Now that we are a few days away from the GDPR being enforced, many are waking up to the full realization that becoming compliant is an urgent and essential part of security for individuals and organizations. The buzz surrounding it is enough to spark curiosity, but is it enough for you to really know what the GDPR is all about? Here are 100 things that you should know about the GDPR before it’s too late:
What is GDPR?
- The General Data Protection Regulation (GDPR) is a regulation designed to protect personal data for all individuals in the European Union (EU).
- It was proposed by the European Commission and adopted by the European Parliament and the Council of the European Union.
- The proposal for the GDPR was made on 25 January 2012.
- European Parliament Committee on Civil Liberties, Justice, and Home Affairs (LIBE) had its orientation vote on 21 October 2013.
- On 15 December 2015, a joint proposal was negotiated between the European Parliament, Council, and Commission.
- European Parliament LIBE committee voted in favor of the negotiations between the three parties on 17 December 2015.
- GDPR was adopted on 27 April 2016.
- It entered into force on 24 May 2016 and applies from 25 May 2018, after a two-year transition period.
- It will replace the data protection directive of 1995.
- It is the biggest data privacy change in 20 years.
Who Does It Apply to
- It applies to companies that deal with personal data of residents in the EU, regardless of where the company is situated.
- Companies, whether large or small firms, must comply.
- Enterprises with fewer than 250 employees are not required to maintain a record of processing activities unless the processing is likely to result in a risk to the rights and freedoms of data subjects, is not occasional, or includes special categories of data or data relating to criminal convictions. (Article 30(5))
- The term “personal data” means any information relating to an identified or identifiable natural person. A person is identifiable if they can be identified, directly or indirectly, for example by reference to a name, an identification number, location data, an online identifier, or factors specific to their physical, physiological, genetic, mental, economic, cultural or social identity. (Article 4(1))
- A “data subject” is the identified or identifiable natural person to whom personal data relates.
- According to Article 4 of the GDPR, a “data controller” can be described as, “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
- The same article describes a “data processor” as, “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”
- “Consent” means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of their personal data. (Article 4(11))
What Data is Protected
- Basic information on a data subject such as name and address.
- Web data such as location, IP address, cookie data and RFID tags.
- Health and genetic data.
- Biometric data.
- Racial or ethnic data.
- Political opinions.
- Sexual orientation.
The Key Changes of the GDPR
- Territorial Scope: It applies to data controllers and data processors established in the EU and those companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.
- Consent Approval and Withdrawal: Requests for consent must be presented in an intelligible and easily accessible form, using clear and plain language, and consent must be as easy to withdraw as it is to give. For information society services offered directly to a child under 16 (member states may lower this age to 13), consent must be given or authorised by the holder of parental responsibility. (Articles 7 and 8)
- Breach Alert: The supervisory authority must be notified within 72 hours of the organization becoming aware of a breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to those rights and freedoms, the affected data subjects must also be notified without undue delay. (Articles 33 and 34)
- Right to Erasure: An individual can ask for their personal data to be erased without undue delay and free of charge when one of the grounds in Article 17 applies, for example when the data is no longer necessary for its original purpose or consent has been withdrawn. The right is not absolute; it is subject to exceptions such as compliance with a legal obligation and the establishment or defence of legal claims.
- Mandatory Data Protection Impact Assessments: The GDPR requires the DC to conduct a DPIA before any processing that is likely to result in a high risk to the rights and freedoms of data subjects, so that those risks can be identified and mitigated. (Article 35)
- Privacy by Design: All businesses must now build data protection into systems and processes by design and by default. (Article 25)
- Right of Access: Data subjects have the right to obtain confirmation of whether their personal data is being processed, to access that data together with information such as the purposes, the recipients and the retention period, and to receive a free copy of the personal data. Where the request is made electronically, the copy is provided in a commonly used electronic form unless the data subject asks otherwise. (Article 15)
- Data Portability: The individual has the right to receive their data in a structured, commonly used and machine-readable format and to transmit it from one controller to another. (Article 20)
- One Stop Shop Concept: Businesses operating in several member states will deal with a single lead supervisory authority rather than a different one for each state.
- Expanded Liability: Data processors, not only data controllers, are now directly subject to obligations under the Regulation and can be held liable for damage caused by processing that infringes it. (Article 82)
- Mandatory DPO: A Data Protection Officer is required for public authorities, and for those controllers and processors whose core activities consist of regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data or data relating to criminal convictions and offences. (Article 37)
Data Protection Officer
- They must have expert knowledge of data protection law and practices.
- Could be an employee or service provider from an external organization.
- Contact details must be provided to the relevant DPA.
- They must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge.
- They must report directly to the highest level of management.
