What is GDPR, and why is everybody talking about it? The General Data Protection Regulation (GDPR) aims to offer EU citizens a uniform and harmonized approach towards privacy in the European Union, and seeks to strengthen people’s rights to data protection as set out in Article 8 of the EU Charter of Fundamental Rights. After almost four years of deliberation and debate, the GDPR was finally approved by the EU Parliament on April 14, 2016.
Although the document became valid 20 days after the approval date, the enforcement date was established as May 25, 2018. It might seem like a lot of time to prepare, but the truth is that there are lots of things to be done, due to some important changes. In this article, you can find GDPR explained.
One of the first, and most fundamental, changes from the former data protection framework (the EU Data Protection Directive, Directive 95/46/EC) is that, after many debates, the EU Parliament decided that the new privacy framework would be established in the form of a regulation rather than a directive.
Why a regulation? The answer is simple: a regulation is a binding legislative act that is directly applicable in all EU member states, eliminating the need for local legislative acts to be drafted. However, even without the need for local legislation, there are likely to be differences in how the EU GDPR is interpreted and enforced in different member states.
Besides the need for a common privacy framework, by enacting the EU GDPR, the EU is sending a strong message regarding its commitment to protecting the personal data of EU data subjects (a data subject is a living individual to whom personal data relates), and not just from companies operating within the EU.
Besides the question of what the GDPR is, one of the most frequently asked questions is: where is the EU GDPR applicable? The extraterritorial reach of the GDPR is one of the new features that contribute significantly to the increased level of protection of personal data. What does extraterritorial mean? Probably one of the most important changes is that the GDPR has an extended scope of applicability, affecting entities not established in the EU. Of course, some conditions must be met for the extraterritoriality to apply. The EU GDPR applies to the processing of personal data of EU data subjects, regardless of whether the processing activities take place in the EU or not. The EU GDPR is also applicable to entities established outside the EU if they offer goods or services to individuals in the Union, or if they monitor the behaviour of individuals in the Union (e.g., profiling activities, tracking individuals’ activities on the internet, etc.).
The key to understanding when EU GDPR is applicable is understanding the meaning of “in the Union.” The EU GDPR will only apply to personal data regarding individuals within the Union, while the nationality or habitual residence of those individuals is irrelevant. For example, a company based in the EU which is processing the data of Japanese individuals located in Japan will still need to comply with the EU GDPR. Consequently, the Japanese individuals will be benefiting from all rights according to the EU GDPR, even if these rights do not exist in their own nation's laws.
When the data of EU citizens is processed outside of the EU by companies which are also outside the EU, this is not considered to be “in the Union.” For example, the EU GDPR will not be applicable to a school based in the United States just because there is a possibility that one or several of its students are EU citizens. In this case, the processing does not take place “in the Union,” nor is the individual “in the Union.”
One of the consequences of the extraterritorial reach is that companies not established in the EU must appoint a representative. That representative must be based in a Member State in which the relevant data subjects are based. Only a limited derogation is permitted where the processing is occasional, does not involve large-scale processing of sensitive personal data, and the purpose and result of the processing is unlikely to be a risk to individuals.
When transferring data, the GDPR imposes strict restrictions on transfers to locations outside of the European Union. This is done in order to ensure the protection of personal data to an adequate level. When may data transfers be carried out to places outside of the EU? As GDPR explains, transfer of data out of the EU may happen if there is:
Data transfers are a complicated area of the GDPR, especially because the issue of consent is being contested by the EU, and consent is widely used to justify cross-border transfer of personal data. As such, organizations that have historically protected themselves via user consent may find themselves having to rework their data transfer framework or face high penalties.
The EU GDPR requires companies to keep personal data secure, just as the current directive does. Although this obligation is expressed in general terms, it does give some indications related to the measures that are meant to protect personal data, such as:
The measures mentioned above are just examples, not mandatory requirements, and should only be applied “where appropriate.” It is therefore the responsibility of the company to prove that its security measures are appropriate.
