What is the General Data Protection Regulation?
The General Data Protection Regulation (the “GDPR”) (Regulation (EU) 2016/679) is a European Union regulation intended to harmonize data privacy laws across Europe and increase data privacy protections for all European Union citizens. The GDPR was approved by the European Council and Parliament on April 14, 2016, and will come into force beginning on May 25, 2018. The GDPR will replace the Data Protection Directive 95/46/EC (the “Directive”), which required each member state of the European Union to pass national legislation to implement the intended outcome of the Directive. The result was a patchwork of similar, yet distinct, data privacy laws across the European Union member states. By contrast, the GDPR will have immediate and direct legal effect throughout the European Union because it is a regulation and not merely a directive. This also means that companies to whom the GDPR will apply (including companies based outside of the European Union) must be ready to comply with the regulation before the middle of 2018.
Who will the GDPR apply to?
The GDPR will apply to all companies processing the personal data of data subjects residing in the European Union. This means that the GDPR will apply to the processing of personal data by controllers and processors in the European Union, without regard to whether the processing actually takes place within the European Union. Furthermore, the GDPR will apply to the processing of personal data of data subjects in the European Union by a data controller or data processor that is not established in the European Union, where the activities relate to (a) the offering of goods or services to European Union citizens (regardless of whether payment is required) or (b) the monitoring of behavior that takes place within the European Union. Additionally, non-European Union businesses that process the data of European Union citizens will be required to appoint a representative in the European Union.
Who constitutes a data controller or data processor under the GDPR?
Like the Directive, the GDPR refers to “data controllers” and “data processors.” A data controller is an entity that determines the purposes, conditions and means of the processing of personal data. A data processor is an entity that processes personal data on behalf of a data controller. Notably, data controllers and data processors whose core activities consist of processing either (a) operations which require regular and systematic monitoring of data subjects on a large scale or (b) special categories of data or data relating to criminal convictions and offenses, must appoint a Data Protection Officer (“DPO”) under the GDPR. A DPO must be appointed on the basis of professional qualities and expert knowledge of data protection law and practices. A DPO may be either a staff member or an external service provider; in either case, however, the DPO must be provided with the appropriate resources to carry out their tasks. Finally, a DPO must report directly to the highest level of management within an organization and must not carry out any other tasks that could result in a conflict of interest.
What are some new, key concepts embodied in the GDPR?
The GDPR introduces several new data privacy concepts—including the right to access, the right to be forgotten, data portability and privacy by design—all of which generally serve to place more control back into the hands of data subjects themselves.
The right to access affords data subjects the right to obtain confirmation from a data controller as to (a) whether personal data concerning that individual is being processed, (b) where such information is being processed and (c) for what purpose such information is being processed. A data controller must also provide a data subject with a copy of the personal data, free of charge, in an electronic format.
The right to be forgotten requires a data controller to comply with a data subject’s request to (a) erase his or her personal data, (b) cease further dissemination of the data, and (c) potentially have third parties halt processing of the data as well. Conditions for deletion include the data no longer being relevant to the original purpose for processing or the data subject withdrawing consent. A data controller is also tasked with evaluating a data subject’s rights in relation to the “public interest in the availability of the data” when considering a request from the data subject to have personal data erased.
Data portability encompasses a data subject’s right to receive the personal data concerning him or her from a data controller and to transmit that data to another data controller.
Lastly, privacy by design requires a data controller to “implement appropriate technical and organizational measures . . . in an effective way . . . in order to meet the requirements of [the] Regulation and protect the rights of data subjects.” The idea is that data protection should be included in the original design of any system that interacts with protected data, rather than being incorporated into the system later as an afterthought or corrective measure.
What are the requirements for obtaining consent under the GDPR?
Consent is a lawful basis to transfer personal data under the GDPR, as it was under the Directive. However, the conditions for properly obtaining consent are now more exacting. Under the GDPR, an organization’s request for consent must be presented in an intelligible and easily accessible form, and must be accompanied by a document setting forth the purpose for the proposed data processing. Furthermore, it must be as easy to withdraw consent as it is to provide it.
When must an entity report a data breach under the GDPR?
Breach notification becomes mandatory under the GDPR in all European Union member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals.” Moreover, the notification must be made within a mere 72 hours of discovery of the breach. As any company that has previously dealt with a data breach knows, this 72-hour window will afford little opportunity for hesitation or delay. Additionally, data processors will be required to notify their controllers “without undue delay” after discovering a data breach.
What are the penalties for non-compliance with the GDPR?
An organization in violation of the GDPR may be assessed a fine of up to 4% of the organization’s annual global revenue or €20 million (whichever is greater).