First of all, for those not in the know, let us remember that GDPR is an acronym for General Data Protection Regulation, and that the word “Regulation” means something very specific in EU legislation. A European Union (EU) Regulation “is a legal act of the EU that becomes immediately enforceable as law in all member states simultaneously”[i]. As opposed to an EU Directive, which needs to be transposed into specific legislation in each member state, an EU Regulation does not require any translation into the legislation of the member states. It applies to them (and to their citizens and to the companies that operate in the Union) as soon as it comes into force, and in fact it overrides all national laws dealing with the same subject matter. Member states may incorporate elements of the Regulation into their national law. They may also expand the scope of the Regulation by clarifying aspects not covered in it, and we do usually see member states pass legislation of that kind. But member states cannot legislate to limit the scope of the Regulation or in contradiction with it.
So, in colloquial words, an EU Regulation is delicate stuff: a legal act that directly affects the lives of more than 500 million people and indirectly the lives of those who are related to any of the Union members, whether by work or by trade. Once in force it cannot be circumvented by single individuals, companies or member states, much less avoided. That is why EU Regulations usually take a long time and great care to create.
The Regulation that is the subject of this blog entry, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU. It is intended to override the member states’ legislation that flourished after the Data Protection Directive (officially Directive 95/46/EC), which it will replace.
So, how would it affect me in my personal and professional life? Well, for those in the mood for a lengthy and arduous read, or who need to go down to the nitty-gritty detail, the Regulation and the Directive can be found here[ii] and here[iii]. Fortunately, someone else did most of the hard work, so let us jump into some interesting points, extracted directly from the Regulation itself:
- The Regulation aims at the protection of natural persons with regard to the processing of personal data and at rules relating to the free movement of personal data. It is legislation intended to “protect” the rights of people, so in that sense it contains restrictions and obligations.
- “Personal data” is a wide concept that includes “any information relating to an identified or identifiable natural person such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”[iv]. As you can see, it covers many different types of information, and as soon as we are collecting information on individuals, it is very likely that it falls into one or several of the categories mentioned here.
- The Regulation applies if any of the following is true:
  - the processing of the data is done in the EU;
  - the data processor or controller is based in the EU;
  - the data is related to goods or services offered in the EU;
  - the personal data or behaviour being collected is happening in the EU.
  So basically, if you are dealing with personal data of natural persons located in the EU, this Regulation applies to you, irrespective of whether you are offering the goods or processing the data from outside the EU, or even based outside the EU.
- The Regulation states that the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including measures such as pseudonymisation and encryption (those two are specifically mentioned in the Regulation). They are also required to:
  - ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  - provide the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
  - implement a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.
  Here we enter the field of restrictions and obligations. The Regulation identifies the roles of a “controller” (the natural or legal person who determines the purposes and means of the processing of the information) and a “processor” (the natural or legal person who processes the data on behalf of the controller). If we had to summarise the Regulation in a few words, we could say it regulates the obligations and responsibilities of the processor and the controller.
- In the case of a personal data breach, the controller shall notify the personal data breach to the supervisory authority. When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject too. This is important, as communicating data breaches to the authorities and to the affected data subjects is no longer just part of the “best practices” corpus: it has become a legal obligation.
- The Regulation also introduces the role of a Data Protection Officer, whose tasks are mainly to advise, inform and monitor the data controllers and processors, and to coordinate with and act as the contact point for the supervisory authority.
- And finally, there is a whole chapter on remedies, liability and penalties for which a controller or processor shall be liable. Administrative fines can rise to 20 000 000 EUR or, in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. Member states may decide how they impose penalties, but the baseline for those is drawn in the Regulation, and it is considerably onerous.
There are many more aspects included in the Regulation, but these are some of the most important ones. This new legal framework imposes a set of tasks and obligations that, albeit not completely new to organisations, have become unavoidable in the EU space. Organisations and individuals alike need to set or update strategic plans for data protection. Encryption, access control, key management and vaulting, and alert system integration are going to be key in the implementation of these plans and in subsequent compliance with the legislation.
The Regulation comes into force on 25 May 2018.
As a final word, let me say that despite all this apparent complexity GDPR seems to be a beneficial regulation, not only for the people whose personal data privacy it is intended to protect, but also for the organisations that will play a role in the EU economic arena. It intends to bring coherence to the multiplicity of national legislative frameworks and will make corporations’ lives easier by clarifying in a single set of rules what in the past was scattered across several different – and sometimes conflicting – national legislations of the member states. So, let us not fight it, but embrace it instead.
This article was written by Ignacio. You can contact him at firstname.lastname@example.org