- They must not carry out any other tasks that could result in a conflict of interest.
Responsibilities of a Data Controller
- Comply: Implement appropriate technical and organizational measures which ensure Data Protection, that is updated as necessary.
- Prove: Document measures taken to prove compliance with the GDPR.
- Data Processor: Use only processors that provide sufficient guarantees of compliance with the GDPR, and record the relationship in a written contract (or other legal act) that sets out the subject matter, duration, nature and purpose of the processing. (Article 28)
- Document: Maintain a record of processing activities that shows how and why personal data is being processed. (Article 30)
- Cooperate with the DPA: The Data Controller is required to cooperate, on request, with the Supervisory Authority. (Article 31)
- DCs Outside the EU: A DC not established in the EU that is subject to the GDPR under Article 3(2) must designate in writing a representative in the EU, unless the processing is occasional, does not include large-scale processing of special categories of data, and is unlikely to result in a risk to data subjects. (Article 27)
- Joint Controllers: Determine their respective responsibilities in a written arrangement and make the essence of it available to the data subjects. (Article 26)
- Data Breach Alert: The DC must notify the supervisory authority of a data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. (Article 33)
- Data Subject Breach Alert: If the breach is likely to result in a high risk to the rights and freedoms of data subjects, the DC must also notify them without undue delay, unless the data was protected by measures such as encryption that render it unintelligible to unauthorised persons. (Article 34)
- Data Protection Impact Assessment: Before any processing that is likely to result in a high risk, the DC must conduct a DPIA and seek the advice of the DPO, where one has been designated. (Article 35)
- DPA Consultation: If the DPIA shows that the processing would result in a high risk in the absence of mitigating measures, the DC must consult the supervisory authority before the processing starts. (Article 36)
- Data Protection Officer: Where Article 37 requires one, the DC must appoint a DPO and involve them, properly and in a timely manner, in all issues relating to the protection of personal data. (Articles 37 and 38)
- Data Security: The DC must implement technical and organizational measures appropriate to the risk, such as pseudonymisation and encryption of personal data, measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability of and access to personal data after an incident (backup and redundancy), and regular testing and evaluation of the effectiveness of those measures. (Article 32)
Responsibilities of a Data Processor
- Data Protection Officer: The DP must appoint a DPO under the same conditions as a controller, for example where its core activities involve large-scale, regular and systematic monitoring of data subjects. (Article 37)
- Guarantee Process Meets GDPR Requirements: Provide sufficient guarantees that the processing will meet the requirements of the GDPR and ensure the protection of the data subject’s rights. (Article 28(1))
- Law-Binding Contract: Processing must be governed by a contract (or other legal act) between the DP and the DC that sets out the subject matter, duration, nature and purpose of the processing and the obligations of the DP. (Article 28(3))
- Act as Instructed: The DP may process personal data only on documented instructions from the DC, including with regard to transfers to a third country, unless required to do so by EU or member state law.
- Ensure Compliance: The DP must immediately inform the DC if, in its opinion, an instruction infringes the GDPR or other EU or member state data protection law.
- Appoint a Sub-Processor: A sub-processor may only be engaged with the prior specific or general written authorisation of the DC, and the same data protection obligations must be imposed on the sub-processor by contract; the DP remains fully liable to the DC for the sub-processor’s performance.
- Confidentiality: The DP must ensure that persons authorised to process personal data have committed themselves to confidentiality or are under a statutory obligation of confidentiality.
- Security of Processing: The DP must implement, and be able to demonstrate, technical and organizational measures that ensure a level of security appropriate to the risk. (Article 32)
- Assist the DC: Taking into account the nature of the processing, the DP must assist the DC in responding to data subject requests and in meeting its obligations on security, breach notification and DPIAs.
- Personal Data: At the end of the provision of services, and at the choice of the DC, the DP must delete or return all personal data and delete existing copies, unless EU or member state law requires the data to be stored.
- Demonstrate Compliance: The DP must make available to the DC all information necessary to demonstrate compliance, and allow for and contribute to audits, including inspections, conducted by the DC or an auditor it mandates.
- Cooperate with the Supervisory Authority: The DP is required to cooperate, on request, with the DPA in the performance of its tasks. (Article 31)
- Representative Appointment: A DP established outside the EU that is subject to the GDPR under Article 3(2) must appoint a representative in the EU, subject to the same exceptions that apply to controllers. (Article 27)
- Liable: A DP is liable for damage caused by processing where it has not complied with obligations specifically directed at processors, or has acted outside or contrary to the lawful instructions of the DC. (Article 82)
Data Protection Principles
- Personal Data Must be Processed Lawfully: Processing requires a legal basis under Article 6, such as the data subject’s consent, performance of a contract, compliance with a legal obligation, protection of vital interests, a task carried out in the public interest, or the legitimate interests of the controller.
