The General Data Protection Regulation (EU) 2016/679 replaces the current EU Data Protection Directive 95/46/EC. The GDPR is intended to strengthen and unify data protection for individuals within the European Union. The regulation states clearly that the protection of personal data is a fundamental right and aims to restore the balance between the interests of the Data Subject and the Data Controller. Whether you are a Data Controller, a Data Processor or a Data Subject, GDPR is momentous. Continue reading to discover five things you need to know about GDPR.
The outgoing Data Protection Directive was created before advances in technology such as global search engines or social media. You currently have 19 months to get yourself, your employees and your organisation ready before the regulation applies. This may seem like a long time, but it can take 12 months just to construct and deploy a basic awareness plan, so consider how long it will take to engage employees and your organisation with a topic as "exciting" as the GDPR.
Data Controllers are liable for the actions of any Service Providers they use for processing and are ultimately responsible for ensuring compliance with the Regulation's data processing principles. Processors also acquire direct obligations of their own under GDPR, but if your Processor makes a critical misstep, the fallout will still have a significant impact on you as the Controller.
This also applies to any current contracts that run beyond 25 May 2018, the date from which the regulation applies, so contracts being agreed now will be affected by GDPR. There will be no "grandfathering" of pre-existing contracts that comply with the current Data Protection Directive's requirements. Contracts expiring after the GDPR applies need change control or change of law clauses included now, so that they can be amended to comply with GDPR. GDPR checkpoints should therefore be added to the project plan of all contract renewal and procurement activities.
It is essential that Controllers ensure their Processors can demonstrate the ability to implement the technical and organisational measures needed to meet the Regulation's requirements. Any contract between a Controller and a Processor must also be governed by EU or Member State law. The contract must explicitly set down the tasks and responsibilities of the Processor, including how data will be processed, returned and deleted; how data will be safeguarded if it crosses borders; and what risk-mitigation strategies will be employed.
One of the biggest changes with GDPR, compared to the current Directive, is in the area of consent. The conditions for obtaining consent have become stricter. Consent must now be obtained separately for each distinct purpose for which you intend to process personal data; a single consent can no longer be stretched to cover unrelated processing activities.
Forced or omnibus consent mechanisms are no longer considered valid. Consent must be active and cannot rely on silence, inactivity or pre-ticked boxes. It must be distinguishable, clear and not bundled with other agreements. Withdrawing consent must be as easy as giving it, which in practice means offering a simple withdrawal method, including one using the same medium through which consent was originally gained.
Under the current Data Protection Directive, there is a large variation in financial penalties across Member States.
GDPR sets out two tiers of maximum administrative fines that may be imposed. In each case, the maximum fine is expressed as a fixed sum in Euros or as a percentage of total worldwide annual turnover for the preceding financial year, whichever is higher.
If Data Controllers or Processors fail to implement technical and organisational measures proportionate to the risk posed by their processing, a fine of up to ten million Euros, or two percent of global annual turnover, whichever is higher, can be imposed. The higher tier, up to twenty million Euros or four percent of global annual turnover, applies to breaches of the basic processing principles, the conditions for consent, data subjects' rights and the rules on international transfers.
GDPR also introduces an updated right for data subjects to claim compensation for the damage they suffer from such incidents. Both the Data Controller and the Data Processor can be sued for compensation, in addition to being exposed to administrative fines.
All in all, the new regulation amounts to a sea change akin to the Sarbanes-Oxley compliance changes that came into force in 2002.