The new European privacy law, General Data Protection Regulation (GDPR), was approved by the European Union (EU) Parliament to replace its predecessor Data Protection Directive 95/46/EC (Directive). GDPR will be enforceable in all EU member states on May 25, 2018.
Previously, it was ambiguous as to the applicability of the Directive to a non-EU company without a data processing establishment in the EU. This issue has driven a lot of business decisions and has arisen in a number of high profile court cases in Europe. Ambiguous applicability is no longer an issue.
GDPR makes it crystal clear, regardless of the locations of the data processing establishments, GDPR applies to all companies processing personal data of EU residents. This expansion of jurisdiction is arguably the biggest change to the EU privacy laws.
It is of utmost importance for any company conducting businesses in the EU to comply with the GDPR because violations come with heavy penalties. The following are some key terms of GDPR.
- Penalties can be fined up to 4 percent of annual global turnover or €20 Million, whichever is greater.
- Consent request must be in simple, easy-to-read languages and must include the purpose for data processing.
- Withdraw of consent must be as easy as to give consent.
- Breach notification must be done within 72 hours of first awareness of breach in all EU member states where the breach is likely to “result in a risk for the rights and freedoms of individuals.”
- Right to access is expanded as data subject can request confirmation as to whether his/her personal data is processed, where, and for what purpose. When requested, an electronic copy of the personal data shall be provided to the data subject, free of charge.
- Right to be forgotten allows the data subject to have the data controller erase his/her personal data and cease further dissemination of the data.
- Data Portability (a new concept) allows a data subject to request a data controller to transmit his/her data to another controller.
- Privacy by Design requires the inclusion of data protection from the onset of the designing of systems, rather than an addition.
- Data Protection Officer appointment is mandatory for those controllers and processors whose core activities are regular and systematic monitoring of data subjects.