GDPR Information Sheet
The GDPR and how it affects you
The General Data Protection Regulation (GDPR) is a privacy law due to take effect in the European Union (EU) on May 25, 2018. It contains new rules governing how companies collect, store, and use personal data pertaining to and/or originating from individuals in the European Union and other states within the European Economic Area. This means that it will apply to you if you do any business with individuals located in the European Union or European Economic Area, and you need to be sure your website and other services comply with the GDPR.
A full text of the GDPR can be found at this link: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC
A Guide to the GDPR, including helpful explanations of the provisions of the GDPR, and how to ensure you comply, can also be found at these links:
Some Key Provisions of the GDPR
- The GDPR’s applicability is not restricted to the EU. The GDPR may apply to you even if you are not located in the European Economic Area – the GDPR applies to entities that process or store personal data relating to people living within the EU will need to follow the rules laid down in the GDPR, regardless of whether the entity is located in the EU.
- TheGDPR has more stringent rules regarding consent. When you are obtaining an individual’s consent to process and use their personal information, the language and method you use to obtain consent must be clear, specific, and unambiguous. Additionally, in cases where sensitive personal data is to be collected and processed, explicit consent is required. There are several types of data identified in the GDPR as “special categories” , including among other things, personal data revealing racial or ethnic origin, political opinions, religious beliefs, genetic data, biometric data, and data concerning health or sexual orientation etc…. It is important to be aware that, where personal data are processed for the purposes of direct marketing, the indidvidual must have the right to object to such processing, including profiling to the extent that it is related to such direct marketing, at any time and free of charge. That right should be explicitly brought to the individual's attention and presented clearly and separately from any other information.
- Individuals have much greater rights regarding their personal information under the GDRP. Individuals (or “data subjects”) in the EU have broad rights with respect to the personal data that you may be processing or storing. Some of these include, the right to access, amend/correct, transfer and delete their personal data (they have the “right to be forgotten”). Individuals can also withdraw consent to the processing of personal data at any time.
- Accountability is a major piece of the GDPR. You are responsible for complying with the GDPR and you must be able to demonstrate your compliance. You need to ensure that you adequate documentation showing that you have a lawful basis for processing the data of individuals in the EU. You must maintain appropriate recordkeeping of your data processing activities, and your compliance with the GDPR.
- The GDPR also heightens the importance of data security. You are required to implement appropriate security measures when processing personal. You must notify the individual, as well as authorities, of any data breaches within 72 hours of becoming aware of the breach.
- In some cases you may be required to designate a compliance officer. This will be the case where you are a public authority or body, or if your core activities "consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale".
- The GDPR has an expanded definition of personal data. The GDPR states that: “‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” This casts a much wider net than most similar legislation does in other jurisdictions, so extra care must be taken.
- The GDPR has significant penalties for non-compliance. The GDPR allows for maximum fines up to 4 percent of the annual global turnover of an organization or up to 20 million Euros, whichever is higher. This does not mean that every case of GDPR non-compliance and/or personal data security breaches will result in these huge fines. They are the maximum fines. Actual penalties in these cases will depend on a variety of factors, including the severity of the breach or con-compliance, the manner in which rights have been ignored or compromised, the level of non-compliance (including a consideration of what has been done on the level of staff awareness, risk assessments and steps to be as compliant as possible), and the actual results or impact on the data subject. The point here is that you need to take your responsibilities seriously.
This link is a good resource to better understand the GDPR: https://gdpr-info.eu/
Preparing yourself for GDPR Compliance
The checklists and self-assessment tools provided through the UK Information Commissioner’s Office can be very helpful in understanding and assessing your GDPR compliance: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/. Additionally, the other links provided above offer lots of useful information.
Disclaimer: The information provided here is for general information and discussion purposes only. We are trying to be helpful, but you should not rely upon this information as legal advice. You should obtain your own legal advice from qualified sources (i.e. a lawyer specializing in GDPR Compliance) before relying on this general information.