General Data Protection Regulation (GDPR) is a regulation, enforceable from 25 May 2018, that is intended to strengthen and unify data protection within the European Union. The GDPR aims to give control back to citizens and residents over their personal data, and to simplify the regulatory environment for international business by unifying the regulation within the EU.
When the regulation takes effect, it will replace the data protection directive (Directive 95/46/EC) of 1995. Unlike a directive, it does not require national governments to pass any enabling legislation, and is therefore directly binding and applicable.
The GDPR extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, making it easier for non-European companies to comply with these regulations. However, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover.
Important terms to consider before reading about the GDPR include:
- Data Subject: An entity whose data is in question.
- Personal Data: Any information related to a Data Subject, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.
- Data Controller: An entity that determines the purposes, conditions, and means of the processing of personal data.
- Data Processor: An entity which processes personal data on behalf of the Data Controller.
The new regulation contains the following key changes:
- Increased Territorial Scope: GDPR applies to all companies processing the personal data of data subjects residing in the Union, regardless of the company’s location.
- Penalties: Organizations in breach of GDPR can be fined up to 4% of annual global turnover, or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements, e.g.not having sufficient customer consent to process data, or violating the core of Privacy by Design concepts.
- Consent: Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.
- Breach Notification: Breach notification will become mandatory in all member states where a data breach is likely to result in a risk for the rights and freedoms of individuals. This must be done within 72 hours of first having become aware of the breach.
- Right to Access: GDPR provides the right for data subjects to obtain, from the data controller, confirmation as to whether or not personal data concerning them is being processed, where, and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.
- Right to be Forgotten: Also known as Data Erasure. Data subjects have the right to instruct the data controller to erase their personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. Conditions for erasure include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent. This right requires controllers to compare the subjects’ rights to the public interest in the availability of the data, when considering such requests.
- Data Portability: GDPR provides the right for a data subject to receive the personal data concerning them, which they have previously provided in a ‘commonly used and machine readable format’, and have the right to transmit that data to another controller.
- Privacy by Design: Data protection must be included from the onset of designing systems, rather than as an addition. Controllers are to hold and process only the data absolutely necessary for the completion of its duties (data minimization), as well as limit the access to personal data to those needing to act out the processing.
- Data Protection Officers (DPO): Currently, controllers are required to notify their data processing activities with local data processing authorities (DPAs). With GDPR, instead, there will be internal record keeping requirements, and DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data or data relating to criminal convictions and offences. The DPO:
- Must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices.
- May be a staff member or an external service provider.
- Must have their contact details provided to the relevant DPA.
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge.
- Must report directly to the highest level of management.
- Must not carry out any other tasks that could results in a conflict of interest.
Parental consent will be required to process the personal data of children under the age of 16 for online services. Member states may legislate for a lower age of consent, but this will not be below the age of 13.
Topics such as data protection may seem overwhelming to some – even within a company’s IT department. But now is as good a time as any to research the very real consequences of ignoring this important aspect of running a business. The more knowledge one has about it, the easier it is to implement. And once a proper foundation has been established, occasional tweaks to adjust to new regulations, such as GDPR, are a much easier task.
With just over 100 days until GDPR becomes enforceable, businesses need to prioritize ensuring that they meet the regulation’s requirements, so that they don’t encounter any obstacles doing business with companies in the European Union later this year. Improving the quality of your company’s data protection, however, should not only be done when new regulations like GDPR come around, but rather whenever possible. This will ensure that your, and your clients’, information is properly stored, distributed, and protected. Not to mention doing so will make your clients feel at ease, and may even attract new business partners. That’s why Relocation Africa holds the safeguarding of its client and business partner data in the highest regard, and is constantly tracking changes in data-related legislation.
For more information about GDPR, and a countdown timer to its enforcement, visit the EU GDPR website here.
For information as to how Relocation Africa can help you with your Mobility, Immigration, Research, and Remuneration needs, email email@example.com, or call us on +27 21 763 4240.