GDPR Explained In Plain English
Posted by Superadmin on September 16 2022 07:23:18

PUBLISHED DATE: JANUARY 7, 2019
How to Comply with GDPR

What is the GDPR regulation and when was it passed?

The EU General Data Protection Regulation, or GDPR for short, is a sweeping regulation passed in December of 2016 to protect the privacy rights of European citizens and to promote a fair and balanced market. The GDPR replaces the EU Data Protection Directive, which dated back to 1996, and makes a number of changes in the EU regulatory landscape.

Unlike the previous Directive, the GDPR was conceived and passed as a regulation, meaning that it does not require each EU member state to pass legislation to enact it. This will result in a more predictable and unified regulatory environment across the EU.

It articulates the fundamental rights of EU data subjects and the obligations of data controllers to ensure that those rights are protected, that personal data can flow freely, and that the marketplace remains competitive.

What are individual rights under GDPR?

The GDPR is concerned with any data that pertains to or can uniquely identify a natural person. This can include: name, address, identification numbers, physical location, payment information, online identifiers such as IP addresses, and sensitive classifications of data, including health information, political views, biometric or genetic information.

It guarantees citizens of the EU specific rights regarding their personal data:

When did GDPR come into force?

As of May 25, 2018, GDPR is fully enforceable. Any organization found to be non-compliant may be subject to investigation and enforcement actions from EU Data Protection Authorities.

What are the penalties for not complying with GDPR?

The GDPR introduces substantial maximum penalties for non-compliance: up to €20 million or 4% of the organization’s global revenue from the previous year, whichever is higher.

Who needs to comply with GDPR?

Any organization regardless of where it is located or headquartered is subject to the GDPR if it collects, stores and/or processes the personal data of EU citizens. With its emphasis on privacy and consumer rights, GDPR requires changes in the way many companies conduct business.

The scope covers any organization collecting, storing or processing data pertaining to natural persons who are citizens of EU member states, regardless of whether the organization is based in the EU and regardless of whether the EU resident is physically present in the EU at the time the data is collected or monitored. Note: the regulation excludes data pertaining to the deceased.

What is a data controller?

Organizations subject to the EU General Data Protection Regulation, or GDPR, fall into two categories. The first category is the Controller. The Regulation defines a controller as an entity that alone or jointly with others determines how and why personal data is processed. Controllers are accountable for ensuring that the rights of the data subjects are enforced and that the data is adequately protected.

What is a data processor?

The second category is the Processor. A processor performs data processing services on behalf of the controller. When transferring data to a processor, the controller is responsible for verifying through contractual agreements and other means that the processor implements technical and organizational measures sufficient to enable the controller to meet its regulatory requirements.

Can I be a data controller and a data processor?

Yes. It’s not uncommon for some organizations such as managed service providers to act as both controllers and processors for different business activities.

GDPR Terminologies

10 Steps to GDPR Compliance

Here are the top 10 recommendations that you can use right now to comply with GDPR:

  1. Document and publish privacy notices for employees and clients.
  2. Define a high-level subject access request process to deal with requests from data subjects regarding their data rights.
  3. Publish information about how to submit a subject access request and/or update the privacy policies to include this.
  4. Design and implement sub-processes in line with data rights set out by GDPR.
  5. Design, document, and implement a formal DPIA (Data Protection Impact Assessment) process.
  6. Review contracts and terms of business with third parties.
  7. Conduct a data mapping exercise.
  8. Create a data register.
  9. Review the lawful purpose for processing each dataset/type.
  10. Implement an incident register to track and record the actions taken in response to a data breach or cyber incident.

The steps above should support the creation of a detailed project plan for achieving GDPR compliance. That plan should form a significant element of the security and compliance program, and it is also an important artifact to have in hand if a regulator or third party asks for evidence of the firm’s commitment to achieving GDPR compliance. A key compliance differentiator for businesses will be the ability to demonstrate that commitment.