The General Data Protection Regulation (GDPR) is a data protection regulation that was passed by the European Union (EU) Parliament in 2016 and came into effect on 25th May, 2018. It introduces stringent rules on the collection and movement of personal data and enhanced penalties for flouting those rules.
The responsibilities in the GDPR are vested in controllers, defined as the entities which determine the purposes and means of the processing of personal data, and processors, defined as entities which process personal data on behalf of controllers. The member states of the EU will designate supervisory authorities to implement the GDPR.
Personal data is defined in the GDPR as any information relating to a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
Article 3 of the GDPR provides that the territorial scope expands to entities outside the EU if they are processing the personal data of persons who are in the EU. The GDPR therefore has a global reach despite being passed by the EU Parliament.
The guiding principles on processing of personal data per the GDPR are as follows:
- Data should be collected for specified, explicit and legitimate reasons.
- Data should be processed lawfully, fairly and in a transparent manner.
- Data collected should be adequate and limited to what is necessary for the purpose.
- Data should be accurate and where it is found to be inaccurate, it must be erased or rectified timeously.
- Data should not be stored for longer than is necessary.
- Data should be processed in a manner that ensures appropriate security of the data.
The following are some of the changes that have been introduced by the GDPR:
- Requests for a data subject’s consent should be presented in a clear and intelligible manner using clear and plain language; otherwise the grant of consent shall not be binding. The data subject also has the right to withdraw their consent at any time.
- Consent for a data subject below the age of 16 shall be granted by the holder of parental responsibility over the subject and the entity collecting the data shall take reasonable effort to verify that the consent was granted by the holder of such control.
- Data subjects have the right to obtain information on whether their personal data is being processed and if so, they can request access to the data and information such as the purpose of the data, the categories of data, the recipients of such data if it has been disclosed and the right to lodge a complaint with a supervisory authority.
- The data subject has the right to object to the processing of their data for certain purposes, for example direct marketing or scientific or historical research.
- The data subject also has the right to obtain erasure of their personal data without undue delay in instances where it has been processed unlawfully, where the subject withdraws consent for such processing, and where the data is no longer necessary for the purpose for which it was collected (the right to be forgotten).
- Controllers are required to implement appropriate measures for ensuring that, by default, only personal data which is necessary for the specific purpose of the processing is collected.
- Controllers shall use only processors that provide sufficient guarantees to meet the requirements of the GDPR. An authorized processor shall not engage another processor without the prior consent of the processor.
- Where there has been a personal data breach which is likely to result in a high risk to the rights and freedoms of natural persons, the controller is required to communicate the breach to the concerned data subject and to notify the relevant supervisory authority.
- Controllers are required to undertake data protection impact assessments before implementing new data protection technologies which are likely to result in a high risk to the rights and freedoms of persons.
- Member states of the EU have the liberty to set the administrative fines based on the breach though the GDPR recommends a maximum of 20 million Euros (approximately US$ 23,300,000) or 4% of the relevant entity’s total worldwide annual turnover of the preceding financial year, whichever is higher.
As a data subject in the EU, you should expect to see renewed requests for your consent and information on updated privacy policies.
As a controller or processor of data in or outside the EU, you should put steps in place to implement the above-mentioned changes before continuing your engagement with data subjects in the EU.
Please contact us at Info@cfllegal.com should you require further information.