History and Overview
The European Union (EU) introduced its data protection standard 20 years ago through the Data Protection Directive 95/46/EC. Since a Directive allows Member States a margin of flexibility when transposing it into national law, Europe ended up with an array of differing privacy laws. With the increases in security breaches, technology advancements, and globalization over the past 20 years, new challenges have surfaced over the protection of personal data. Therefore, the EU has developed the GDPR.
The announcement to finalize GDPR was made in December 2015, and following a vote by the EU Parliament, the GDPR will take effect on May 25, 2018. The intent is to strengthen and unify data protection for individuals within the EU, while controlling the export of personal data outside the EU. Simply put, GDPR will give EU citizens control of their personal data. However, the comprehensive legislation surrounding GDPR has made it very hard for organizations across the world that conduct business within the EU to adapt and prepare for compliance with GDPR.
Non-European Businesses
Does GDPR apply to your organization? GDPR extends to non-European businesses that offer goods and services to data subjects in the EU, and even to non-European businesses that monitor EU data subjects’ behavior, regardless of whether the non-European business maintains an office or subsidiary in the EU.
Key Points
- In the event an organization outside the EU targets or monitors consumers’ behavior in the EU, that organization is subject to GDPR.
- A Data Protection Officer (DPO) is highly recommended, but is only required if one of the following applies:
  - Data collection is being performed by a public body or authority; or
  - Data collection is being performed as a systematic process on a large scale; or
    - Factors to consider when determining “large scale”:
      - Number of data subjects involved
      - Volume and range of data being processed
      - Duration and permanence of data processing
      - Geographical reach of the processing activity
  - Data collection involves information from special categories of data.
- In the event a DPO is not appointed, the decision to not appoint must be documented.
- Accountability is placed on data controllers to demonstrate compliance, requiring them to:
- Maintain documentation
- Conduct a data protection impact assessment for high-risk processing
- Implement data protection by design
- Consent must be freely given, specific, informed and unambiguous. Requests for consent should be separate from other terms and be clearly communicated.
- Data controllers must notify the data protection authority (DPA) of most data breaches without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Justification must be provided if this time frame is not met, and in some cases the data controller must also notify the affected data subjects.
Implications of Accountability under GDPR
Because GDPR places accountability on organizations that have access to personal data, these organizations must prepare to respond to requests from individuals who want to exercise their rights over the processing of their data. If an organization suffers a data breach under GDPR, the following implications may apply, depending on the severity of the breach:
- Organizations must notify the local data protection authority and potentially the owners of the breached records;
- Organizations could be fined up to 4% of annual revenue or €20 million, whichever is higher; other specified infringements carry a fine of up to 2% of annual revenue or €10 million, whichever is higher;
- Reputational damage; and
- Loss of business opportunities.
Act Now
Organizations have to revisit their IT strategies for alignment with GDPR; at the same time, they need to ensure that they continue to meet their business requirements and account for any impacts on the business arising from their strategic initiatives.