What is it?
The EU’s General Data Protection Regulation (GDPR) was adopted in April 2016 and applies from 25 May 2018. It clears up some of the ambiguities that existed in personal data protection law and widens the definition of personal data, in particular for sensitive categories of data.
Why was it introduced?
It replaces the Data Protection Directive 95/46/EC (DPD), adopted in 1995, the year that Amazon.com officially opened, the Yahoo.com and ebay.com domains were registered and Microsoft released Internet Explorer 1.0. A framework written for that world was obviously obsolete and could not provide an adequate legal basis for today’s market and society.
The DPD, as a directive, had to be transposed into national law and left Member States a significant degree of freedom in how to do so. The GDPR, in contrast, is a regulation: it is directly applicable law in every Member State, which reduces divergent national implementations to a minimum, limited to the areas the regulation does not cover or intentionally leaves open for Member States to “localise”.
Which data are relevant?
The GDPR affects three main types of data.
• Personal data and unique identifiers: the definition of personal data now expressly includes online identifiers and location data, putting it beyond doubt that IP addresses, cookie and mobile device IDs and the like are personal data and must be protected accordingly.
• Pseudonymous data: a concept introduced by the GDPR. Personal data that has been subjected to technical measures (such as hashing or encryption) so that it no longer directly identifies an individual without the use of additional information, which must be kept separately and protected. Note that pseudonymised data is still personal data; pseudonymisation is a risk-reducing safeguard, not an exemption from the regulation.
• Genetic data and biometric data: the GDPR introduces specific definitions of “genetic data” (e.g. an individual’s gene sequence) and “biometric data” (e.g. fingerprints, facial images used for recognition, retinal scans) and treats both as special categories of data.
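The pseudonymisation bullet above deserves a concrete illustration, because the most common implementation (a plain hash of the identifier) does not meet the definition. The following Python is an added example written for this page, not code from the original text or from LAMDA HELLIX. It pseudonymises the client IP addresses in a few constructed web-server log lines. A plain SHA-256 of an IPv4 address is trivially reversed by enumerating the address space, so it still identifies the individual; a keyed hash (HMAC-SHA256) keeps the address linkable across log lines but cannot be reversed without the key, which is the “additional information” the GDPR requires to be held separately. The key value, log format and network range are assumptions made for the example.

```python
"""Pseudonymising an online identifier (an IPv4 address) in log lines.

Added example for this page, not code from the original text. Shows why a
plain hash is NOT pseudonymisation (it is reversible by enumeration) and how a
keyed hash, with the key stored apart from the logs, meets the definition.
"""
import hashlib
import hmac
import ipaddress
import secrets
from typing import List, Optional

# Constructed sample input (documentation addresses, not real traffic).
SAMPLE_LOG = [
    "2016-05-24T10:01:02Z 203.0.113.45 GET /index.html 200",
    "2016-05-24T10:01:05Z 203.0.113.45 GET /about.html 200",
    "2016-05-24T10:02:11Z 198.51.100.7 POST /login 302",
]


def naive_hash(ip: str) -> str:
    """Plain SHA-256 of the address. Looks anonymous but is not: IPv4 has
    only 2^32 values, so the digest can be precomputed or enumerated."""
    return hashlib.sha256(ip.encode()).hexdigest()


def reverse_naive_hash(digest: str, network: str) -> Optional[str]:
    """Recover an address from its plain hash by enumerating a candidate
    network (a /24 here; the whole IPv4 space is only ~4 billion hashes)."""
    for addr in ipaddress.ip_network(network, strict=False):
        if naive_hash(str(addr)) == digest:
            return str(addr)
    return None


def pseudonymise_ip(ip: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256). Deterministic, so the same client stays
    linkable across lines, but without `key` an attacker must guess a 256-bit
    secret rather than a 32-bit address, so enumeration no longer works."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def pseudonymise_log(lines: List[str], key: bytes) -> List[str]:
    """Replace the client IP (second field) in each log line with its token.
    Assumes the constructed format: timestamp, ip, rest of line."""
    out = []
    for line in lines:
        ts, ip, rest = line.split(" ", 2)
        out.append(f"{ts} {pseudonymise_ip(ip, key)} {rest}")
    return out


if __name__ == "__main__":
    # 1. Plain hashing: the "anonymised" value is reversed in milliseconds.
    digest = naive_hash("203.0.113.45")
    print("plain hash recovered:", reverse_naive_hash(digest, "203.0.113.0/24"))

    # 2. Keyed hashing: generate the key once and keep it away from the logs
    #    (assumed: a KMS/HSM or a secrets store the log pipeline cannot read).
    key = secrets.token_bytes(32)
    for line in pseudonymise_log(SAMPLE_LOG, key):
        print(line)
    token = pseudonymise_ip("203.0.113.45", key)
    print("keyed hash recovered:", reverse_naive_hash(token, "203.0.113.0/24"))
```

Two design points follow from the GDPR definition rather than from the code: the key is what makes the token non-identifying, so it must live outside the system holding the tokens (and rotating it per retention period breaks long-term linkability); and the tokens are still personal data in the hands of anyone who holds the key, so the pseudonymised logs remain subject to the regulation.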
Who is affected?
The GDPR applies to any organisation that meets any of the following criteria (Article 3):
• Is established in the EU
• Offers goods or services to individuals in the EU (whether or not payment is required)
• Monitors the behaviour of individuals in the EU
Note that the regulation protects individuals in the EU regardless of citizenship. It affects two roles, which the same organisation may hold for different data:
• Data Controllers: organisations that determine the purposes and means of processing personal data.
• Data Processors: organisations that process personal data on behalf of a Data Controller, such as hosting and cloud service providers.
The direct accountability of Data Processors, introduced by the GDPR, is a significant change from the DPD: in a nutshell, it spreads the responsibility for protecting personal data to every company involved in handling it, including cloud service providers, a large and rapidly growing industry.
What does it include?
Affected organisations must take “appropriate” technical and organisational measures and be able to demonstrate their compliance with the GDPR. Some of the measures are:
o Detailed records of processing activities
o Technical and organisational security measures (e.g. encryption and pseudonymisation of personal data)
o Data Protection Impact Assessments (DPIAs) for high-risk processing
o Appointment of a Data Protection Officer (DPO), where required
Who benefits?
The individual! The rights of data subjects over their personal data are strengthened. In addition to the existing rights to access, correct, block and delete data and the right to opt out of direct marketing, the GDPR introduces:
• “Unambiguous” consent, given by a clear affirmative act
• Enhanced access and objection rights
• Right to be forgotten
• Right to data portability
What about data breaches?
Before the GDPR there were no pan-EU rules on data breaches, with the exception of ISPs and telcos. The new regulation requires Data Controllers to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals) and to inform the affected data subjects without undue delay when the breach is likely to result in a high risk to them. Data Processors must notify their Controller without undue delay after becoming aware of a breach.
Will I need a DPO?
The GDPR requires the appointment of a Data Protection Officer (DPO) by all public authorities and by any Controller or Processor whose core activities consist of “large scale” regular and systematic monitoring of individuals or “large scale” processing of special categories of data. The DPO can be an employee or an outsourced service provider.
Will data export be easier?
No! The rules that restrict the export of personal data remain.
The regulation prohibits transferring personal data outside the EU to a third country that does not ensure an adequate level of data protection. Transfers are freely allowed only to the small number of countries covered by a European Commission adequacy decision.
A multinational company can export personal data to countries not on that list only under appropriate safeguards, such as Standard Contractual Clauses or Binding Corporate Rules (BCRs). BCRs are a stringent, intra-corporate global privacy policy, with a set of practices, processes and guidelines, that must be approved by the competent data protection authorities; once approved, they authorise intra-group transfers of personal data (e.g. customer databases, HR information) outside the EU.
What if I get it wrong?
Don’t! The GDPR introduces administrative fines for non-compliance of up to 4% of total worldwide annual turnover of the preceding financial year or €20 million, whichever is higher (a lower tier of up to 2% or €10 million applies to less serious infringements).
Notice: This text provides a simplified and concise overview of the EU’s GDPR. It should not be considered legal advice or used as a guideline for adopting the regulation. LAMDA HELLIX cannot be held liable for any consequences that may occur due to failed compliance with the GDPR.