General Data Protection Regulation (GDPR)

In December 2016, the EU Parliament and Council agreed upon the EU General Data Protection Regulation, first proposed in 2012, and as of May 25, 2018, it is in effect.

The GDPR offers a framework for data protection with increased obligations for organizations, and its reach is far and wide. It applies to any organization — no matter where it is located — that intentionally offers goods/services or monitors individuals’ behavior within the EU.

The General Data Protection Regulation (GDPR) standardizes data protection legislation for all EU member nations and significantly impacts businesses. The one certainty of the GDPR is that compliance is a complex, business-wide initiative that spans people, processes, technology, and data.

As per Article 4 of the GDPR, Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal data may also include special categories of personal data or criminal conviction and offenses data. These are considered to be more sensitive, and you may only process them in more limited circumstances.

Data controllers and processors whose core activities consist either of processing operations that require regular and systematic monitoring of data subjects on a large scale, or processing on a large scale of special categories of data, are required to appoint a data protection officer (DPO).

Data Protection Officer (DPO): Article 37, 38, and 39 of the GDPR.

1. Right to access: The right of access, commonly referred to as subject access, gives individuals the right to obtain a copy of their personal data as well as other supplementary information. It helps individuals understand how and why you are using their data and check you are doing it lawfully.
2. Right to rectification: Under Article 16 of the GDPR, individuals have the right to have inaccurate personal data rectified.
3. Right to erasure: Under Article 17 of the GDPR, individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten. The right is not absolute and only applies in certain circumstances.
4. Right to restriction of the processing: Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances. This means that an individual can limit the way that an organization uses its data. This is an alternative to requesting the erasure of their data.
5. Right to data portability: The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used, and machine-readable format. It also gives them the right to request that a controller transmits this data directly to another controller.
6. Right to object: Article 21 of the GDPR gives individuals the right to object to the processing of their personal data. This effectively allows individuals to ask you to stop processing their personal data.
7. Right related to automated individual decision-making: The data subject has the right not to be subject to a decision based solely on automated processing, such as profiling, which uses personal data to make calculated assumptions about individuals.
8. Right to be informed: Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.

The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:

• Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
• Contract: the processing is necessary for a contract you have with the individual or because they have asked you to take specific steps before entering into a contract.
• Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
• Vital interests: the processing is necessary to protect someone’s life.
• Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
• Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

According to Article 8 of the GDPR, The GDPR’s default age for consent is 16, although individual member state law may lower the age to no lower than 13. The person with parental responsibility must provide consent for children under the consent age.

Children must receive an age-appropriate privacy notice.

Children’s personal data is subject to heightened security requirements.

The GDPR’s  fines allow data protection authorities across Europe to issue fines of up to:

1. 4% of a company’s global annual turnover
   or
2. €20,000,000

whichever is higher.

Further, EU Member States can impose their own penalties applicable to infringements of the GDPR that are not subject to administrative fines under Article 83, GDPR.