“Processing” covers collecting, using, disclosing and retaining personal data. “Personal data” is a broad term: any information relating to an identified or identifiable natural person, who is referred to as the “data subject”. Obvious examples are a person’s name, date of birth and (email) address, but note that a combination of data items which together lead to the identification of a person also qualifies as personal data. The party that decides which personal data are processed, and for which purposes, is the “controller”. The party that processes personal data on behalf of the controller is the “processor”.
Chances are that this regulation sounds familiar to you, but why does it seem to be such an important topic at the moment, and why may this European regulation be relevant for your organization?
The GDPR will be applicable as from May 25, 2018, and will, from that date, replace the Data Protection Directive 95/46/EC (“Directive”). Where the Directive sets out a goal that all EU countries must achieve, the GDPR is a binding legislative act and must be applied in all EU Member States. The GDPR thus aims to harmonize data privacy laws across Europe, and to protect and empower EU citizens’ right to data privacy.
The GDPR is directly applicable to businesses established within the EU that process personal data. However, even if your company has no establishment within the EU, the GDPR may still be relevant for your company due to its broad territorial scope. Any organization that actively offers goods or services to individuals in the EU, as well as any organization that monitors the behavior of individuals in the EU, falls within the territorial scope of the GDPR. For example: if your headquarters are based outside the EU, but you have a website which actively targets EU customers to buy your products or services, the GDPR will apply to the processing of these customers’ personal data.
Why is the GDPR a boardroom topic?
The most obvious answer is found in the severe sanctions for non-compliance: fines of up to EUR 20 million or 4% of the company’s total annual worldwide turnover, whichever is higher.
Another reason is the rapidly approaching implementation date. Whilst the GDPR is built on the existing EU framework for privacy regulation, actually implementing the GDPR is nevertheless proving to be rather challenging.
What are the obligations?
The GDPR has introduced new as well as further reaching rights and obligations, including:
- The obligation to maintain an internal record of processing activities: the GDPR expressly introduces a legal accountability obligation, which requires controllers to implement appropriate technical and organizational measures to ensure, and be able to demonstrate, compliance with the GDPR. Part of fulfilling this obligation is maintaining an internal record of all the processing activities of an organization, which must include specific details on each processing activity. This should (amongst other information) include the categories of personal data, data subjects and recipients, the purposes of the processing, and the retention periods.
- Transparency: Whilst the principle of transparency also exists under the Directive, the list of topics on which data subjects must be informed has certainly been expanded under the GDPR. Amongst other topics, it includes the contact details of the controller, the purpose of, and legal basis for, the processing, whether a transfer of data to a third country will take place and what the safeguards for such transfers are, what the data subjects’ rights are and the retention periods.
- Data subject rights: Whilst many of the data subject rights already exist under the Directive, such as the right to information and the right of access, under the GDPR, they have received a new dimension which implies additional obligations for data controllers. For instance, the right to erasure, also known as the right to be forgotten, now has force of law under the GDPR. New under the GDPR is the right to data portability, which aims to facilitate the transfer of personal data from one controller to another.
- Consent: As is the case under the Directive, the GDPR too considers the consent of a data subject as one of the legal grounds for the processing of personal data, provided consent has been freely given, is specific, informed, and unambiguous. The GDPR however sets additional specific requirements for consent to be a valid legal ground for processing. For instance, where implicit consent (a pre-ticked box, for example) was widely relied on under the Directive, the GDPR rules it out: consent must be given by a statement or a clear affirmative action, so silence, pre-ticked boxes or inactivity do not count. For certain processing, such as the processing of special categories of personal data, the GDPR goes further and requires explicit consent. Note also that the controller must be able to demonstrate that consent was given, and that the data subject may withdraw consent at any time.
- Data breach notification obligation: The GDPR introduces an obligation to report a personal data breach to the data protection authority, and in some cases also to the individuals whose personal data are affected. The authority must be notified without undue delay and, where feasible, no later than 72 hours after the controller became aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. The affected individuals must be informed without undue delay where the breach is likely to result in a high risk to their rights and freedoms. A processor that becomes aware of a breach must notify the controller without undue delay.
About the Authors:
Kim Lucassen is an attorney at law and Partner at Loyens & Loeff, specializing in pharmaceutical law, privacy law, regulated markets and (international) contracts.
Stuart Davies is a UK qualified lawyer and heads Al Tamimi’s Technology, Media & Telecommunications team out of Dubai.