Essential guide to the EU General Data Protection Regulation (GDPR)
A guide to the new European Union data protection laws and how they affect your organisation
The European Union’s General Data Protection Regulation (GDPR) comes into effect on 25 May 2018. GDPR will introduce new accountability obligations and stronger rights and restrictions on international data flows.
Against a backdrop of radical technological advances and the Snowden revelations about data surveillance, the new framework is ambitious, complex and strict. It presents any organisation that has so far failed to begin preparations with a steep challenge to become compliant in time.
GDPR introduces new obligations for any organisation that handles data about EU citizens – whether that organisation is located in the EU or not. It introduces data breach notification into European law for the first time. And it places stricter responsibilities on organisations to prove they are adequately managing and protecting personal data.
In this guide, we examine the challenges, opportunities and key actions that all organisations need to consider in preparing for GDPR.
10 key facts businesses need to note about the GDPR
With less than two years before the new EU data protection rules come into force, there are key areas businesses need to focus on to ensure they will be compliant
The European Union’s new data protection regulation is complicated, but there are 10 key facts businesses need to know, says privacy lawyer and KuppingerCole analyst Karsten Kinast.
“The General Data Protection Regulation (GDPR) comes into force in less than two years’ time, but it is not too late for organisations to start responding to these key facts,” he told the European Identity & Cloud Conference 2016 in Munich.
- GDPR applies to all
The GDPR applies to all companies worldwide that process personal data of European Union (EU) citizens.
“For the first time, the European Commission [EC] is exporting European data protection principles to the rest of the world,” said Kinast.
This means that any company that works with information relating to EU citizens will have to comply with the requirements of the GDPR, making it the first global data protection law.
Kinast believes this aspect alone will contribute significantly to all companies around the world – including those in Europe – taking data privacy more seriously.
- The GDPR widens the definition of personal data
While the definition of personal data has always been fairly wide, Kinast said the GDPR broadens it even further, bringing new kinds of personal data under regulation.
“This means parts of IT that have been unaffected by data protection laws in the past will need attention from businesses to ensure they comply with the new regulation,” said Kinast.
The GDPR considers any data that can be used to identify an individual as personal data. It includes, for the first time, things such as genetic, mental, cultural, economic or social information.
“From now, hardly any personal data will not fall under the GDPR, making it difficult for organisations to avoid having to comply with its requirements,” said Kinast.
- The GDPR tightens the rules for obtaining valid consent to using personal information
Having the ability to prove valid consent for using personal information is likely to be one of the biggest challenges presented by the GDPR, according to Kinast.
“Organisations need to ensure they use simple language when asking for consent to collect personal data, they need to be clear about how they will use the information, and they need to understand that silence or inactivity no longer constitutes consent,” he said.
The GDPR requires all organisations collecting personal data to be able to prove clear and affirmative consent to process that data. However, Kinast said most of the consent mechanisms he is seeing in the market are not valid under the GDPR.
“In the future, it will be more important than ever for organisations to explain exactly what personal data they are collecting and how it will be processed and used. Without valid consent, any personal data processing activities will be shut down by the authorities,” he said.
- The GDPR makes the appointment of a DPO mandatory for certain organisations
The GDPR requires public authorities processing personal information to appoint a data protection officer (DPO), as well as other entities, when “core activities” require “regular and systematic monitoring of data subjects on a large scale” or consist of “processing on a large scale of special categories of data”.
According to a study by the International Association of Privacy Professionals (IAPP), this requirement means that, in Europe alone, 28,000 DPOs will have to be appointed in the next two years.
“This will affect even German companies, where there has been a requirement to appoint a DPO for organisations with more than 10 employees,” said Kinast.
“This is because, with today’s technology, there are many organisations with fewer than 10 employees that process the personal data of thousands of people and have a much higher risk than many larger organisations.
“The GDPR does away with the criterion of number of employees and focuses instead on what organisations do with personal information.
“Therefore, any business that depends on processing personal information will have to appoint a DPO, who will be an extension of the data protection authority to ensure personal data processes, activities and systems conform to the law by design,” he said.
- The GDPR introduces mandatory PIAs
According to Kinast, the inclusion of mandatory privacy impact assessments (PIAs) in the GDPR is mainly due to the influence of the UK’s Information Commissioner’s Office, which has worked a lot with PIAs in the past.
The GDPR requires data controllers to conduct PIAs where privacy breach risks are high to minimise risks to data subjects.
“This means before organisations can even begin projects involving personal information, they will have to conduct a privacy risk assessment and work with the DPO to ensure they are in compliance as projects progress,” he said.
- The GDPR introduces a common data breach notification requirement
The GDPR harmonises the various data breach notification laws in Europe and is aimed at ensuring organisations constantly monitor for breaches of personal data.
“The regulation requires organisations to notify the local data protection authority of a data breach within 72 hours of discovering it. This means organisations need to ensure they have the technologies and processes in place that will enable them to detect and respond to a data breach,” said Kinast.
“For many organisations, this may require quite a bit of training. It may also require making changes to internal data security policies and how this is promoted in the organisation to ensure data breaches are properly understood and will be recognised easily,” he said.
- The GDPR introduces the right to be forgotten
The GDPR introduces very restrictive, enforceable data handling principles, said Kinast.
One of these is the data minimisation principle, which requires organisations not to hold data for any longer than absolutely necessary and not to change the use of the data from the purpose for which it was originally collected, while at the same time they must delete any data at the request of the data subject.
“This means organisations will have to get fresh consent before they can alter the way they are using the data they have collected,” he said.
It also means organisations have to ensure they have the processes and technologies in place to delete data in response to requests from data subjects.
- The GDPR expands liability beyond data controllers
In the past, only data controllers were considered responsible for data processing activities, but the GDPR extends liability to all organisations that touch personal data.
“The GDPR also covers any organisation that provides data processing services to the data controller, which means that even organisations that are purely service providers that work with personal data will need to comply with rules such as data minimisation,” said Kinast.
- The GDPR requires privacy by design
The GDPR requires that privacy is included in systems and processes by design.
“This means that software, systems and processes must consider compliance with the principles of data protection,” said Kinast.
“However, the proper erasure of information, for example, is not something often seen in software. But in the future, all software will be required to be capable of completely erasing data, which will be a challenge for a lot of software engineers,” he said.
- The GDPR introduces the concept of a one-stop shop
In the past, Ireland has been popular with large US corporations, such as Google, because of the country’s relatively permissive data protection authority, said Kinast.
“However, that all disappears with the GDPR, which allows any European data protection authority to take action against organisations, regardless of where in the world the company is based,” he said.
Kinast noted this enforcement is also backed by significant fines of up to €20m or 4% of group annual global turnover.
The benefit for business, he said, is that they will have to deal with only one supervisory authority rather than a different one for each EU state.
“This will make it simpler and cheaper for organisations, but at the same time, EU citizens still have the right to approach any data protection authority of their choice to lodge complaints,” said Kinast.