The European Union has a new privacy law, and it is more stringent than ever. The European Union General Data Protection Regulation (GDPR), which comes into force on 25th May 2018, is the most comprehensive and ambitious piece of regulation on data protection and privacy to date.
How does GDPR affect you?
GDPR affects all businesses that process the personal data of persons who are in the European Union, irrespective of where those businesses are located: GDPR has extra-territorial application. If you are a company or business with customers or clients in the European Union, or if you collect personal data of persons in the European Union, you need to be GDPR compliant by 25th May 2018 or face a hefty penalty for failure.
GDPR rules apply to both data controllers and data processors. For example, take the case of A (data processor), who hosts a cloud-based application used by B, C and D (subscribers), which in turn collect personal data from data subjects located in the European Union through that application. Both A (the data processor) and B, C and D (the data controllers) are subject to GDPR. A controller is an entity that determines the purposes, conditions and means of the processing of personal data, while a processor is an entity that processes personal data on behalf of, and under the directions of, the controller.
What is Personal Data?
Personal data is any information relating to a natural person (the "data subject") that can be used to directly or indirectly identify that person. Personal data may also be called "personal information" or "personally identifiable information". It can be anything from a name, photo, email address, identification number, phone number, bank details, location data, medical or genetic information, posts on social networking websites, a computer's IP address or an online identifier, to one or more factors specific to the physiological, genetic, mental, economic, cultural or social identity of that natural person.
Important Compliances in GDPR
- When collecting personal data, consent must be requested in an intelligible and easily accessible form, using clear and plain language. Persons also have the right to withdraw their consent. Special provisions apply to persons below the age of 16.
- Persons have the right to access their information, the right to data erasure, the right to data portability and the right to be notified in case of a data breach. All of these rights should be communicated to the data subject as well as incorporated into the design of the application.
- The concept of privacy by design is at the core of GDPR. It means that data protection should be built in from the outset of system design, rather than added at a later stage. For example, privacy by design may entail that the system supports encryption of personal data. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimization), and to limit access to personal data to those who need it to carry out the processing.
- Appointment of a Data Protection Officer (DPO) is required in certain cases.
What are the penalties in case of non-compliance?
Fines and penalties are imposed by Supervisory Authorities after taking into consideration many factors, including the nature and gravity of the infringement. In addition, EU Member States can lay down and impose their own fines.
Infringement of, or non-compliance with, specific provisions of GDPR may entail an administrative fine of up to 20,000,000 EUR or up to 4% of annual global turnover. This is the maximum fine that can be imposed, reserved for the most serious infringements.
Please contact Legawise for assistance in assessing whether or not your organization needs GDPR compliance and in devising a solution that best fits your organization’s needs.