EU GDPR: What is it and how does it work?

Introduction to the EU General Data Protection Regulation (GDPR)

The General Data Protection Regulation aims to offer EU citizens a uniform and harmonised approach towards privacy in the European Union, and seeks to strengthen people’s rights to data protection as set out in Article 8 of the EU Charter of Fundamental Rights. After almost four years of deliberation and debate, the GDPR was finally approved by the EU Parliament on April 14, 2016.

Although the document became valid 20 days after the approval date, the enforcement date was established as May 25, 2018. It might seem like a lot of time to prepare, but the truth is that there are lots of things to be done, due to some important changes.

Regulation vs. directive

One of the first changes, and a fundamental change, from the former data protection framework (EU Data Protection Directive – Directive 95/46/EU) is that, after many debates, the EU Parliament decided that the new privacy framework would be established in the form of a regulation rather than a directive.

Why a regulation? The answer is simple – a regulation is a binding legislative act that is directly applicable to all EU member states, eliminating the need for local legislative acts to be drafted. However, despite the need for local legislation, there are likely to be differences in how the EU GDPR is interpreted and enforced in different member states.

Besides the need for a common privacy framework, by enacting the EU GDPR, the EU is sending a strong message regarding its commitment to protecting the personal data of EU data subjects (a data subject is a living individual to whom personal data relates), and not just from companies operating within the EU.

The extra reach of GDPR

The extraterritorial reach of the GDPR is one of the new features that contribute significantly to the increased level of protection of personal data. What does extraterritorial mean? Probably one of the most important changes, the GDPR will enjoy extended applicability affecting entities not established in the EU. Of course, some conditions must be met for the extraterritoriality to be applicable.

The EU GDPR will apply to the processing of personal data of EU data subjects, regardless of whether the processing activities take place in the EU or not. The EU GDPR is also applicable to entities established outside the EU if they offer goods or services to individuals in the Union, or if they monitor the behavior of individuals in the Union (i.e., profiling activities, tracking individuals’ activities on the internet, etc.).

The key to understanding when EU GDPR is applicable is understanding the meaning of “in the Union.” The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. For example, a company based in the EU which is processing the data of Japanese individuals located in Japan will still need to comply with the EU GDPR. Consequently, the Japanese individuals will be benefiting from all rights according to the EU GDPR, even if these rights do not exist in their own nation’s laws.

When the data of EU citizens is processed outside of the EU by companies which are also outside the EU, then this is not considered to be “in the Union”. For example, the EU GDPR will not be applicable for a school which is based in the United States just because there is a possibility that one or several of its students would be EU citizens. In this case the processing does not take place “in the Union,” nor is the individual “in the Union”.

One of the consequences of the extraterritorial reach is that companies not established in the EU must appoint a representative if they process personal data in the Union. That representative must be based in a Member State in which the relevant data subjects are based. Only a limited derogation is permitted where the processing is occasional, does not involve large-scale processing of sensitive personal data, and the purpose and result of the processing is unlikely to be a risk to individuals.

Transfer of personal data across borders

When transferring data, the GDPR imposes strict restrictions on transfers to locations outside of the European Union. This is done in order to ensure the protection of personal data to an adequate level. Data transfers to outside of the EU may be carried out if there is:

• an adequacy decision made by the EU (the EU has determined that a certain country has data protection laws equivalent to those of the EU)
• appropriate safeguards exist (for instance, contracts including the EU model clauses for the transfer of personal data)
• specific derogations (for instance, clear informed consent by the data subject)

Data transfers are a complicated area of the GDPR, especially because the issue of consent is being contested by the EU, and consent is widely used to justify cross-border transfer of personal data. As such, organizations that have historically protected themselves via user consent may find themselves having to rework their data transfer framework or face high penalties.

Keeping personal data secure

The EU GDPR requires companies to keep personal data secure, just as the current directive does. Although this obligation is expressed in general terms, it does give some indications related to the measures that are meant to protect personal data, such as:

• encryption and pseudonymization
• ensuring and maintaining confidentiality, integrity, availability, and resilience of its IT systems
• capability to restore availability and access to personal data in a timely manner
• regularly assisting and testing the effectiveness of security measures deployed to protect the data

The measures mentioned above are just examples – not mandatory – and should only be applied “where appropriate.” So, it is the responsibility of the company to prove that security measures are appropriate.

A good practice in terms of security measures would be the ISO 27001 standard, so companies could use this as a starting point when building their data protection security measures.

Controllers vs. processors

The EU GDPR also imposes new sanctions on data processors. This is a big departure from previous data protection laws, where all obligations were centered around the data controller. Among other things, data processors must now keep records of processing activities. As before, a data processor is an entity (such as a legal person, public authority, agency, or any other body) that processes personal data on behalf of a controller.

