GDPR In a Nutshell

07 April 2018

• data protection
• GDPR
• PRIVACY

The regulation is not merely for the 28 EU-member states (27 after Brexit). It is for the 31-member states of the European Economic Area (EEA), which includes the 28 EU member states plus Iceland, Norway, and Lichtenstein. GDPR is being integrated into the 1992 EEA Agreement.

And not only does it affect EEA nations, but any organisation across the globe offering goods or services to European data subjects OR, organisations controlling, processing, or holding personal data of European nationals are also captured.

While GDPR will bring harmonisation across the 31 EEA nations, the new provisions make European data protection law even more different from the laws of 'third countries', presenting a big challenge for international business and litigation.

For example, US courts have interpreted certain privacy rights from amendments to the Constitution, including the first 10 amendments, known commonly as the Bill of Rights. By comparison, Europe places a greater importance on privacy, and is a fundamental right under article 8 ECHR.

Controller and Processor To determine how GDPR affects you, either as Controller or Processor, Article 4 of the GDPR provides the following definitions:

A controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”

A processor is “a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.”

Article 5 provides that data controllers assume responsibility for and must demonstrate compliance with the principles for handling personal data, while article 24 mandates that controllers implement technical and organisational measures to ensure GDPR compliance. However, what is meant by ‘technical and organisational measures’? Well, it is certainly open to interpretation, and one for the lawyers to mull over.

Article 28 provides that processors may not engage another data processor, i.e. a sub-processor, without permission of the data controller. Processors must also implement proper controls. Article 83 provides that GDPR fines apply to both controllers and processors.

GDPR Fines One of the biggest and well-publicised effects of GDPR are in the form of substantial fines of up to 4% of global turnover or 20 million Euros, whichever is greater.

Consent Data controllers must be able to show data subjects gave consent for the handling of their data, and the consent must be obtained with clear and plain language. Moreover, consent must be as easy to withdraw as it was to obtain.

Notification of Data Breaches The relevant supervisory authority (in the UK, this is the ICO) must be notified within 72 hours of a data breach where the breach is likely to “result in a risk to the rights and freedoms” of individuals.

Rights of Data Subjects including:

Right to Erasure The existing Data Protection Act refers to this as the “right to be forgotten”. Data subjects have the right to have information about them “erased.”, however this right is not absolute and should be balanced between the individual’s rights and the public interest in the data.

Right to Access Controllers must explain clearly to data subjects whether, where, and for what purpose their data are being processed. In addition, controllers must provide data subjects electronic copies of their data free of charge and can only charge a fee where there are mass numbers of copies required by the subject.

Data Protection Officers All public bodies and entities conducting regular monitoring of data subjects on a large scale or processing conviction information will have to have them. What is meant by ‘large scale’ is again, open to legal interpretation. The DPO’s responsibilities include advising controllers and processors of GDPR requirements and monitoring compliance.

Preparation for GDPR ISO 27001 certification will focus the mind of business’ decision-makers to examine the information security threats and vulnerabilities, develop and implement security controls, and continue to monitor potential security threats.

Engaging a DPO will help to fill the void between owner, managers and stakeholders, and be the point of contact as well as taking responsibility for ensuring the risk management framework of the business is proficient with the challenges of GDPR.

Training and consulting firms such as the International Association of Privacy Professionals (IAPP) can provide guidance.

Build a Data Map: Under the GDPR, having a map of exactly what data you have and where that data reside is critical. If your data is flowing outside the EEA or the nations deemed to have adequate data protection standards, you need to know and take appropriate safeguards.