By Charlie Cummins – bbmm.ie

In October 2015, the European Union and United States Safe Harbour provisions that many companies relied upon for the transfer of digital information between the United States and the European Union were ruled to be invalid by the European Court of Justice. The European Union General Data Protection Regulation (GDPR) was summarily put in place. The European Union will begin enforcing these regulations as of 25 May 2018.

Article Contents

1. European Union General Data Protection Regulation Compliance
2. Penalties for Violating the GDPR
3. Rights and Protections Overview
4. Data Protection Officers Overview

1. European Union General Data Protection Regulation Compliance

Previously, the Data Protection Directive (officially Directive 95/46/EC) was what most organisations followed. The Data Protection Directive dealt with the protection of individuals with regard to the processing and free movement of personal data. This was a European Union directive that was adopted in 1995, and it regulated the processing of personal data within the European Union. Under this directive, personal data was only able to be transferred to countries outside the European Union if that organisation provided an adequate level of protection.

This directive has been repealed and replaced with the European Union General Data Protection Regulation (GDPR). The GDPR is a law which expands on original European Union data laws. The law was enacted 27 April 2016, and will be implemented 25 May 2018.

As the Data Protection Directive was a directive and not a regulation, it did not have full legislative backing. The GDPR is a regulation, and it has the full legislative and legal backing provided by the European Union.

2. Penalties for Violating the GDPR

Failure to comply with the GDPR will result in monetary penalties. There are two levels of fines related to noncompliance. These fines relate to the severity of the violation:

For lesser violations, such as not reporting a data breach in the time specified by the GDPR, the fine will total the greater amount of €10,000,000 or 2% of total global annual turnover.

For more egregious violations, such as disregarding the GDPR’s data processing rules, the fine will total the greater amount of €20,000,000 or 4% of total global annual turnover.

In addition, if an organisation violates multiple rules in the GDPR, the organisation will be fined for only the most egregious violation, and not for each separate violation.

3. Rights and Protections Overview

The GDPR was crafted with data and privacy rights in mind. The regulation’s core tenets reflect this. These protected rights include, but are not limited to:

• Consent

• Access

• Data erasure

• Breach notification

• Data portability

• Privacy by design

• Data protection

These rights and protections are expanded upon below.

Individual Consent: With the GDPR, protections for consent were considered paramount. As a result, conditions and qualifications for consent were vastly improved and otherwise strengthened. With the GDPR, consent is impacted as follows:

• Organisations must speak and write plainly and are disallowed from using unclear, legally worded, or otherwise illegible terms and conditions.

• Requested consent must be provided clearly and must be wholly accessible.

• All requests for consent must clearly state the purpose as to the reason for requesting consent.

• Consent must be able to be withdrawn as easily as it was given.

• Consent is no longer considered as forever and must be reapproved over time.

• In emails, unsubscription links must be readily apparent and visible.

The Right to Access: The GDPR provides rights and securities for individuals in regards to access. Specifically, the GDPR does the following:

• The GDPR provides individuals with the right to know whether or not data controllers are processing their personal information, as well as the processing location and purpose.

• The GDPR requires data controllers to provide a free electronic copy of the individual’s personal data.

The Right to Be Forgotten: Data erasure, known also as the right to be forgotten, entitles individuals to the following rights:

• Individuals can request that data controllers permanently erase their personal data.

• Individuals can force the stoppage of further dissemination of their personal data.

• Individuals can force third parties to halt processing of their personal data.

Data erasure is conditional, however. Conditions include the data no longer being relevant to the original purposes for processing, or individuals withdrawing consent.

Data Breach Notification: Under the GDPR, notifications on data breaches are mandatory and must be done within 72 hours of an organization first having become aware of the breach. In addition, data processors will also be required to notify affected individuals without delay after first becoming aware of a data breach.

Data Portability: Data portability is the right for an individual to receive their personal data and all associated data in which they are affiliated. This data must be provided in a common and easily readable electronic format. With data portability, individuals have the right to transmit that data as needed.

Privacy by Design: Privacy by design requires data protection as a core feature when designing systems, as opposed to being a later addition. Additionally, controllers can retain and process only the essential data needed for a system or service to function. Privacy by design also installs limits as to who has access to personal data.

4. Data Protection Officers Overview

Data protection officers (DPOs), also known as data privacy officers, are security officials. DPOs are a key requirement for GDPR compliance. While not necessary for all organisations, with the GDPR, these roles are mandatory for any organisation that processes or stores large amounts of personal data. This personal data can deal with an organisation’s employees, an organisation’s customers or providers, or any other individuals covered by the GDPR at large.

Officer and Organization Interaction: DPOs primarily audit organizations to ensure compliance, and should be treated as any other auditor. As such, per the GDPR, DPOs require operational independence. This means that organizations may interact with their DPOs in very specific manners. The GDPR requires the following for DPOs:

• DPOs should not receive instruction from or otherwise be pressured in any fashion by an organization.

• DPOs must have an unhindered, immediate, and total authority to investigate organization activities, including those activities at higher levels of organizational management.

• Within an organization, DPOs must not be subject to direct supervisory oversight and must report to the most senior levels of management.

• DPOs must manage their own operational budgets.

• Organizations must provide operational support to the DPO, including any necessary staff, resources, or facilities.

• DPOs should be appointed for a term of two-to-five years (and not set to a short-term contract), with a maximum reappointment term of ten years.

• DPOs may only be dismissed from an organization with the explicit approval of the European Data Protection Supervisor (EDPS), which is itself an entity independent from the organization.

Officer Duties: The primary duties of the DPO are to ensure that an organization is in compliance with and acting in full faith towards the GDPR. The individual aspects of these duties include the following:

• DPOs must be the point-of-contact for data subjects and be available to inform them on how an organization is utilizing and protecting their personal data, as well as how data subjects can request data erasure.

• DPOs must remain in contact with and work alongside EDPS.

• DPOs must constantly audit an organization and present to the EDPS information on organizational operations that present specific risks or otherwise are most likely to violate GDPR rules.

• DPOs must alert an organization to violations of GDPR rules.

• DPOs must hold an organization accountable when the organization is in violation of GDPR rules.

• DPOs must educate and train an organization and its employees on remaining compliant with the GDPR.

Source: Nik Schultz – SharpSpring

Disclaimer: This document is not legal advice. It is only meant to provide general information on selected aspects of the GDPR. While this document addresses some legal aspects of the GDPR, it is not intended to provide legal advice. It is recommended that you consult your solicitor on how best to comply with the GDPR.