Legal Disclaimer: This document is a broad overview of the forthcoming EU General Data Protection Regulation (GDPR) and does not provide legal advice. We urge you to consult with your own legal counsel to familiarize yourself with the requirements that govern your specific situation.
Data protection and compliance are becoming the topic du jour among Audit Committees, Regulators, Auditors and compliance professionals. One of the newest regulations that attempts to deal with the problematic area of data security is the EU’s General Data Protection Regulation (“GDPR”), set to take effect on May 25, 2018.
Going into 2018, we thought we would shed some light on this new regulation with a short primer. Here are 11 basic points about GDPR gleaned from the software giant Salesforce’s excellent article on the topic.
1. What is the GDPR?
The EU General Data Protection Regulation (“GDPR”) is a new comprehensive data protection law that updates existing EU laws to strengthen the protection of “personal data” (any information relating to an identified or identifiable natural person, so called “data subjects”).
2. Does the GDPR affect my organization?
3. Security Measures
The GDPR requires Controllers and Processors to implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented.
4. Breach Notification
The GDPR requires organizations to report certain personal data breaches to the relevant data protection authority, and in some circumstances, to the affected data subjects.
5. Data Protection Impact Assessments
Where certain processing is likely to be classified as “high risk” to data subjects, the Controller may be required to carry out a data protection impact assessment identifying the impact of the proposed processing operations on the personal data.
6. International Transfers
European data protection law restricts the transfer of personal data outside of the EU unless there are appropriate safeguards in place to protect that data.
7. Consent
Consent is subject to additional requirements under the GDPR. The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of a data subject’s wishes through a statement or clear affirmative action”.
8. Information for Data Subjects
The GDPR requires that Controllers provide data subjects with information about their processing operations at the time when the personal data are collected.
9. Profiling
The GDPR introduces the concept of “profiling” or any form of automated processing that uses personal data to evaluate personal aspects and in particular to analyze or predict aspects relating to an individual’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. Data subjects must be informed of the existence of profiling and any consequences of the profiling.
10. Fines
Fines for non-compliance under the GDPR can be substantial. Data protection authorities have a number of enforcement powers under the GDPR, including the ability to fine organizations up to €20 million or 4% of annual global turnover, whichever is higher. These are maximum fines and it remains to be seen how regulators will use their newly-acquired enforcement powers.
11. “One Stop Shop”
Under the GDPR, organizations that are established in more than one EU member state or are processing personal data affecting data subjects in more than one EU country will have greater clarity about their supervising data protection authority.
Separate Fact from Fiction as you prepare your organization to comply with the forthcoming EU General Data Protection Regulation (GDPR).