In our Data Protection 101 series, we’re going to discuss information security essentials in both general and specific terms. First up: An exploration of the General Data Protection Regulation (GDPR), and what organizations need to do to comply with it.
The GDPR Defined
In April of 2016, the European Parliament and Council authorized the General Data Protection Regulation, or GDPR. Taking effect on May 25, 2018, the GDPR will become the European Union’s leading regulation on how companies must protect the personal data of EU citizens. It replaces the previous Data Protection Directive 95/46/EC. Compliance with the older Directive does not necessarily guarantee compliance with the GDPR, so companies need to examine their compliance carefully before the Regulation takes effect. Failing to comply with the GDPR after May 25, 2018 will put companies at risk of significant penalties and fines. There is some more information on the Capita ITPS blog.
The GDPR rules apply equally to every part of the European Union; one goal of the new Regulation is to foster more consistent consumer and personal data protection throughout the EU. These are the essential principles of the GDPR:
* Consent of data subjects must be secured before their data is processed
* Collected data must be anonymized to protect privacy
* Data breaches must be disclosed responsibly to citizens who may be affected
* Certain types of companies must appoint a Data Protection Officer tasked with GDPR compliance
* International data transfers must be standardized and made as safe as possible
In essence, the GDPR is focused entirely on setting up binding standards for data processing and data movement to ensure that companies handle the data of EU citizens with discretion and safety.
GDPR Compliance: Who Does The Regulation Affect?
One core goal of the GDPR is to foster greater consistency in data protection laws by aligning regulations on the topic throughout the EU. No member needs to pass its own data protection laws in the future; the GDPR applies everywhere. The GDPR is of significant interest to companies outside the EU because it will apply to all companies that do business with EU citizens, no matter where the companies are located. This gives the GDPR a global reach, and it will likely influence the data protection requirements of countries well outside of Europe.
GDPR Requirements For 2018
The General Data Protection Regulation consists of 91 articles divided into 11 chapters. Some of the most important articles and chapters are summarized here:
Articles 17 & 18: These articles are intended to increase the amount of control data subjects have over their personal data and how it is processed. Most importantly, data subjects need to be able to easily transfer personal data from one service provider to another whenever they desire. This ability is summarized as the “right to portability.” Articles 17 & 18 also codify data subjects’ ability to direct controllers to erase their personal data when appropriate conditions are met. This is also called the “right to erasure.”
Articles 23 & 30: These articles codify the data protection measures companies need to enact in order to ensure that consumers’ personal data is secured against loss, exposure, or unauthorized sharing.
Articles 31 & 32: Article 31 provides requirements for general data breach notifications. Controllers are required to report any and all breaches within 72 hours of detecting them; they also need to specify the nature of the breach and approximately how many data subjects it affects. Article 32 defines further responsibilities data controllers have when a breach qualifies as “high risk”; these notably include notifying data subjects as quickly as possible.
Articles 33 & 33a: These articles codify the need for companies to identify consumer data risks by performing Data Protection Impact Assessments. Any risks detected need to be addressed via Data Protection Compliance Reviews.
Article 35: This is the article that obliges certain companies to appoint data protection officers. The companies affected are those that process data containing subjects’ health, genetic, ethnic, or religious information. Data protection officers take responsibility for GDPR compliance in their organizations and serve as points of contact for Supervisory Authorities. Note that some companies may be obliged to appoint a data protection officer solely because of the data they collect from employees as part of their ordinary human resources activity.
Articles 36 & 37: These articles go into detail regarding the role of the data protection officer. They cover responsibility for GDPR compliance and the specifics of reporting vital information to both data subjects and Supervisory Authorities.
Article 45: This is the article which confirms that the GDPR applies to international companies as long as they collect or process personal data from EU citizens. Such companies are subjected to the same regulations and penalties as companies operating within the EU.
Article 79: This article details the penalties to be imposed on companies that fail to comply with the GDPR. The maximum penalty described in Article 79 is a fine comprising 4 percent of the violator’s global annual revenue; the severity of specific penalties varies according to the nature of the violation.
Enforcing The GDPR And Assessing Non-Compliance Penalties
Non-compliance penalties under the GDPR are stiffer than those mandated in the Data Protection Directive (DPD). Thanks to its EU-wide mandate, the GDPR gives Supervisory Authorities (SAs) more discretion. SAs have both investigative and corrective powers, enabling them to issue non-compliance warnings, audit data handling, mandate improvements in specific companies’ data procedures, order data erasures, and block international data transfers.
Supervisory Authorities are also able to issue more severe fines under the GDPR than under the DPD it replaces. Fines are assessed on a case-by-case basis, and SAs are free to use other corrective options with or without fines. Maximum fines are capped in two categories at €10m or €20m. Alternatively, fines in each category can be set at 2 or 4 percent of global annual revenue if the violator’s revenue exceeds the Euro figures above.