from the earliest stages of your activities involving personal data.
Technical and organizational measures (Art. 24, 25, 28, 30, 32): Under GDPR, controllers and processors need to implement appropriate technical and organizational measures, taking into account the level of risk in relation to the processing of personal data. Pseudonymisation and encryption of personal data are among the security measures explicitly named in the Regulation.
Processing personal data of children under 16 years of age (Art. 8): For the processing to be lawful, controllers and processors dealing with personal data of children under 16 years of age need to obtain consent from the holder of parental responsibility over the child.
Data Protection Impact Assessment (“DPIA”) under GDPR (Art. 35, 36): A data protection impact assessment may be required in the case of:
- a systematic and extensive evaluation of personal information;
- processing on a large scale of special categories of data;
- systematic monitoring of a publicly accessible area on a large scale.
Note: prior consultation with the supervisory authority will be required if the DPIA indicates high-risk processing.
Records of processing activities (Art. 30): Keep records of processing activities, including detailed information about the controller, the purposes of processing, the categories of data subjects and of personal data, time limits for erasure, etc.
Data Protection Officer (Section 4): The Data Protection Officer’s role is to facilitate compliance with the applicable data protection rules. Even where designation of a DPO is optional, organizations may consider appointing a DPO as a best practice to demonstrate accountability and ensure compliance.
You need to understand whether you are obliged to appoint a Data Protection Officer. Please check
First steps towards GDPR compliance
Before taking further steps towards compliance with the GDPR data protection rules, take stock of how personal data is processed within your organization:
- Type of data you collect, process and/or store, and the categories of personal data.
- Purpose or purposes for which you are processing personal data.
- Place of storage – paper records, local server, or cloud-based storage.
- Access to personal data – everyone within the organization who has access to, or is authorized to process, personal data.
- Time limits – period of retention and erasure.