Organisations need to become compliant with the General Data Protection Regulation (GDPR) by 25 May 2018. Here are 7 top-level changes that will directly affect how you handle data:
- Even if your business is not in the EU, you will still have to comply with the Regulation if you handle personal data of EU residents.
- The definition of personal data is now broader, encompassing factors such as an individual’s mental, economic, cultural and social identity.
- You must obtain clear and affirmative consent to the processing of personal data, and consent will be necessary to process children’s data.
- A data protection officer (DPO) will be mandatory for certain companies.
- You must perform a data protection impact assessment before undertaking higher-risk data processing activities.
- You will have 72 hours to report a data breach.
- Data subjects have the ‘right to be forgotten’.
Must-have GDPR implementation guidance
New to the market, EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide details exactly what you need to do to comply with the GDPR. It covers:
- the GDPR in terms you can understand;
- how to set out the obligations of data controllers and processors;
- what to do with international data transfers;
- understanding data subjects’ rights and consent;
- and much more.
Open your eyes to what’s coming
Help your organisation comply with the GDPR using the EU General Data Protection Regulation (GDPR) Documentation Toolkit.
It contains all the critical documents your organisation will need, including project documents covering data protection policy, DPO requirements, privacy impact assessments, incident response and breach reporting.
“I found the templates and guidance documents very useful. Really opened my eyes to what’s coming. Thank you.”
Tracie Robinson
Hi Melanie
I have recently passed the Practitioners course with IT Governance, which was equally comprehensive and informative. I have since been in many meetings and have quoted the importance of processing “EU residents’” data. I have, however, been alerted by a UK barrister that the law at no point mentions “resident” or “citizen” throughout the 99 Articles, only “data subjects” within the Union. This being the case, everybody of any nationality should have their personal data protected if they are on EU soil, and therefore it is an even bigger issue for organisations.
Yes, this is indeed true, and you can find this fact supported by the recitals. Whilst the recitals have no independent legal value, they do often provide further detail and context. In this case, look at recital (14): “The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data”.
This means that if there is a breach of data from an EU-based controller or processor and it includes personal data of non-EU citizens, they may indeed be able to exercise their rights with the relevant supervisory authority.
Now, this is a good reason for an organisation to identify and understand the risks associated with processing personal data. In this case, that means mapping out what personal information is collected, where it is stored, etc. A good Data Protection Impact Assessment (DPIA) should help identify such issues and the associated risk mitigation.
ITG has a toolkit which includes a DPIA template which will help organisations identify such risks.
How do you deal with the fact that the UK has not consulted on its implementation of the GDPR yet and the fact there are 50 Articles where Member States can have limited flexibility to implement its provisions?
You are right that there is limited flexibility for Member States to make changes, but this only applies to a few Articles (e.g. Article 8 allows Member States to lower the age of consent to 13 years from the default 16 years; and Article 9 allows Member States to introduce further conditions with regard to special category data, but this only applies to the processing of genetic, biometric and data concerning health).
A key premise of the regulation is its consistent application across the Union. This is dealt with in part by Article 63 which sets out the Consistency mechanism. In addition, the introduction of the European Data Protection Board (Article 70) has amongst its tasks to monitor and ensure the correct application of the Regulation. Whilst this should mean changes are minimal, it is clear that organisations should review the guidance and codes of practice which are likely to emerge from supervisory bodies over time.
Indeed Andy, you are right – with respect to nationality:
1. EU law applies to the processing of personal data regardless of whether the individuals affected are EU citizens or not
With respect to geography and the relationship to the controller:
2. It is irrelevant if the individual affected is physically present in the EU or not. The trigger for application of the law attaches to the status of the controller and its actions and not to the individuals affected.
The GDPR makes no distinction between nationality or residency status of individuals, and whilst there may be no mention of ‘resident’ or ‘citizen’ in the Articles, the 173 Recitals will be extremely important in interpretation, especially by the CJEU, and provide the meat on the bones of the Articles – recitals 23 & 24 and Article 2 refer to data subjects who “are in the Union”. Recital 141 gives a further hint in respect of the Member State of “habitual residence” in connection with lodging a complaint with a supervisory authority…
This will be something that the UK is going to have to work out when it leaves the EU, as the extraterritorial reach will impact on it as a third country, which will need to seek adequacy to ensure that transfers of personal data to it can continue; data controllers will then need to look to appoint representatives in a Member State and determine which is their lead supervisory authority as far as the processing of personal data of data subjects who “are in the Union” is concerned, as that will no longer be (just) the ICO. In a perverse twist, UK residents may find, after the split, that their personal data is guaranteed better protection and they have stronger rights if it is processed in the newest EU Member State than if it is processed in the UK itself.
I think we are overly worried about consent; there are situations where we need consent, but processing as part of fulfilling a contract does not need consent. The main requirement (the most important) in my view is to provide notice of proposed processing, the Privacy Notice. Sadly, the Privacy Notice is set to be burdened with lots of technical jargon about data retention and the conditions for fair processing.