The purpose of the General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, is to help the European Union (EU) give its citizens and residents control over their own personal data. It's designed to simplify the regulatory environment for international businesses and it unifies the regulations within the EU. One of the more significant aspects of the GDPR is that it also addresses the export of personal data outside of the EU, making it the first global data protection law.
Let’s take a closer look at the GDPR and explore what implications is has for businesses worldwide.
Who is affected?
There are three players within the GDPR:
- Controllers: Organizations that collect data from EU residents.
- Processors: Organizations that process data on behalf of data controllers, such as a cloud service provider or a third-party organization that is processing payroll.
- Subjects: The EU residents to whom the data belongs.
We’re a global economy. So, while in many cases, controllers will be EU countries, it is likely that processors will fall outside of the EU. That means any company or center outside of the EU that is processing data of an EU resident will be required to comply with GDPR. Additionally, the non-EU businesses have to appoint a representative in the EU.
What is protected?
Any data about a subject (an EU resident) is protected by GDPR, and nearly everything that defines you as a person is a piece of information that is considered the subject's data. A name for sure, but also phone numbers, physical addresses, and email addresses, along with occupation, genetic information, biometric information, sexual orientation, and political opinions to name a few. Even the cookies that are stored within a person’s browser can have personal information stored in them. And this is protected under GDPR, as well.
What is required?
- Consent: The controller must obtain the subject’s agreement to use their data, which the subject can withdraw at any time.
- Transparency: The controller needs to communicate in clear and concise language regarding what the subject’s data will be used for.
- Disclosure: The controller must communicate with the subject in the event that any changes in processing are occurring and obtain ongoing consent.
- Retention: The controller and processor are only allowed to hold and maintain a subject’s data until such time as the need for controlling or processing the data has passed.
- Notification: The controller must communicate with the subject in the event the subject’s data is breached in any way.
What are the subject’s rights?
There are certain rights that are built in to the GDPR law.
Under this law, EU residents have the right to get information about their own data from a controller at any time, including:
- Why do you need my information?
- Who are you disclosing my personal data to?
- Who are the recipients?
- Who are the processors?
- What is the reason for the processing?
- How long will the data be retained?
Residents are also allowed to lodge a complaint with a supervisory authority at any time if questions arise about what’s going on or if any nefarious behavior is suspected.
The right to representation means the resident has the right to correct any inaccurate information that the controller may have, even if it's as small as a typo. This includes the right to have incomplete personal data completed.
This right to erasure is also known as the right to be forgotten. This one's significant because once the controller no longer needs the data, they have to get rid of it. Plus the subject has the ability to withdraw their consent. And upon the withdrawal of their consent, the controller has to delete all of their information.
If there has been some sort of processing that the subject doesn’t agree with, or they don't want their information going to a particular processor, they have the right to erasure, the right to be forgotten.
Restriction of Processing
If a subject sees that the accuracy of their personal data is not there, or if they see that the processing is not lawful, they have the right to restrict processing. They aren’t asking that the data be removed, they are asking them to stop processing it.
If a subject decides to change their controller, they have the right to receive their data from that controller and transmit it to a different controller. In other words, if they are doing business with one firm, and then decide they want to do business with another firm, they can do it. This is a move of all data, not a copy.
EU residents also have the right to object to the processing of their personal data under GDPR. The controller will no longer be allowed to process the personal data unless they can demonstrate legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise, or defense of legal claims.
Who is responsible?
All businesses that market goods or services (processors) to customers within the EU and collect data (collectors) must appoint a data protection officer (DPO) that acts as an internal, yet independent, advocate for the proper care and use of customer’s information. They are responsible for making sure a company is in compliance with the aims of the GDPR and other relevant legislation.
The DPO reports directly to the CEO or the board, and needs to keep up on the laws and practices around the data protection. They need to conduct privacy assessments internally and ensure that all other matters of compliance pertaining to the data are up-to-date.
What are the penalties?
Organizations that do not comply with the GDPR will be fined up to four percent of their annual global revenue, up to 20 million euros. It’s a tiered approach, so depending on which piece of the GDPR they aren’t compliant with or the scale at which they aren’t compliant, the company can be fined two percent. These penalties will apply to both controllers and processors.
At this time, it isn’t exactly clear how the GDPR will be enforced. We should know a lot more about this as we draw closer to May 2018, when the GDPR becomes enacted into law within the EU.