European General Data Protection Regulation (GDPR)
The European General Data Protection Regulation (GDPR) is a comprehensive data protection law that came into effect on May 25, 2018. It is designed to harmonize data privacy laws across Europe and to protect and empower all EU citizens’ data privacy, reshaping the way organizations across the region approach data privacy. The GDPR not only applies to organizations located within the EU but also to those outside of the EU if they provide goods or services to, or monitor the behavior of, EU data subjects. The regulation is built around two key principles: the protection of individuals’ personal data and the free movement of such data within the European single market.
Under GDPR, personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. This means organizations must have a lawful basis for processing personal data, such as consent, contractual necessity, or a legitimate interest that is not overridden by the rights and freedoms of the individual. Data subjects are granted significant rights under GDPR, including the right to access their personal data, the right to have inaccuracies corrected, the right to have information erased, the right to data portability, and the right to object to data processing. Furthermore, GDPR introduces the principles of “privacy by design” and “privacy by default,” meaning that data protection measures must be integrated into the development of business processes and systems.
GDPR imposes strict penalties for non-compliance, which can be up to 4% of an organization’s annual global turnover or €20 million (whichever is greater). This has incentivized organizations worldwide to revamp their data handling practices and ensure compliance. The regulation mandates a high level of protection for data transfers outside the EU, ensuring that the level of data protection afforded by the GDPR is not undermined. It also requires organizations to report certain types of data breaches to the relevant supervisory authority, and in some cases to the data subjects affected, within 72 hours of becoming aware of the breach. Overall, the GDPR has significantly impacted global data protection practices and has set a benchmark for privacy and data protection standards worldwide.
Data Protection Impact Assessment
Also known as Privacy Impact Assessments, these are a way to assess the risk that customers face when their information is collected, used, and possibly disclosed by a business. The purpose of these assessments is to identify high-risk areas that a company is expected to address and resolve.
While it is a good idea for all businesses to run privacy impact assessments and discover any potential weak links, not every company will be required to do so. This rule is mandatory for certain classes of businesses that have “high risk” processing. In fact, there are several GDPR rules that only apply if the company processes information that is thought to pose a “high risk” to the freedoms and rights of the person it pertains to.
Every company will need to examine its own processes and perhaps even consult an expert to determine whether it is “high risk.” Common high-risk activities include data processing that could result in identity theft, financial loss, or fraud. There are other categories as well, so make sure to contact a GDPR expert if your company is unsure of its standing.
For companies in the high-risk category, a mandatory privacy impact assessment may be followed by a meeting with your supervisory authority. This meeting is optional for some organizations and mandatory for others.
Depending on backlog, the wait for this meeting can extend the deadline of your GDPR compliance project. Therefore it is a good idea to get started on this step as soon as possible.