A good practice in terms of security measures would be the ISO 27001 standard, so companies could use this as a starting point when building their data protection security measures.
The EU GDPR also imposes new sanctions on data processors. This is a big departure from previous data protection laws, where all obligations were centred around the data controller. For a better understanding of what GDPR is, it’s important to know that, among other things, data processors must now keep records of processing activities.
And who is a data processor? As before, a data processor is an entity (such as a legal person, public authority, agency, or any other body) that processes personal data on behalf of a controller.
In a major update, the EU GDPR introduced new rights for data subjects. These are:
The most high-profile of these changes is the widely debated “right to be forgotten” (which is now called “right to erasure”). This right to erasure can be triggered in certain, specific situations, including when the data subject withdraws her consent or if there is no longer any justification for the processing of personal data.
The data controller must respond “without undue delay” when receiving these requests and must notify all entities with whom it has shared this data. It is clear that for all data subject rights, there is a strict requirement for data controllers to inventory and map the personal data held in order to be able to respond to data subject access requests (in all forms) “without undue delay.”
Under the GDPR there is also an obligation for some organizations to appoint a data protection officer, although only in specific instances:
In addition to introducing new rights for data subjects, the EU GDPR also introduces new rules for data breaches. Compared to the previous directive the GDPR imposes obligations on both data controllers and data processors. The GDPR also offers guidance and examples to make it easier for organizations to mitigate risk. Among these are:
Furthermore, organizations now have to meet standards when it comes to breach notifications. Firstly, organizations that have suffered a data breach must now notify the supervisory authority (independent public authority that is established by a member state pursuant to Article 51 of the GDPR) “without undue delay” unless the breach poses no risk to data subjects. If there is a risk to the affected individuals, organizations must also communicate this to the affected data subjects, again “without undue delay.”
In order to have the GDPR explained, it’s extremely important to know that poor handling of data breaches will be punishable by the highest tier of penalties under the GDPR.
Another way for the European Parliament to affirm its commitment to privacy is the new penalties, which are significantly higher than under the previous directive. The penalties can now go as high as 4% of the global turnover of the company found in breach. The logic behind the huge antitrust-like fines is quite simple: higher penalties for non-compliance are seen to produce higher levels of compliance. It will become increasingly difficult for companies to just accept a certain level of risk when dealing with personal data, because the penalties are now through the roof and might bring a company to its knees.
Penalties under the GDPR will fall under two categories in terms of the amount of the fine:
The new sets of penalties are also supplemented by additional powers that are easily accessible to the data protection supervisory authorities, such as issuing warnings of non-compliance, carrying out audits, requiring specific remediation within a specified time frame, ordering erasure of data, and suspending data transfers to a third country.
What about the impact of the GDPR in various jurisdictions? The impact of the GDPR might be slightly different for organizations operating in jurisdictions like Germany, France, or the Netherlands, where data protection legislation is historically strict and, in some cases, even surpasses the existing directive. GDPR compliance will be reached more easily by companies operating in these jurisdictions, as the supervisory authorities in these countries have already worked diligently to protect the rights and freedoms of the individual.
However, for other jurisdictions where data protection authorities “laid dormant” due to the lack of administrative powers and almost insignificant fines, organizations have ignored risks to the rights and freedoms of individuals, knowing that the supervisory authorities did not have the resources or the strength to impose penalties on violators. Processors, in particular, will be impacted in these jurisdictions because, until now, they were never the target of data protection authorities’ investigations.
Overall, what is the significance of the GDPR? It is unarguably a necessary step forward in bringing the data protection legal framework into the 21st century, and combined with the enactment of the ePrivacy directive, there has never been a more radical shift in data protection law, perhaps since Louis Brandeis argued that privacy was a right, and not a privilege.
In other words, if your organization has not already started overhauling its data protection framework, now would be a good time to start.
To learn more about EU GDPR implementation, please visit our EU GDPR Free download page. You’ll find a host of helpful resources.