A Simple Guide to Complex GDPR Legislation
General Data Protection Regulation (GDPR) – a single law
In Varietate Concordia: translated as Unity in Diversity, the official motto of the European Union, encapsulates the hopes that Europeans can be united in working together for peace and prosperity. This sentiment is at the heart of all developments – from the abolishment of passport controls within the Schengen Area through to its recent plans for a Digital Single Market.
And it is once again present in the European Commission’s attempts to unify data protection within the EU through the General Data Protection Regulation (GDPR) – a single law, applicable to all 28 member states, which aims to build trust within the region and bring data protection up to date in light of new technological developments such as cloud, social and mobile.
In the past, European countries have adopted different approaches to and interpretations of data protection, making it difficult for non-EU organisations to demonstrate compliance easily – and often leading to confusion among citizens. A new, single, harmonised Data Protection Regulation will go a long way towards resolving these issues, making it easier for non-EU companies to operate in a single European market and providing increased confidence for its citizens.
There is a constant tension between the ability to do increasing amounts of business online and the right to privacy, with consumer data being properly safeguarded. GDPR attempts to define where that balance should be, identifying a number of rights for citizens and a number of responsibilities that organisations must adhere to.
Although GDPR is still being finalised, and thus its final composition is yet to be determined, the Regulation is expected to enshrine a number of key principles:
- The Right to be Forgotten – following a recent court ruling in Spain, this right enshrines the principle that a data subject (typically an individual citizen) may request that personal data held on them inappropriately be erased.
- Consent – it must be made clear whenever an organisation wishes to collect and use citizen data, with organisations expected to be able to prove that consumers have opted in.
- Data Portability – citizens are expected to gain the right to request a copy of all personal data being processed on them.
And with these rights come a number of responsibilities for organisations:
- Data Breaches will need to be reported to authorities as soon as they are detected;
- A Data Protection Officer will need to be appointed and interface with the national supervising authority;
- Failure to comply with the new GDPR could in extreme cases result in a fine of up to 5 per cent of the company’s annual worldwide turnover.
Personal data of EU residents
Crucially, for citizens, the GDPR applies to ANY organisation processing personal data of EU residents – even if it is based outside of the European Union. Personal data means anything from a name or email address to a photo posted on a social media site, and the Regulation is particularly applicable to sensitive data such as medical records or bank details. One of the biggest differences is that this is a Regulation, not a Directive: every EU member state will be bound by it after a two-year transition period, without any further legislation having to be passed by national governments.
Next time I’ll be looking at the key challenges facing General Data Protection – from the regulation’s implementation and enforcement, through to the issues for organizations looking to comply…