Introduction

This overview highlights the key themes of the General Data Protection Regulation (GDPR) to help organizations understand the new legal framework in the EU.

Relevance

  • Data Protection is a topic that can be analyzed from a risk perspective using the BowTie method.
  • Our partner P@ssport offers training courses for Data Protection Officers

Who does the GDPR apply to?

  • The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – ie the controller says how and why personal data is processed and the processor acts on the controller’s behalf.If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.

    However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

  • The GDPR applies to processing carried out by organizations operating within the EU. It also applies to organizations outside the EU that offer goods or services to EU citizens.
  • The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

Data Protection Officer

If data is your business, or your company employs more than 250 people, you need — along with all public authorities or bodies — to appoint a Data Protection Officer in order to comply with Article 35 of the EU Data Protection Regulation.

You have the choice of hiring a Data Protection Officer (DPO) or working with one on a contract basis. A group of undertakings may appoint a single Data Protection Officer. It is expected that the DPO will remain in the position for at least two years, and may only be dismissed if he cannot perform his duties.

Choose your DPO wisely. The DPO must have professional experience and expertise in protecting data and a deep understanding of the EU Data Protection Regulation. The required level of expertise is not strictly defined, but it must be commensurate with the sensitivity and quantity of data organization processes.

Although this isn’t stated in the Regulation, the DPO should be a clear and capable communicator. It’s not enough for him to know the Regulation; he also needs to be able to effectively share his knowledge. Additionally, the DPO needs to be skilled in using his understanding to develop and implement concrete data protection practices and should, therefore, be well-versed in the fine art of change management.

A DPO reports to management but is expected to work independently and without direction. His primary concern is protecting data and enabling compliance, not facilitating shortcuts or finding legal loopholes in the Regulation. The organization he is working with is expected to provide any necessary resources the DPO requires to perform his tasks, such as office space, staff, equipment, and any other necessary resources. He must be involved in all areas of data protection within the organization he works with and must be notified of all data processing and protection issues or concerns in a timely manner.

The DPO is, obviously, the person who directs and oversees all data protection activities within a company. He devises the policies and procedures that bring the organization into compliance with the Regulation, monitors the implementation of those policies, ensures that all staff is fully trained in regards to protecting data, assigns responsibilities and handles the public’s requests regarding their personal data. The DPO keeps management informed regarding their obligations under the Regulation, and is the primary contact point for supervisory authorities.

The DPO is also responsible for monitoring, notifying and otherwise communicating information about personal data breaches (as detailed in Articles 31 and 32), and documenting public and regulators’ requests regarding the removal, destruction, and accessibility of data.

Data breaches

Under the GDPR, the independent Data Protection Officer (DPO) will be under a legal obligation to notify the Supervisory Authority without undue delay and this is also still subject to negotiations at present. The reporting of a data breach is not subject to any de minimis standard and it is likely that the GDPR will provide that such breaches must be reported to the Supervisory Authority as soon as they become aware of the data breach (Article 31). Individuals have to be notified if adverse impact is determined (Article 32).

Sanctions

The following sanctions can be imposed:

  • a warning in writing in cases of first and non-intentional non-compliance
  • regular periodic data protection audits
  • a fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater (Article 83, Paragraph 4)
  • a fine up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (Article 83, Paragraph 5 & 6)

Timeline

The regulation entered into force 20 days after its publication in the EU Official Journal on May 4th, 2016. Its provisions will be directly applicable in all member states two years after this date. It shall apply from 25 May 2018.

What information does the GDPR apply to?

Personal data

The GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – eg an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organizations collect information about people.

For most organizations, keeping HR records, customer lists, or contact details etc, the change to the definition should make little practical difference.

The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.

Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Sensitive personal data

The GDPR refers to sensitive personal data as “special categories of personal data”. For example, the special categories specifically include genetic and biometric data, where processed to uniquely identify an individual. Personal data relating to criminal convictions and offenses are not included, but similar extra safeguards apply to its processing.