GDPR Data Protection

The General Data Protection Regulation (GDPR) was adopted by the EU in April 2016 and replaced the EU Data Protection Directive 95/46/EC.  The GDPR introduces new obligations for data controllers and data processors, including those based outside the EU.  Given that infringement can lead to fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher, it is important for companies to assess how the GDPR affects them and to be compliant from 25 May 2018, the date on which the Regulation became applicable.

The GDPR brings harmonisation across the EU regarding data privacy.  The extraterritorial effect of the GDPR means its scope extends to non-EU data controllers and processors that monitor the behaviour of, or offer goods or services to, individuals located in the EU, whatever their citizenship.  The Regulation affects many industries, particularly financial services, where firms tend to hold large volumes of personal data.

There are many aspects to be considered to ensure full compliance.  For example, where consent is relied on as the basis for processing, it must be freely given by individuals for specific purposes; individuals also have the right to request details of the information held on them and to have data deleted.  Some organisations need to carry out data protection impact assessments, ensure effective procedures are in place and designate a Data Protection Officer to meet the new accountability requirements.  These, and other aspects, are reviewed in further detail throughout the site.

Further information on GDPR

The General Data Protection Regulation (GDPR) replaced the EU Data Protection Directive 95/46/EC following agreement of the new framework by the European Commission, the Parliament and the Council.  The Regulation applies directly in all EU Member States; it entered into force in May 2016 and became applicable on 25 May 2018.  The GDPR brings harmonisation by applying the same set of data protection rules across the EU.

The GDPR applies to data controllers (who determine the purposes and means of processing, and typically own the customer relationship) and data processors (who process data on the controller’s behalf) across all industries.  It protects individuals located in the EU regardless of their citizenship.  The Regulation affects organisations established within the EU, as well as those located elsewhere that offer goods or services to, or monitor the behaviour of, individuals in the EU.

As the GDPR introduced a number of obligations, it is important for firms to be aware of the new requirements in order to be compliant.  The potential fines for infringement are substantial: up to 4% of annual global turnover or €20 million, whichever is higher.

The following summarises some of the GDPR requirements:

Where firms rely on consent as the lawful basis for processing, that consent must be freely given, specific, informed and unambiguous, and obtained for stated purposes; explicit consent is required for special categories of data such as health or biometric data.  Personal data must not be kept longer than necessary for those purposes.  Individuals have the right to request a copy of the data held on them, together with an explanation of how it is used and whether third parties have access to it.  Individuals may request that data they have provided be transmitted to another controller in a machine-readable format (data portability).  Individuals also have the right to withdraw consent at any time and to request the erasure of data that is no longer needed for its original purpose.  Compensation can be claimed for material or non-material damage suffered by individuals as a result of an infringement of the GDPR.

Controllers and processors must implement appropriate technical and organisational security measures, such as encryption, ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems, and regularly testing and evaluating the effectiveness of the measures in place.  The Regulation introduces the concept of ‘pseudonymisation’ as one such measure.  This refers to processing personal data in such a way that it can no longer be attributed to a specific individual without the use of additional information (for example a key or a lookup table), where that additional information is kept separately and protected by its own technical and organisational controls.  Pseudonymised data is still personal data and remains within the scope of the GDPR.
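As an added example (not part of the original page), the following Python illustrates pseudonymisation as described above: direct identifiers are replaced with keyed HMAC tokens, while the key and the re-identification table form the ‘additional information’ that must be held separately from the dataset.  The record layout, the field names and the sample records are constructed for illustration and are not taken from any real system.

```python
import hmac
import hashlib
import secrets

# Constructed sample records for illustration; these are not real people.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "email": "alice@example.com", "balance": 1250.00},
    {"customer_id": "C-1002", "email": "bob@example.com", "balance": -40.50},
    {"customer_id": "C-1001", "email": "alice@example.com", "balance": 1310.00},
]

# Fields that directly identify a person (assumed names); other fields are kept as-is.
IDENTIFIER_FIELDS = ("customer_id", "email")


def make_key() -> bytes:
    """Generate a 256-bit pseudonymisation key.

    The key is part of the 'additional information': it is stored separately
    from the pseudonymised dataset (e.g. in a KMS or HSM with its own access
    controls) and never alongside the data it protects.
    """
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed token for one identifier value.

    HMAC-SHA256 is used instead of a plain hash: customer numbers and e-mail
    addresses have little entropy, so an unkeyed hash can be reversed by
    enumerating candidates. Without the key the token can be neither inverted
    nor recomputed. Determinism keeps rows belonging to the same person
    linkable (needed for analytics), which is why this is pseudonymisation
    rather than anonymisation.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Return (pseudonymised records, re-identification table).

    The table maps tokens back to the original identifiers and must be kept
    apart from the output records, under the same controls as the key.
    """
    output = []
    lookup = {}
    for rec in records:
        new = dict(rec)  # copy so the source records are not modified
        for field in IDENTIFIER_FIELDS:
            if field in new:
                token = pseudonym(str(new[field]), key)
                lookup[token] = new[field]
                new[field] = token
        output.append(new)
    return output, lookup


def reidentify(record, lookup):
    """Restore the original identifiers using the separately held table."""
    restored = dict(record)
    for field in IDENTIFIER_FIELDS:
        if field in restored and restored[field] in lookup:
            restored[field] = lookup[restored[field]]
    return restored


def contains_value(records, value: str) -> bool:
    """Check whether a raw identifier still appears anywhere in the records.

    Useful as a release gate before a pseudonymised extract leaves the
    controlled environment.
    """
    return any(str(v) == value for rec in records for v in rec.values())


if __name__ == "__main__":
    key = make_key()
    pseudo, table = pseudonymise(SAMPLE_RECORDS, key)
    for row in pseudo:
        print(row)
    print("raw e-mail present:", contains_value(pseudo, "alice@example.com"))
    print("re-identified first row:", reidentify(pseudo[0], table))
```

The important operational point is the separation: whoever holds the pseudonymised extract alone cannot attribute a row to a person, but the controller, holding the key and the table under separate access controls, still can.  Rotating the key produces an unlinkable set of tokens, which is useful when an extract is retired or a recipient no longer needs linkability.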

A personal data breach must be notified to the supervisory authority (DPA) without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.  Where the breach is likely to result in a high risk to individuals, the individuals concerned must also be informed without undue delay.  Processors must notify their controllers without undue delay after becoming aware of a breach.

The international data transfer rules of the Data Protection Directive are maintained and extended in the GDPR.  Personal data may be freely transferred outside the EU only to countries for which the Commission has issued an adequacy decision, confirming that they provide an essentially equivalent level of protection.  Transfers to other third countries require appropriate safeguards, such as standard contractual clauses approved by the Commission or binding corporate rules, or must fall within one of the limited derogations.

Data controllers have accountability obligations, such as maintaining records of processing activities, carrying out a data protection impact assessment for high-risk processing, and ensuring effective procedures are in place to handle the relevant risks under a risk-based approach.  Controllers must be able to demonstrate their compliance with the GDPR.

Organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data, as well as all public authorities, must designate a Data Protection Officer (DPO).  A group of undertakings may appoint a single DPO, provided the DPO is easily accessible from each establishment.

A ‘one-stop shop’ mechanism applies to companies established in multiple EU Member States: the Data Protection Authority (DPA) of the main establishment acts as lead supervisory authority and cooperates with the other DPAs concerned.  The independent European Data Protection Board (EDPB), which replaced the Article 29 Working Party, issues guidelines and opinions to ensure the GDPR is applied consistently across the EU.

Many firms already have data protection policies and procedures in place.  Firms should review them to ensure that systems and processes meet the GDPR requirements and can handle data subject requests, such as access, portability and erasure, within the statutory one-month deadline.