Share this article on:
What does ‘GDPR Compliance’ mean?
GDPR compliance is due to become obligatory for every business or organisation, or company which gathers, stores or utilises the personal data of citizens throughout the European Union in May 2018. The application of the General Data Protection Regulation (GDPR) together with the need for GDPR compliance that will follow, will significantly impact the manner in which data protection is dealt with throughout Europe.
In order to respond to the question “What does ‘GDPR Compliance’ mean?”, it is necessary to explain, to those who may be unfamiliar with the terms, what the difference between a European Union Directive and a European Union Regulation is; an EU Directive is a general set of guidelines on which EU member states may base their own domestic laws around (with some flexibility as to the precise terms), whereas an EU Regulation is legislation that applies throughout the entire European Union, meaning that all member nations are obliged to comply with Regulations and they are enforceable by law.
The General Data Protection Regulation (GDPR) is, as its name would suggest, an EU Regulation. The 1995 EU Data Protection Directive will be replaced by the GDPR which serves to create standard data protection laws across the EU. Businesses and companies that operate in numerous EU member states will now be obliged to work within a uniform set of rules which resolve issues that were impossible to foresee when the 1995 Directive was drafted, e.g. data processing in context of “cloud” technology.
Essential Aspects of the New Data Protection Rules under GDPR
The GDPR data protection rules comprise a precise clarification of what is legally recognised as personal data, the rights of citizens to be informed as to how their personal data is used, what personal data can be gathered, and how each individual´s informed consent must be obtained in order to collect, maintain or use that personal data.
The new definition of “personal data” will impact every organisation or company that employs cookies on their websites. The GDPR data protection rules recognise “online identifiers”, including pseudonymous identifiers, as personal data. Furthermore, identifiers now considered to be personal data include race or ethnicity, religion or lack thereof, together with genetic or biometric data.
Those who review their GDPR compliance procedures are advised to keep records of the manner in which they obtain individuals’ informed consent. An individual must give consent via a recordable affirmative action if their personal data is be gathered, stored or used. Each person must be informed prior to giving consent what the data is intended to be used for and they must also be made aware of their right to later withdraw consent.
The Rights of Individuals and GDPR Compliance
Any body which collects, maintains or uses an individual´s personal data but neglects to first acquire the informed consent of those persons, or does not delete destroy their record of the data concerned after an individual has withdrawn their consent – breaches the GDPR. There are numerous other rights of individuals that must be taken into account by companies or organisation when they review their GDPR compliance. These rights of individuals include:
- The right to view or consult stored personal data.
- The right to amend any errors in their personal data.
- The right to be informed as to how personal data will be used.
- The right to be informed as to how long their personal data will be stored.
- The right to be informed who their personal data is being shared with.
- The right “to be forgotten”, i.e. to have any stored personal data permanently deleted.
- The right to be informed as to the source of their personal data in circumstances where informed consent was not in fact given.
N.B. This is not an exhaustive list!
Businesses and companies will need to review their data gathering, storage and processing mechanisms to guarantee that personal data can be isolated, extracted and permanently deleted when required in order to comply with the GDPR rules for the rights of individuals. Methods of verifying the identity of individuals who wish to exercise their GDPR rights will also have to be put into action.
Data Protection Officers and Ensuring Compliance with GDPR
Included in the GDPR data protection rules are a number of measures which must be taken in order to ensure GDPR compliance. Simply put, the “accountancy principle”must be complied with; i.e. companies or organisations must provide transparent privacy policies, and carry out GDPR data protection impact evaluations to identify any potential risks to the security of personal data.
The implementation of procedures to rectify any risks to the integrity of personal data and the application of comprehensive governance measures to guarantee that those procedures are adhered to will be required. Depending on circumstances, it may be necessary to carry out GDPR compliance training and large businesses or companies might have to appoint a Data Protection Officer.