- Personal Data Must be Processed Fairly: The data subject must be provided with sufficient information, such as the existence of the processing activities and their purposes, at the moment of collection.
- Personal Data Must be Processed Transparently: All information and communication about the processing must be concise, easily accessible and easy to understand, in clear and plain language.
- Purpose Limitation: Personal data collected for specified, explicit and legitimate purposes may not be further processed in a manner incompatible with those purposes.
- Data Minimisation: The data collected must be adequate, relevant and limited to what is necessary for the purposes of the processing.
- Accuracy: Personal data must be accurate and, where necessary, kept up to date. Inaccurate data must be erased or rectified without delay.
- Storage Limitation: Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for its purpose. Longer storage is permitted solely for archiving in the public interest, scientific or historical research, or statistical purposes, subject to the safeguards of Article 89(1).
- Integrity and Confidentiality: All personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Accountability: The DC is responsible for, and must be able to demonstrate, compliance with the Data Protection Principles.
Rights of Data Subjects Under GDPR
- Right to be Informed: Data subjects have the right to be informed of the identity and contact details of the DC, the contact details of the DPO, the purposes and legal basis of the processing, the recipients of the data, the retention period, and the other information listed in Articles 13 and 14 that is needed to ensure fair and transparent processing.
- Right of Access: Data subjects have the right to obtain confirmation of whether the DC is processing their personal data and, if so, access to that data together with the purposes, the categories of data, the recipients (including third parties), the retention period, the source of the data, the existence of their rights to rectification, erasure, restriction and objection, the right to lodge a complaint with a supervisory authority, and a copy of the personal data. (Article 15)
- Right to Rectification: The data subject has the right to obtain from the DC, without undue delay, the rectification of inaccurate personal data and the completion of incomplete personal data.
- Right to Erasure: An individual can ask for their personal data to be erased when the data is no longer necessary for the purpose for which it was collected, consent is withdrawn, the data subject objects and there are no overriding legitimate grounds for the processing, the data has been unlawfully processed, or erasure is required to comply with a legal obligation, among the other grounds in Article 17.
- Right to Restriction of Processing: The data subject can require the DC to restrict processing of their personal data where its accuracy is contested, the processing is unlawful but the data subject opposes erasure, the controller no longer needs the data but the data subject requires it for legal claims, or an objection to processing is pending. (Article 18)
- Right to Data Portability: The data subject has the right to receive the personal data they provided to a DC in a structured, commonly used and machine-readable format, and to have it transmitted directly to another controller where technically feasible. (Article 20)
- Right to Object: The data subject can object at any time, on grounds relating to their particular situation, to processing based on a public interest task or on legitimate interests, including profiling. Where personal data is processed for direct marketing, the objection is absolute and must always be honoured. In the context of information society services the objection may be exercised by automated means, and processing for scientific, historical or statistical purposes may also be objected to unless it is necessary for a task carried out in the public interest. (Article 21)
- Automated Individual Decision Making: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning them or similarly significantly affects them, subject to the exceptions in Article 22.
Penalties for Non-Compliance with the GDPR
- Administrative fines are imposed by the supervisory authority of each member state. (Article 83)
- The amount of a fine is determined by factors including the nature, gravity and duration of the infringement, whether it was intentional or negligent, actions taken to mitigate the damage, the degree of responsibility given the technical and organizational measures in place, previous infringements, cooperation with the supervisory authority, the categories of data affected, how the authority became aware of the infringement, and adherence to approved codes of conduct or certifications.
- Lower-tier infringements (for example, of the obligations of controllers and processors under Articles 25 to 39) can cost a firm up to €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.
- Upper-tier infringements (for example, of the basic principles for processing, the conditions for consent, data subjects’ rights, or the rules on international transfers) can result in fines of up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher.
Exemptions Can be Made If
EU or member state law may restrict the obligations and rights set out above, provided the restriction respects the essence of fundamental rights and freedoms and is a necessary and proportionate measure to safeguard one of the following (Article 23):
- National security.
- Defence.
- Public security.
- The prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties.
- Other important objectives of general public interest of the Union or a member state, in particular economic or financial interests, including budgetary and taxation matters, public health and social security.
- The protection of judicial independence and judicial proceedings.
- The prevention, investigation, detection and prosecution of breaches of ethics for regulated professions.
- Monitoring, inspection or regulatory functions connected, even occasionally, to the exercise of official authority in the cases of security, defence, other important public interests, crime prevention or professional ethics listed above.
- The protection of the data subject or the rights and freedoms of others.
- The enforcement of civil law claims.