New rights for data subjects

In a major update, the EU GDPR introduced new rights for data subjects. These are:

• rights to access, rectification, and portability
• right to object
• rights to erasure and restriction of processing

The most high-profile of these changes is the widely debated “right to be forgotten” (which is now called “right to erasure”). This right to erasure can be triggered in certain, specific situations, including when the data subject withdraws her consent or if there is no longer any justification for the processing of personal data. The data controller must respond “without undue delay” when receiving these requests and must notify all entities with whom it has shared this data. It is clear that for all data subject rights, there is a strict requirement for data controllers to inventory and map the personal data held in order to be able to respond to data subject access requests (in all forms) “without undue delay.”

To have or not to have a DPO

Under the GDPR there is also an obligation for some organizations to appoint a data protection officer, although only in specific instances:

• where the data controller or processor is a public authority
• where the core activities of the data controller or processor is “regular and systematic monitoring of data subjects on a large scale”
• where the data controller or processor carries out large-scale processing of special categories of personal data (such as ethnicity, racial origin, political opinions, religious beliefs, etc.)

Data breaches & security

In addition to introducing new rights for data subjects, the EU GDPR also introduces new rules for data breaches. Compared to the previous directive, the GDPR imposes obligations on both data controllers and data processors. The GDPR also offers guidance and examples to make it easier for organizations to mitigate risk. Among these are:

• pseudonomization of personal data (meaning processing personal data in a way that can no longer be attributed to a specific data subject without the use of additional information)
• the ability to restore the availability of (and access to) personal data in a timely manner following physical or technical incidents
• the ability to ensure confidentiality, integrity and resilience, of processing systems
• adding process to ensure regular testing and evaluation of technical and organizational measures for ensuring the security of processed personal data

Furthermore, organizations now have to meet standards when it comes to breach notifications. Firstly, organizations that have suffered a data breach must now notify the supervisory authority (independent public authority that is established by a member state pursuant to Article 51 of the GDPR) “without undue delay” unless the breach poses no risk to data subjects. If there is a risk to the affected individuals, organizations must also communicate this to the affected data subjects, again “without undue delay.”

Fines and more

Poor handling of data breaches will be punishable by the highest tier of penalties under the GDPR.

Another way for the European Parliament to affirm its commitment to privacy is the new penalties, which are significantly higher than under the previous directive. The penalties can now go as high as 4% of the global turnover of the company found in breach. The logic behind the huge antitrust-like fines is quite simple: higher penalties for non-compliance are seen to produce higher levels of compliance. It will become increasingly difficult for companies to just accept a certain level of risk when dealing with personal data, because the penalties are now through the roof and might bring a company to its knees.

Penalties under the GDPR will fall under two categories in terms of the amount of the fine:

1. Up to 2% of annual worldwide turnover or €10m, whichever is higher, for infringement in cases where there is a:
• failure to report a data breach
• failure to comply with privacy by design principles as set up in Article 25 of the GDPR
• failure to appoint a representative (where the entity is based outside of the EU)
• failure to obtain consent when processing the data of children
• failure to put in place adequate data protection clauses in contracts with processors
• failure to appoint a data protection officer
• failure to maintain written records
2. Up to 4% of the annual worldwide turnover or €20m, whichever is higher, for more serious offenses such as:
• failure to comply with the principles of lawful data processing as set up in the GDPR
• failure to meet the provisions related to personal data transfers outside the EU
• failure to comply with data subject rights

The new sets of penalties are also supplemented by additional powers that are easily accessible to the data protection supervisory authorities, such as issuing warnings of non-compliance, carrying out audits, requiring specific remediation within a specified time frame, ordering erasure of data, and suspending data transfers to a third country.

The impact of the GDPR might be slightly different for organizations operating in jurisdictions like Germany, France, or the Netherlands where data protection legislation is historically strict, and in some cases, even surpassing the exiting directive. GDPR compliance will be reached more easily by companies operating in these domains, as the supervisory authorities in these countries have already worked diligently to protect the rights and freedoms of the individual.

However, for other jurisdictions where data protection authorities “laid dormant” due to the lack of administrative powers and almost insignificant fines, organizations have ignored risks to the rights and freedoms of individuals, knowing that the supervisory authorities did not have the resources or the strength to impose penalties on violators. Processors, in particular, will be impacted in these jurisdictions because, until now, they were never the target of data protection authorities’ investigations.

A step forward . . . ?

Overall, the GDPR is unarguably a necessary step forward in terms of bringing the data protection legal framework into the 21st century, and combined with the enactment of the ePrivacy directive, there has never been a more radical shift in data protection law, perhaps since Louis Brandeis argued that privacy was right, and not a privilege.

In other words, if your organization did not start overhauling its data protection framework already, now would be a good time to start.

Click here to download a free EU GDPR implementation diagram to learn where these three principles fit into the whole project.