HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Overview of the GDPR

The content of the General Data Protection Regulation, or GDPR for short, was confirmed as long ago as 2015. It is due to become law on the 25th of May 2018, from which date the details outlined in this GDPR overview become applicable. From then on, a business or an organisation which falls under the remit of the GDPR, and yet fails to comply with it, may face the imposition of significant fines or other sanctions. The magnitude of any fine under the GDPR will be a decision for the appropriate Data Protection Authority (DPA). While the different member states of the EU will have their own DPAs, it is anticipated that there will be ongoing discussion between the various DPAs, so as to make sure that there will be some degree of consistency throughout the European Union.

Consistency was one of the main motivations for the introduction of the GDPR. Another key reason is to offer EU citizens greater control over how their personal data is used.

What are the main consequences of the GDPR for companies and organisations?

As noted above, failing to comply with the requirements of the GDPR may lead to the offending party facing a large fine. The maximum imposable fine is €20 million or, if higher, 4% of the company’s annual turnover. It is improbable that a fine of this severity will be regularly imposed – and it may not happen at all – but onerous fines are indeed likely in circumstances where parties are not GDPR compliant.


Business people should be aware that the GDPR is not solely applicable to companies or organisations located in member states of the European Union. Businesses which process the personal data of citizens of EU member states are obliged to be GDPR compliant irrespective of where on the globe they are based. It would be feasible for a business to make sure it complies with the GDPR when processing the data of European citizens and to use another system (or systems) for data relating to non-EU subjects. In practice, however, maintaining separate processes and procedures for different groups of clients may prove to be a logistical nightmare. For this reason, the vast majority of businesses will, in all likelihood, adopt GDPR compliant procedures for all of the personal data they process.

Does every business need its own Data Protection Officer?

Every business must evaluate whether or not it is required to appoint its own Data Protection Officer, usually referred to as a “DPO”. The GDPR requires that any company which processes personal data (including the regular and systematic monitoring of its data subjects, or large-scale processing of sensitive personal data) must have its own DPO in place.

This requirement is not as restrictive as was initially suggested. Nonetheless, it is significant that EU nations can impose their own particular requirements when it comes to the definition of a DPO. Businesses should also be aware that having a DPO in place is often beneficial for them. A DPO should possess the experience and sufficient expertise to assist the business in making sure that it is GDPR compliant. Interestingly, the GDPR includes no stipulations as to what qualifications, if any, a DPO is required to have. The regulation does state, however, that DPOs ought to have detailed knowledge of the GDPR and be capable of implementing adequate data protection processes and procedures. All businesses need to take care that anyone appointed to this position has the required knowledge and skill set.

The obligation to report all data breaches

Any summary of the GDPR is sure to include information concerning the obligation to report data breaches. A data breach must be reported to the relevant DPA within a maximum of 72 hours, other than in circumstances where the breach will not put at risk the rights of the individuals whose data is concerned. It is essential to realise that the ‘clock’ on the 72-hour time limit starts ‘ticking’ as soon as the affected organisation could reasonably be expected to know that a data breach had been sustained.

Data subjects also have a right to be promptly informed that their data has been compromised following a breach. The reporting method is dependent upon the degree of risk entailed; for example, if the controller has (successfully) taken action to mitigate the risk, or if the data concerned was encrypted, the business involved may only be required to make a public announcement acknowledging the breach.

Summarising the question of consent under the GDPR

The notion of consent is a particularly important aspect of the GDPR. First of all, it is important to clarify that it is not obligatory in all circumstances to obtain consent in order to process an individual’s personal data; a limited number of other legitimate legal bases for such processing exist. In circumstances where your data processing is based on consent, however, you need to make sure of the following:

• Data subjects gave explicit and informed consent.
• Personal data is used exclusively for the purpose for which consent was given.
• Consent is obtained separately from other information, e.g. detailed terms & conditions.
• The consenting person has taken a positive action to provide his or her consent, i.e. pre-checked tick boxes cannot be used to obtain legal consent.

When relying on consent to process personal data, your business needs to be capable of proving that it has the relevant consent, and to confirm the manner and date on which it was given. It is important, therefore, to keep a detailed record of this type of information.

It must be simple and practical for a data subject to withdraw their consent at a later date. To take a simple example, if an individual has given their consent to be on the mailing list of a regular newsletter from your company, you must guarantee that they can opt out of that mailing list at any time, and can do so quickly and easily. As soon as a data subject has opted out, you must cease to hold or process any part of the personal data they had previously provided. Some exceptions may apply; however, to continue processing data after the withdrawal of consent you will need to be able to demonstrate another legitimate legal basis for doing so.

The data subject’s right to be forgotten under GDPR

It has long been public knowledge that the GDPR will give data subjects a right to be forgotten. From the 25th of May 2018, an individual may request that any personal information about them that is held by a company or organisation be deleted. It is not, however, the case in all circumstances that the said information has to be deleted. There may be a legitimate judicial reason for retaining or even continuing to process it; e.g. an ongoing legal dispute, or because the information is still needed as it forms part of a contract between the data subject and your company, as the data controller.

Without a satisfactory reason for holding on to the data, it should be deleted as per the request. Businesses (again, in the absence of another legitimate reason) should also delete any data that is no longer being used for its initial purpose. From a security perspective, such deletion is an advantage: the smaller the amount of personal data a business processes, the lower the risk in the event of a data breach.

Data Protection Impact Assessments

An essential aspect of GDPR compliance is the need to identify high-risk data and processing activities. This concerns instances where the type of data being processed, or indeed the type of processing itself, poses a significant risk to the rights of the data subjects concerned. Data Protection Impact Assessments, or DPIAs, are used to assist in evaluating the risk level, and potential impact, connected to the data. Where a high level of risk has been identified, the business must mitigate it. In circumstances where it appears that mitigation is impossible, the business must refer to the DPA for advice prior to processing the data.

The new right of data portability under GDPR

A new right that citizens of EU member states will enjoy under the GDPR is that of data portability. This is the right of data subjects to obtain a copy, in an electronic and machine-readable format, of all personal data relating to them that is in the possession of the relevant company or organisation. Clients of the business may then transmit this data to anyone they like, including its competitors.

Change to subject access requests under GDPR

Subject access requests (SARs) have existed for a number of years; however, the rules concerning them are modified by the GDPR. An SAR must be responded to within a maximum of 40 days. In circumstances where the SAR is especially complex, the 40-day limit may be extended by up to a further two months. Additionally, businesses may no longer charge data subjects a fee for responding to an SAR, other than in circumstances where the request is deemed to be without basis or excessive.

With any luck, you will have found this overview of the GDPR interesting and helpful in preparing your business for the regulation’s introduction. GDPR compliance is essential; therefore, if you have any concerns or queries about the GDPR, it is advisable to consult the documentation provided by your local DPA for more detailed information and support.