A Data Protection Officer’s role is to act as a counsellor and to monitor GDPR compliance. The officer will be in charge of managing internal data protection activities, offering advice on GDPR data protection impact evaluations, the training of staff and carrying out internal audits. Furthermore, the Data Protection Officer will be the first point of reference for Data Protection Authorities (discussed in detail below) and those individuals who may wish to exercise their GDPR rights.
European Union Penalties following GDPR Non-Compliance
The majority of European Union member states already have their own Data Protection Authorities in place. Their duty is to ensure that national data protection laws are complied with and, where there has been failures to do so, to impose penalties for unauthorized use of personal data. Following the introduction of the GDPR, these Data Protection Authorities will have the power to conduct GDPR compliance audits and impose penalties for any non-compliance found. This will even include circumstances where a breach of personal data has not in fact occurred.
Non-compliance with GDPR attracts a wide variety of penalties depending upon the type of violation, the number or size of records disclosed without authorization, and the action taken by the body in question in order to minimize the breach of personal data. Maximum penalties (which can in fact include accidental disclosure) for GDPR non-compliance are considerable:
- Non-compliance with GDPR security standards may result in a €10 million or 2% of global annual turnover fine – whichever is greater.
- Non-compliance with GDPR privacy standards may result in a €20 million or 4% of global annual turnover fine – whichever is greater.
Additional Penalties for Failure to Comply with the GDPR
Additional penalties for lack of GDPR compliance may be imposed in circumstances where a company has failed to notify its Data Protection, Authority within seventy-two hours, of the discovery of any unauthorised exposure of personal data. Moreover, the company may potentially be charged with a criminal offence or offences depending on the national law of the EU state concerned.
If the exposure of personal data has the possible or probable consequences of the individual(s) concerned falling victim to identity theft, fraud, financial loss, discrimination, injury to reputation or other economic or social disadvantage, the breach must also has be notified directly to the individual(s). This may result in a personal compensation law suit being made against the offending organisation.
One exception to the obligation to inform individuals (but not in fact the Data Protection Authorities) exists in circumstances where the exposed personal data had been encrypted, therefore rendering it unusable by the person or persons who gain access to it. In such an event, the Data Protection Officer would have to show to the Data Protection Authority that the data concerned had been kept securely before the breach.
Resume of the GDPR
- The European Union General Data Protection Regulation (GDPR) will apply from the 25th May 2018 and concerns every company or organisation, inside or outside of the EU, that gathers, stores or maintains the personal data of citizens of European Union member states.
- Concerning what is defined as “personal data”, any characteristic that could potentially identify or point out an individual is understood to be personal data. Numerous online identifiers such as cookies are included in this definition.
- An “affirmative action” to give informed consent for the gathering, storage and/or use of personal data must be made by the individuals concerned. The way in which informed consent is given must be recorded and saved by the body which gathers the information.
- Individuals have wide-ranging rights over how their personal data is gathered, held or used. This includes a right “to be forgotten”. In order to prevent GDPR fraud from occurring, systems must be put in place.
- Institutions are obliged to implement privacy policies that are clear and transparent. They must also carry out risk assessments and initiate procedures to guarantee the integrity of individuals’ personal data. On occasion employment of a Data Protection Office might be a necessity.
- A penalty for failing to comply with GDPR may be enforced even when no breach of personal data has in fact happened. The severity of the penalty is dependant on what actions were taken to minimize the unauthorized exposure of the individuals’ personal data.
- Companies need to inform themselves about the GDPR Breach Notification Rule and the sanctions which may be applied as a consequence of failing to notify the authorities within 72 hours.
Please note that this resume of GDPR is intended to provide a simple overview of the issues discussed within it. Reasonable precautions have been taken in order to ensure that the content is based on the facts that were available at the time of publication. No responsibility for mistakes or omissions in this GDPR summary will be taken by us. Those concerned about GDPR compliance should take legal advice from a professional as soon as possible.