After over four years of discussion, the EU’s General Data Protection Regulation (GDPR) was adopted on April 27, 2016 and became effective on May 25, 2018. The GDPR replaces the EU’s Data Protection Directive (95/46 EU) which has served as the main instrument of the EU for almost two decades. GDPR is directly applicable to all EU Member States without the need for implementing national legislation.
With over 200 pages long, GDPR is one of the most wide ranging pieces of data protection and privacy legislation passed by the EU in recent years, and the concepts introduced such as the right to be forgotten, data portability, data breach notification and accountability, among others, require strategic and timely implementation efforts across the enterprise.
This page provides a high level overview of the GDPR and its key requirements that companies will need to comply with and ensure their proper implementation to meet their compliance obligations. GDPR also applies to all international companies which collect and process EU consumer data in their European business operations.
Identity Management Institute offers a comprehensive GDPR video training course which focuses on the regulatory compliance requirements and provides specific action steps in each section that students can apply to ensure GDPR compliance within their organizations.
The GDPR imposes a high duty of care upon controllers in selecting their personal data processing service providers which will require procurement processes and request for tender documents to be regularly assessed. Contracts must be implemented with service providers which include a range of information (e.g. the data processed and the duration for processing) and obligations (e.g. notification when a security breach occurs, pseudonymization, encryption measures and audit obligations). Where a service provider hires a sub-processor, that entity must also comply with GDPR .
Scope and Definition
An EU based data controller and processor falls into the scope of GDPR where personal data is processed in the context of its activities. The GDPR applies to data from which a living individual is identified or identifiable (by anyone), whether directly or indirectly, including online identifiers, device identifiers, cookie ID, biometric data, and IP addresses.
The GDPR also applies to data controllers and processors outside the EU whose processing activities relate to the offering of goods or services (even if for free) to, or monitoring the behavior (within the EU) of, EU data subjects. This means in practice that a company outside the EU which is targeting consumers in the EU will be subject to the GDPR.
- A data subject’s consent to the processing of their personal data must be freely given, specific, informed, and unambiguous, shown either by a statement or a clear affirmative action which signifies agreement to the processing. Consent cannot be assumed due to inaction.
- The enterprise will be required to demonstrate that consent was given. It should be noted that further guidance of the GDPR emphasizes that “consent is not freely given if the data subject had no genuine and free choice and is unable to withdraw or refuse consent without detriment.”
- Existing consents remain valid, provided they meet the new conditions.
- Where personal data is processed for direct marketing, research or statistical purposes, the data subject will have a right to object. This right will have to be explicitly brought to their attention.
The GDPR places accountability obligations on data controllers to demonstrate compliance. These include accountability measures such as: Privacy Impact Assessments, audits, policy reviews, activity records and (potentially) appointing a data protection officer (“DPO”).
Privacy by Design
With regard to Privacy by Design, the enterprise will need to ensure implementation of technical and organizational measures to show that they have integrated data compliance measures into their data processing activities, such as adopting policies that ensure compliance with data minimization obligations. This is one main reason that Data Protection Officers must have expertise in technical and administrative data protection controls.
Enforcement & Administrative Fines
- Infringements regarding obligations of the controller and the processor (e.g. third party service providers) may be subject to administrative fines of up to €10 million, or 2% of worldwide annual turnover—whichever is higher.
- Infringements regarding the basic principles for processing, data-subject rights, transfers of personal data, or non-compliance with an order by the supervisory authority may be subject to administrative fines of up to €20 million, or 4% of worldwide annual turnover— whichever is higher.
- GDPR grants data subjects a private right of action.
The enterprise will be required to provide information to individuals about the processing of their data, including but not limited to, identity and contact details of the controller, purpose of processing and legal basis, data recipient(s), details of the data transfer outside the EU and retention.
Data Breach Notification
Data processors must report personal data breaches to data controllers. Data controllers must report personal data breaches to their supervisory authority and in some cases, affected data subjects without undue delay and, where feasible, within 72 hours of awareness. A reasonable justification must be provided if this timeframe is not met.
Notification does not need to be made to the relevant authority if the breach is unlikely to result in a risk to the rights and freedoms of individuals. The threshold for notification to data subjects is that there is likely to be a “high risk” to their rights and freedoms.
Data Protection Officers
In certain circumstances, the enterprise may need to designate a Data Protection Officer (DPO) as part of its accountability program, but it largely depends on the type and volume of data being processed. The threshold is:
- Processing is carried out by a public authority;
- The core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale; or
- The core activities consist of processing on a large scale of special categories of data.
Apply to become a Certified in Data Protection (CDP) professional and demonstrate a comprehensive knowledge of data privacy and security in all areas of IT and operations.
Right to Erasure/Right to be Forgotten
Data subjects have the right to request the controller to erase his or her personal data without undue delay where:
- The data is no longer necessary for the purposes collected;
- The data subject withdraws consent;
- The data subject objects to data processing.
Where the controller has made the data public, the controller shall take reasonable steps to inform the controller processing that data of the erasure request.
Right of Access
An individual has the following rights with regards to a data controller:
- to obtain confirmation whether his/her personal data are being processed;
- to access the data (i.e. provide a copy); and
- to be provided with supplemental information about the processing.
The controller must comply “without undue delay” and “at the latest within one month”, with limited exceptions.
The GDPR requires data controllers to implement policies and procedures to ensure compliance, including but not limited to, the following:
- appoint a DPO (if required);
- maintain internal records of GDPR compliance;
- provide GDPR training;
- Implement robust information security measures;
- privacy by design and data protection impact assessment (if required); and
- register processing activities with the relevant data protection authority.
International Data Transfers
GDPR contains essentially the same toolkit as previously available for international data transfer to counties not deemed to have adequate data protection measures, including but not limited to, model contract clauses and binding corporate rules. The GDPR does nothing to resolve the issues around the European Court of Justice’s invalidation of US-EU Safe Harbor, which was one of the primary mechanisms utilized to transfer data from Europe to the U.S.
An independent European Data Protection Board (EDPB) replaces the Article 29 Working Party. Its obligations include issuing opinions/guidance, ensuring consistent application of the GDPR and reporting to the European Commission. EDPB and national supervisory authorities have been granted investigative and enforcement powers.
Certified in Data Protection® (CDP) is a comprehensive global training and certification program which leverages international security standards and privacy laws to teach candidates about the best data protection practices during the entire data management lifecycle.
Data protection professionals are increasingly required to be experts in privacy regulations as well as technical and administrative security controls. Data privacy and security are interdependent and the CDP® program offers one of the best consolidated training programs that teaches candidates about privacy and security concepts. Learn more about the CDP program.