What is the General Data Protection Regulation?
The General Data Protection Regulation ("GDPR") is an EU Regulation adopted in April 2016. It replaces its predecessor, the 1995 Data Protection Directive, and regulates EU-based controllers or processors, personal data processed in the EU or the processing of personal data of EU data subjects by entities anywhere in the world. The GDPR became directly applicable in all 28 member states (including the UK). Enforcement of the GDPR commences on 25 May 2018.
The GDPR significantly widens the scope of existing EU data protection legislation. The GDPR has extra-territorial reach in that it regulates personal data that is processed in the EU (Article 3.3), or the personal data of EU data subjects where such processing relates to the offering of goods or services (Article 3.2(a)) or the monitoring of the data subjects' behaviour in the EU (Article 3.2(b)), regardless of where the data is processed.
What are the key changes and requirements of GDPR?
The definitions of "personal data" and "sensitive personal data" have been expanded. The expansion of these definitions in and of itself affects the interpretation of the regulation.
The GDPR grants a plethora of rights to data subjects, such as free access to their personal data, and the right to "be forgotten". It also imposes obligations on data controllers and processors, such as to notify personal data breaches to the relevant supervisory authority (and, in some cases, the affected individual) within 72 hours of becoming aware of such breach. Consent for each type of data processing should be obtained from the data subject that is an affirmative action, separate from other terms and conditions, freely given, clear, informed and recorded for audit purposes, and easily retractable. If any previously obtained consent is non-compliant then new consent should be obtained.
Any firm outside of the EU that is caught by Article 3.2(a) or (b) of the GDPR must appoint a GDPR representative in the EU, unless the organisation is a public authority or body, or the data processing activities are occasional and do not include the large-scale processing of certain types of personal data.
How can affected entities become GDPR compliant?
The EU encourages compliance by "design". Firms should:
- map data processing operations and adapt policies/procedures;
- be able to: grant access to personal data, make data "portable", and allow for total and permanent erasure of data, upon the data subject's request;
- implement notice procedures in the event of a data breach;
- circulate requests for consent in an intelligible form, including the purpose for which the data is to be processed; and
- where required, appoint a "representative" in one of the EU Member States where the data subjects are based.
What happens if firms do not comply with the GDPR?
Firms could be fined up to the greater of 4% of annual global turnover or €20 million. Each EU Member State is responsible for enforcing the GDPR in its jurisdiction.
Notwithstanding the requirement for most non-EU based data processors and controllers to appoint a representative in the EU, it remains to be seen how the GDPR will be enforced against such organisations which do not hold any assets in the EU.