The EU GDPR: What to Know About the EU’s General Data Protection Regulation
Posted by: on 13 December 2017 in Compliance
The European General Data Protection Regulation (EU GDPR), the most significant change to data protection in three decades, becomes effective on May 25, 2018. The regulation intends to strengthen individual data and privacy protection for individuals residing within the EU. Additionally, it intends to simplify the regulatory framework for international business by unifying data and privacy regulations. It will replace the Data Protection Directive from 1995.
The Data Protection Directive 95/46/EC of 1995 was the European Union’s answer to the division of privacy regulations across the EU. Its major goals included the harmonisation of data protection laws and the transfer of personal data to “third countries” outside of the Union. Among other measures, it established independent public authorities in each member state in order to supervise the application of this directive and serve as the regulatory body for interactions with businesses and citizens. Overall, the directive stays true to the original recommendation of the Organisation for Economic Co-operation and Development (OECD) and the core concept of privacy as a fundamental human right.
Although the Data Protection Directive was meant to bring together the laws of the different member states, it was still a directive, which left room for interpretation when it was transposed into each national law. This fact, along with today’s rapidly changing data landscape, has made another update to the EU’s regulatory environment necessary. The incoming GDPR is a much larger piece of legislation and, as a regulation rather than a directive, it will become immediately enforceable law in all member states.
Regulation vs. Directive
One key feature of this sweeping change is that the EU GDPR is a regulation replacing a directive. Regulations apply directly in each EU member state, whereas a directive leaves each member state discretion as to how it implements data protection rules. As a result, the regulation not only offers stringent data and privacy protection in itself, but also simplifies the regulatory framework across the EU by unifying data and privacy rules. This will eliminate inconsistencies among local laws and reduce the administrative cost and burden on international businesses that would otherwise deal with multiple data and privacy protection authorities.
The GDPR continues enforcement through the supervisory authorities and the courts, with penal and administrative sanctions in addition to civil remedies. However, the GDPR increases administrative penalties up to a maximum of EUR 20 million or 4 percent of the annual revenue of the organisation, depending on the facts and circumstances of the case, according to the International Association of Privacy Professionals.
Newly Expanded Jurisdiction Includes APAC-based Businesses Operating in the EU
A key feature under the regulation is the newly expanded jurisdiction, which could impact businesses based outside the EU. The new regulation also applies to any business that offers goods or services to individuals in the EU or monitors such individuals’ behaviour (such as operators of commercial websites or mobile apps). This is a broad expansion of the requirements that will affect many more organisations across Asia Pacific.
Consent will continue to be a requirement for processing personal data under the GDPR, but the regulation sets forth stricter conditions for what counts as consent. As EUDataProtectionLaw.com notes, consent is defined as “any freely given specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed.”
New Rights Established
The EU GDPR has also created two new individual privacy rights — the “right of erasure” and the “right of portability.” The right of erasure, an expansion of the “right to be forgotten,” gives individuals the ability to have their personal data erased upon request, notes the Information Commissioner’s Office (ICO). The right of portability gives individuals the ability to access their own data with greater ease, the ICO also notes. Upon request, individuals will be able to transfer their personal data from one provider to another. The transfer of such data should promote ease of access for individuals and competition among providers.
Steps to Take Toward Compliance
The GDPR not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
Many businesses haven’t been subject to EU data and privacy laws before, and many details of scope and implementation still aren’t clear. However, for all businesses operating in Europe, or offering goods or services to, selling to, or monitoring European individuals, here are steps you can take now in anticipation of next year:
- Review the GDPR in-depth with all available guidance
- Understand the broad scope of personal data under the GDPR
- Create, update or review documentation for personal information and security practices
- Create, update or review documentation for policies and procedures for breaches, incident reports and risk assessments according to GDPR
- Create, update or review any required contract and agreement language
- Determine if using a cloud-based HR or payroll provider would serve your organization’s best interest in mitigating risk of noncompliance with GDPR
HR leaders should also note that Chinese citizens living in the EU will be protected by the GDPR, whereas EU citizens who live and work outside the EU’s jurisdiction are not protected by the regulation.
Although many organisations have adopted data and privacy measures consistent with the Data Protection Directive, the GDPR contains new protections and expansive measures — for organisations within the EU and beyond — that will require additional compliance work. Organisations must begin implementing these next steps now to prepare for May 2018.
GDPR represents a significant shift in the way personal data is handled, processed and secured.