Beginning in the 1980s with the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108), European governments sought to establish a legal regime governing personal data and cross-border data flows. These efforts ultimately found expression in the 1995 Data Protection Directive (95/46/EC), which governs data protection in Europe today, although as a directive it is implemented through each member state's own national legislation.
Starting in 2012, the European Commission worked on a comprehensive reform that became the EU General Data Protection Regulation (GDPR). The Regulation was adopted in 2016 and applies from May 25, 2018 directly and uniformly across the EU, with no national implementing legislation required. (A countdown clock has been added to the sidebar of this blog.)
Who Does it Apply To?
The test for whether the GDPR applies is not only whether you have an establishment in the EU (if you do, it applies to that establishment's processing regardless of where the processing takes place). Even with no EU presence, the GDPR applies if your business:
- Offers products and/or services to individuals in the EU (whether or not payment is required);
- Monitors the behavior of individuals in the EU, for example by tracking them online; or
- Otherwise handles the personal data of individuals in the EU.
The GDPR Principles In Brief
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject.
Where consent is the lawful basis for processing, the GDPR requires an affirmative opt-in: consent must be freely given, specific, informed and unambiguous, and pre-ticked boxes or silence do not count. Data subjects must be able to access their data, have it corrected, and in many cases request its deletion. Transparency also requires adequate notice of what is collected, for what purpose, on what lawful basis, and for how long it is kept.
Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed. Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
The GDPR limits the collection of data to the amount and duration that is necessary for the purpose collected.
Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
The GDPR provides that personal data should be anonymized where possible (truly anonymized data falls outside the Regulation altogether); otherwise pseudonymization, encryption, or other technical and organizational controls appropriate to the risk must be employed to protect the data, including the ability to restore availability and access after an incident.
Data controllers are responsible for compliance and must be able to demonstrate it, and processors carry their own direct obligations. Organizations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive categories of data, must appoint a data protection officer ("DPO"), as must public authorities. In addition, a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to individuals; affected individuals must also be notified when the risk is high.
Accountability is also driven by substantial penalties. Infringements of the basic principles for processing (lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality), of the conditions for consent, of data subjects' rights, or of the rules on international transfers can yield fines of up to €20 million ($23.68 million) or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. Fines are half that (€10 million or 2%) for infringements of the controller and processor obligations, such as implementing appropriate security measures, keeping processing records, appointing a DPO, and notifying breaches.
Individuals are given the right to lodge a complaint with a supervisory authority and to an effective judicial remedy, including compensation for material or non-material damage suffered as a result of an infringement of the Regulation.
With five months remaining before the GDPR applies, now is the time to conduct an audit to determine whether your company is subject to the GDPR, to map what personal data you hold and why, and to identify the steps needed to come into compliance.