The General Data Protection Regulation (GDPR) is the new EU regulation for the protection of personal data. It strengthens and unifies data protection for individuals in the European Union. From 25 May 2018 the regulation applies to organisations established in the EU, and also to organisations established outside the EU that process the personal data of individuals located in the EU, whenever they offer goods or services to those individuals or monitor their behaviour (for example through profiling). Nationality is irrelevant: what matters is that the data subjects are in the EU.
The GDPR is an evolution of the existing EU data protection law (the 1995 Data Protection Directive) rather than a clean break. It addresses many shortcomings of that law: it requires that the relevant processing activities and IT procedures be documented, prescribes risk assessments for high-risk processing, and requires that the supervisory authority, and in some cases the data subjects, be notified in case of a personal data breach.
It is particularly important to understand that the GDPR concerns personal data, which it defines as any information relating to an identified or identifiable natural person. This is close to, but broader than, what is called Personally Identifiable Information (PII) in the United States. It covers names, postal addresses, phone numbers and account numbers, and the GDPR explicitly adds online identifiers such as e-mail addresses, IP addresses and cookie identifiers.
Most of what the GDPR requires is common sense. It mandates data protection by design and by default, a principle very close to the Privacy by Design concept originally formulated by the Ontario Information and Privacy Commissioner: from the design stage of a system, minimize the collection of personal data, delete data that are no longer needed, restrict access to the data that remain, and keep them secure throughout their useful life.
What are the new obligations?
Privacy by Design
The concept of Privacy by Design (PbD) has long been a source of inspiration for EU lawmakers. With the GDPR its principles are formalized explicitly: data minimization (collect and retain only what is needed for a stated purpose), protective default settings, and the requirement of a lawful basis, such as the data subject's consent, for every processing operation.
Data breach notification
This obligation did not exist under the previous Directive. When a controller becomes aware of a personal data breach, it must notify the supervisory authority without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. The data subjects themselves must also be informed, but only when the breach is likely to result in “a high risk to their rights and freedoms.” Note that the 72-hour clock starts when the organisation becomes aware of the breach, not when the breach occurred, so detection capability directly determines how much time is available to investigate before notifying.
Data Protection Impact Assessments (DPIAs)
Before starting a processing operation that is likely to result in a high risk to individuals (for example large-scale processing of sensitive data, systematic monitoring, or profiling with legal effects), a company must first assess the risks that the processing poses to the privacy of the people concerned and document how those risks are mitigated. This is an explicit obligation of the new regulation, and the supervisory authority must be consulted if the residual risk remains high.
Right to erasure
The right to have one's personal data deleted already existed in a limited form under the previous Directive. The GDPR strengthens it: any data subject can request the deletion of personal data concerning him or her, for instance when the data are no longer needed for the purpose they were collected for or when consent is withdrawn. Where the controller has made the data public, it must also take reasonable steps to inform other controllers that are processing the data that erasure has been requested. This is the “right to be forgotten,” which remains controversial.
The GDPR provides graduated administrative fines that can be very substantial. The most serious infringements, including breaches of the fundamental principles of the text such as lawfulness, data minimization and the rights of data subjects, can incur a fine of up to 20 million euros or 4% of the company's total worldwide annual turnover, whichever is higher. A fine of up to 10 million euros or 2% of worldwide annual turnover applies to infringements of the organisational obligations, for example failing to keep the required records of processing activities, failing to implement data protection by design, or failing to notify the supervisory authority and the data subjects of a personal data breach.
The new extraterritoriality principle of the GDPR means that even when a company has no establishment in the EU, if it collects personal data of individuals who are in the EU, for example through a website that offers goods or services to them or tracks their behaviour, then all the obligations defined by the GDPR apply to it. In other words, this legislation has a scope beyond the borders of the EU. The most affected non-European companies will be those whose activities include e-commerce and cloud services.
In general, the message sent to the companies concerned by the GDPR is that it is now even more crucial than before to treat personal data with rigorous care: at any moment the organisation must know where personal data are stored, which systems and people process them, and who can access them. Without that inventory it is impossible to honour erasure requests, to carry out a meaningful impact assessment, or to establish within 72 hours what a breach actually exposed.