EU General Data Protection Regulation

(EU GDPR)

Enforcement Date

25/05/2018

GDPR aims to:

  • give citizens and residents of the EU control over their personal data
  • simplify the regulatory environment for global corporations by unifying data-protection rules across the EU

What does it do?

  • Controls what can be done with personal information
  • Requires that consent is given, or that another legitimate reason exists, before personal information is processed or stored
  • Gives a person the right to know what information is held about them

Extended Territorial Reach

  • GDPR applies when the data controller, the data processor or the data subject (the person) resides in the EU
  • GDPR also applies to corporations that do not operate in the EU but collect or process personal data of EU residents
  • Data Controller
    • Corporations that collect data from EU residents
  • Data Processor
    • Corporations that process data on behalf of data controllers
  • Personal data
    • any information relating to an individual

IMPORTANT TERMS

Consent

  • Consent must be freely given, specific, informed, unambiguous, as easy to withdraw as to give, and “explicit” for sensitive data
  • Requests for consent should be:
    • separate from other legal terms
    • presented in clear and plain language
  • The data controller is required to be able to demonstrate that consent was given.

Lawful Basis for Processing

Data can only be processed if there is at least one lawful basis for doing so. The lawful bases for processing are:

  • the data subject has given consent to the processing of his or her personal data for one or more specific purposes
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
  • processing is necessary for compliance with a legal obligation to which the controller is subject
  • processing is necessary in order to protect the vital interests of the data subject or of another natural person
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.


Data Protection Officers

Data controllers and processors must appoint a Data Protection Officer (DPO) as part of their accountability programme in the following circumstances:

  • processing is carried out by a public authority
  • the core activities of the controller or processor consist of processing which, by its nature, scope or purposes, requires regular and systematic monitoring of data subjects on a large scale
  • the core activities consist of processing on a large scale of special categories of data

The DPO must have sufficient expert knowledge of the relevant domain.

Accountability and Privacy by Design

The GDPR places heavy accountability obligations on data controllers to demonstrate compliance. The requirements are to:

  • maintain certain documentation
  • conduct a data protection impact assessment for higher-risk processing
  • implement data protection by design and by default, e.g. data minimisation and pseudonymisation

Data Protection by Design and by Default

  • Data protection must be built in by default when business processes for products and services are designed
  • Privacy settings are set to their most protective level by default
  • The data controller must design technical and procedural measures to ensure that the whole processing life cycle complies with the regulation.
  • Personal data is processed only where necessary for each specific purpose

Data Breaches

  • Data controllers are legally required to notify the Supervisory Authority without undue delay, within 72 hours of becoming aware of the data breach (Article 33)
  • Individuals must be notified when the breach is determined to have negative repercussions for them (Article 34)
  • The data processor must notify the controller without undue delay after becoming aware of a personal data breach (Article 33)

Sources

  • http://www.allenovery.com/SiteCollectionDocuments/Radical%20changes%20to%20European%20data%20protection%20legislation.pdf
  • https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
  • https://medium.com/@GDPR_alliance/the-general-data-protection-regulation-gdpr-in-a-nutshell-2f02290dbd0d
  • https://b-hive.eu/news-full/2017/3/2/the-gdpr-in-a-nutshell-ten-things-you-have-to-be-aware-of

By chananloh

A summary of EU General Data Protection Regulation