EU – General Data Protection Regulation: The Basics

First published September 2016

The EU’s General Data Protection Regulation (GDPR) will be one of the most far-reaching data protection regulations in recent times. It will unify data protection for residents of the European Union (EU) and the export of data outside of the EU.

It has taken since 2012, when the earliest drafts were formed, to reach the stage where the wording of law has now been formalised and agreed upon by the EU Council and Parliament. The law will replace the Data Protection Directive from 1995, and be enforced in 2018 after a two-year transition period.

The purpose of the law is to bring Europe into the digital age, giving EU residents enhanced control over their own personal information and data, whilst simplifying existing data protections laws for businesses.

Notable changes in the GDPR proposals include:

• More rigorous regulations for obtaining consent when collecting personal data
• Removing information from company servers when Right to be Forgotten requests are granted
• Establishing a single national office where complaints about data protection can be made
• The introduction of the One-Stop-Shop for cross-border processing
• Strict and extensive fines for companies if they do not comply with the new data protection policies

This article will discuss the basics of the GDPR and the terminology that is associated with the regulation.

How does the GDPR define personal data?

The GDPR will consider a varied collection of data fields that will be classed as ‘personal data’ by the European Commission (EC). Under the new regulations there will be both old-identifiers such as phone numbers and addresses, as well as new-identifiers like email addresses, IP addresses, genetics and biometrics.

The EC states that:

“Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.”

There isn’t much that cannot be attributed to personal data. This will therefore make it almost impossible for companies to avoid complying with requirements outlined within the new regulation.

The Long Reach of the Law

One of the key reasons behind the reform of the Data Protection Directive (DPD) is the need for greater clarity and consistency with regards to the regulation of data protection across Europe.

The new regulation brings uniformity across Europe, aligning the law with the broader market objectives. It will apply directly to individuals and organisations based in the EU.

Controllers and processors (organisations) based outside of the EU who provide services and goods to citizens residing in the EU will also be constrained by the new regulations. This means that all global companies will potentially be affected by the regulation, which, in the process, makes the GDPR the first global data protection law.

The Introduction of the One-Stop-Shop

The regulation introduces the principal of the “One-Stop-Shop” – a data protection authority (DPA) that will act as the lead authority and regulator for the cross-border processing of businesses established in multiple points of presence other than one EU member state.

This is in contrast to the current data protection framework, which states that organisations are responsible to the DPAs of each separate EU country in which they are established.

Consent & The Rights of the Data Subject

Many believe that the current directive gives regulators and controllers too much flexibility with regards to data usage. The rights of the individual have been rebalanced to ensure control over the distribution and processing of personal data is put back in the hands of the data subject. To this end, the rights of the individual have been updated significantly. This includes updates to the following:

• Individuals now need to give clear consent to the processing of personal data
• Data subjects will now have easier access to their own personal data, which will now have to be presented upon request
• Pseudonymisation (a privacy enhancing technique) and encryption of personal data will be imposed so that data cannot be attributed to a specific person
• Individuals will have the rights to rectification, to erasure and ‘to be forgotten’
• The right to object will now be available for specific types of data processing, including direct marketing
• The right to data portability from one service provider to another will now be introduced
• Children under the age of 13 must have a parent or custodian provide consent on their behalf – member states are able to impose their own rules for children between 13 and 15 years of age

Under the new regulation, personal data can only be processed by a controller for purposes that are fair and lawful. Simple, clear and affirmative language must be used to obtain personal data – this is something that may present a stern challenge for many businesses.

Without valid consent, obtaining personal data will be deemed unlawful and, as such, will result in a breach of the new regulations. Individuals also have the right to revoke consent at any part of the data capture process. This presents further challenges for organisations, as they will now have to explain exactly what has been collected, how it will be processed, and how their data will be used.  All data already collected will require fresh consent from the data subject before an organisation can alter the way in which it is being used.

Governance & Compliance

The GDPR will require organisations to adhere to stringent measures designed to help reduce the risk of being penalised and also ensure that governance is being regarded with the utmost seriousness. To ensure that organisations comply with the new regulations, accountability measures will need to be put in place, including:

• Privacy Risk Assessments
• Audits & Policy Reviews
• Activity Records
• Appointing a Data Protection Officer

Organisations are also obliged to take appropriate security measures according to the risk involved in the data processing operations they perform.

The Role of the Data Protection Officer

To ensure that these procedures and measures are followed, it will become necessary for there to be a mandatory appointment of a Data Protection Officer (DPO) for the public sector. This will also apply to the private sector, for large enterprises, and where the core activities of the controller or processor consist of processing operations which require “regular and systematic monitoring”.

Small companies may also have to employ DPOs, as the criteria is no longer reliant on the number of employees but the amount of risk associated with handling personal data. Therefore, any business that deals with processing personal information will have to appoint a DPO.

Due to the time, effort and resource organisations will have to adhere to with regards to the measures outlined within the new regulation, organisations that do not currently have these governances in place may become overburdened with responsibilities.

Personal Data Transfers to a Third Country

The GDPR will bring in stringent governance with regards to the distribution and transfer of data to third countries and international organisations outside of the European Economic Area (EEA). Any personal data exported to a region outside of the European Union will need to be afforded an adequate level of protection determined by the European Commission (EC).

If the EC is unable to adequately determine whether data can be exported to a third party region due to the level of protection afforded, transfer of data may still happen in special circumstances whereby suitable safeguards are in place, such as:

• Binding corporate rules
• Contractual agreements & clauses
• Standard data protection clauses

Data Breaches & The Ramifications

Under the GDPR, a data breach is defined as: “A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

In the event of a data breach, a series of specific steps must be followed. The independent Data Protection Officer (DPO) will be responsible for reporting any data breaches to the Supervisory Authority without undue delay, no later than 72 hours after the occurrence. Data subjects must also be informed if their personal information has been adversely affected, putting their freedoms and rights at risk.

If a data controller or processer not comply with these regulations, businesses will be at risk of incurring significant fines once the GDPR is enforced on 25^th May 2018 – up to proposed extremes of €20m or 4% of annual worldwide turnover for groups of companies, whichever is greater.

The ability to implement changes will be severely limited in the 6-9 months prior to the regulations coming into effect; it is therefore of the utmost importance that preparations for the impact of the General Date Protection Regulation are dealt with now. To ensure your business is truly prepared, read through the content in our GDPR resource centre.