Monday 26 February 2018
The EU GDPR, also known as the « European Union’s General Data Protection Regulation », is the most advanced data protection law when it comes to the rights of internet users and the possession and use of their personal data.
Contrary to what many people think, the GDPR is not new: it was established in 1995. Yet the evolution of technology, and of data processing with it, has created the need for a major update.
While, in 1995, the GDPR created a set of rules that every internet-related company had to follow, it did not foresee how events would unfold. The rules therefore had to be updated to match today’s world.
Geographical and commercial limits
While originally the GDPR was limited to the territory of the European Union, its geographical approach has drastically changed.
The GDPR has been granted an extended jurisdiction: it applies not only to companies processing data whose head office or subsidiary is located on the territory of the EU, but also to extra-territorial operators collecting and processing data belonging to residents of the EU.
Under its previous form, the territorial applicability of the directive was ambiguous and referred to data processing ‘in context of an establishment’.
This topic has arisen in a number of high-profile court cases. The GDPR makes its applicability very clear: it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.
The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens and residents (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU.
Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.
What are the key points of this regulation?
- Territorial coverage
- Extension of the data owner rights
- Engulfment of pre-existing data-related legislation
As previously mentioned, the new GDPR expands its territorial coverage outside of the EU by changing the scope of the law from a defined geographical area to the population living inside that area. In practice this means that regardless of where your company operates from, if it collects and processes data of people residing within the European Union, it has to abide by the rules stated by the GDPR.
The data owner (also known as the data subject) also sees their rights extended; the following elements form part of this extension:
- Breach Notification
- Right to access
- Right to be forgotten
- Data portability
- Privacy by design
- Data protection officer
Breach notification
The Breach Notification is a new fundamental right granted by the updated General Data Protection Regulation. It stipulates that in the event of a breach of the security measures deployed to protect the personal data of the data subject, an operator collecting and/or processing data that may “result in a risk for the rights and freedoms of individuals” shall issue a breach notification within 72 hours after the breach is first discovered and inform its users “without undue delay” from the moment it discovers that breach.
Right to access
The Right to access is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.
Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to transparency and empowerment of data subjects.
Right to be forgotten
The Right to be forgotten, also known as Data Erasure, entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
The conditions for erasure, as outlined in article 17, include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject’s rights against “the public interest in the availability of the data” when considering such requests.
Data portability
Data portability is the right for a data subject to receive the personal data concerning them, which they have previously provided, in a ‘commonly used and machine-readable format’, and the right to transmit that data to another controller.
Privacy by design
Privacy by design calls for the inclusion of data protection from the onset of the design of systems, rather than as an afterthought: ‘The controller shall implement appropriate technical and organisational measures in an effective way in order to meet the requirements of this Regulation and protect the rights of data subjects’.
Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimisation), as well as to limit access to personal data to those who need it to carry out the processing.
Data protection officer
The Data Protection Officer (DPO) is a representative of the controller, appointed by the company as the first point of contact for data protection-related issues and queries.
Appointing a DPO will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data, or of data relating to criminal convictions and offences.
How does it impact your business?
You are an EU company:
In theory, as an EU company, you most likely already apply some of these rules; however, if you have a website you may want to inquire with the dedicated authorities.
If you use a CMS like WordPress for your website, you will be able to find quite a few plugins that help upgrade your website to be GDPR compliant.
You are a Non-EU company:
If you are a non-EU company collecting and/or processing data belonging to data subjects residing in the EU, you should ensure that you are fully compliant with the GDPR.
In addition, as a non-EU business, you will have to appoint a representative residing in the European Union for GDPR purposes.
The GDPR was approved by the EU Parliament on 14 April 2016 and will enter into force on 25 May 2018.
Here is a quick action list you may want to consider:
- Take legal advice
- Define a list of actions to undertake
- Define a deployment plan
- Activate the changes
- Ensure compliance
Non-compliance will result in a fine of up to 4% of global turnover or €20 million, whichever is higher. We therefore suggest you take the issue very seriously.
If you need a compliant site design visit our page about website development.