The GDPR is the European Union’s new data protection law. It replaces the Data Protection Directive (the “Directive”), which has been in effect since 1995. While the GDPR preserves many of the principles established in the Directive, it is a much more ambitious law. Among its most notable changes, the GDPR gives individuals greater control over their personal data and imposes many new obligations on organizations that collect, handle, or analyze personal data. The GDPR also gives national regulators new powers to impose significant fines on organizations that breach the law.
When does the GDPR take effect?
The GDPR takes effect on May 25, 2018. The GDPR actually became law in April 2016, but given the significant changes some organisations will need to make to align with the regulation, a two-year transition period was included. Organisations should not expect any grace period from regulators beyond May 25, 2018. Some EU member state regulators have already gone on record to say there will be no enforcement holiday for organisations that fail to comply.
What are the main requirements of the GDPR?
The GDPR imposes a wide range of requirements on organisations that collect or process personal data, including a requirement to comply with six key principles:
1. Transparency, fairness, and lawfulness in the handling and use of personal data. You will need to be clear with individuals about how you are using personal data and will also need a “lawful basis” to process that data.
2. Limiting the processing of personal data to specified, explicit, and legitimate purposes. You will not be able to re-use or disclose personal data for purposes that are not “compatible” with the purpose for which the data was originally collected.
3. Minimising the collection and storage of personal data to that which is adequate and relevant for the intended purpose.
4. Ensuring the accuracy of personal data and enabling it to be erased or rectified. You will need to take steps to ensure that the personal data you hold is accurate and can be corrected if errors occur.
5. Limiting the storage of personal data. You will need to ensure that you retain personal data only for as long as necessary to achieve the purposes for which the data was collected.
6. Ensuring security, integrity, and confidentiality of personal data. Your organisation must take steps to keep personal data secure through technical and organisational security measures.
Does the GDPR apply to my organization?
The GDPR applies more broadly than might be apparent at first glance. Unlike privacy laws in some other jurisdictions, the GDPR is applicable to organizations of all sizes and all industries. Specifically, the GDPR applies to:
A) processing of anyone’s personal data, if the processing is done in the context of the activities of an organization established in the EU (regardless of where the processing takes place);
B) processing of personal data of individuals who reside in the EU by an organisation established outside the EU, where that processing relates to the offering of goods or services to those individuals or to the monitoring of their behaviour. The EU is often viewed as a role model on privacy issues internationally, so we also expect to see concepts in the GDPR adopted in other parts of the world over time.
How do I know if the data that my organization is processing is covered by the GDPR?
The GDPR regulates the collection, storage, use, and sharing of “personal data.” Personal data is defined very broadly under the GDPR as any data that relates to an identified or identifiable natural person. This can include data such as online identifiers (e.g., IP addresses), employee information, sales databases, customer services data, customer feedback forms, location data, biometric data, CCTV footage, loyalty scheme records, health and financial information and much more. Indeed, the term is so broad that it can even include information that does not appear to be personal – such as a photo of a landscape without people – where that information is linked by an account number or unique code to an identifiable individual. And even personal data that has been pseudonymized can still be personal data if the pseudonym can be linked to a particular individual.
My organisation is only processing data on behalf of others. Does it still need to comply with the GDPR?
Yes. Although the rules differ somewhat, the GDPR applies to organisations that collect and process data for their own purposes (“controllers”) as well as to organisations that process data on behalf of others (“processors”). This is a shift from the existing Directive, which applies primarily to controllers.