The European Union (EU) adopting the GDPR is one of the biggest changes in data privacy regulation of the last 20 years. The regulation has fundamentally changed the way data is handled across sectors ranging from banking to social networking sites. After more than four years of debate and preparation, the GDPR was finally approved by the EU Parliament on 14th April 2016. The regulation came into effect on 25th May 2018, and all organizations operating within Europe have to comply with it.
The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC. It was designed with the following aims:
- Standardize the Data Privacy law across Europe.
- Empower and protect all citizens across Europe.
- Restructure the data privacy approach most organizations follow across the region.
GDPR is restructuring the way many sectors manage data. It also redefines the roles of business leaders, from CIOs to CMOs. A Chief Information Officer (CIO) should ensure that all the regulations are tightly followed and devise a consent management system, while a Chief Marketing Officer (CMO) must put in place a system for effective data management.
The main aim of GDPR is to protect all EU citizens from data breaches and the privacy issues arising in today’s data-driven world. Although the previous principle still holds true, many changes have been introduced in the regulatory policies. Here is how the different regulations will impact organizations, together with the key factors of GDPR:
Clarity on Jurisdiction
The biggest change in the data privacy regulatory landscape comes with the expansion of jurisdiction. The regulation now applies to all companies operating in Europe and dealing with European citizens’ data, regardless of whether the company has a physical location in Europe. Under the previous regulation, the law applied only to establishments situated within the physical borders of Europe. Territorial jurisdiction was heavily debated in recent years; however, the EU has now made its stance on the subject clear. The GDPR provides a uniform, Europe-wide basis for gathering and processing data according to the controller’s instructions as set out in a contract. It is sufficient if either the controller or the processor operates within the physical limits of Europe. The processing of the data should take place within the context of the activities for which it was obtained.
Under the GDPR processor-controller relationship, the processor is only allowed to process data based on the instructions provided by the controller. The processor must comply with all of the instructions and cannot engage a third party to process the data unless the controller allows the processor to engage a third-party processor.
GDPR also sets out the conditions for the contract: among other things, it must define the type of personal data that will be processed and the object and purpose of the processing. With reference to data processing, the processor must maintain a record of its different processing activities, including details such as the name and contact details of each controller it has worked for and the categories of processing carried out for each.
It is also mandatory to maintain a record of any transfer of personal data to a third country. A controller should ensure that the processor has put in place sufficient technical and organizational measures so that data processing meets the controller’s requirements. The data controller is primarily responsible for data processing compliance, but that does not mean the processor is free from liability. If damage results from a breach, both controller and processor will be held responsible for the damage and will each have to prove their good faith. To know more about GDPR jurisdiction, download our whitepaper.
In the case of a breach, an organization can be fined up to 4% of its annual global turnover or 20 million euros, whichever is greater. This is the maximum fine, imposed for the most serious infringements of the regulation. For less severe cases, GDPR sets a penalty of 10 million euros or 2 percent of global turnover, whichever is higher. The case law of the European Court of Justice states that “the concept of undertaking encompasses every entity engaged in economic activity, regardless of the legal status of the entity or the way it’s financed.” An undertaking does not consist only of a single corporate entity, but may also comprise several natural persons or corporate entities. Thus a whole group can be treated as one undertaking, and its total worldwide turnover would be used to calculate the fine for a GDPR violation.
The conditions for consent are strengthened, and organizations are no longer allowed to use long, illegible terms and conditions packed with legal statements. The request for consent must be given in easily accessible and intelligible language, together with the purpose of the data processing. Clear and plain language should be used to explain the consent and the purpose of the data. Withdrawing consent should also be easy.
Data Subject Rights Are:
1. Breach Notification: Under GDPR, breach notification is mandatory in all member states for any data breach that is likely to result in a risk to the rights and freedoms of individuals. Notification must be made within 72 hours of first becoming aware of the breach. Data processors are required to notify their customers, the controllers, without undue delay after becoming aware of a data breach.
2. Right to Access: Data subjects have the right to obtain confirmation from the data controller as to whether personal data concerning them is being processed, where, and for what purpose. The controller also needs to provide the data subject with a copy of the personal data, free of charge, in electronic format.
3. Right to be Forgotten: Data subjects have the right to instruct the data controller to erase their personal data and to halt all third parties from processing that data.
4. Data Portability: Under GDPR, data subjects have the right to receive the personal data concerning them in the format in which it was previously provided and to transmit it to another controller.
5. Privacy by Design: Privacy by design is becoming part of the legal obligations under GDPR, requiring the inclusion of data protection from the onset of system design rather than as an addition. The controller should implement appropriate technical and organizational measures to meet the regulation and protect the data.
For more information on GDPR affecting data and cloud security download our whitepaper.