GENERAL DATA PROTECTION REGULATION
The General Data Protection Regulation (GDPR), agreed upon by the European Parliament and Council in April 2016, will replace the Data Protection Directive 95/46/ec in Spring 2018 as the primary law regulating how companies protect EU citizens’ personal data. Companies that are already in compliance with the Directive must ensure that they are also compliant with the new requirements of the GDPR before it becomes effective on May 25, 2018. Companies that fail to achieve GDPR compliance before the deadline will be subject to stiff penalties and fines.
GDPR requirements apply to each member state of the European Union, aiming to create more consistent protection of consumer and personal data across EU nations. Some of the key privacy and data protection requirements of the GDPR include:
- Requiring the consent of subjects for data processing
- Anonymizing collected data to protect privacy
- Providing data breach notifications
- Safely handling the transfer of data across borders
- Requiring certain companies to appoint a data protection officer to oversee GDPR compliance.
Who is subject to GDPR compliance?
The purpose of the GDPR is to impose a uniform data security law on all EU members so that each member state no longer needs to write its own data protection laws and laws are consistent across the entire EU. In addition to EU members, it is important to note that any company that markets goods or services to EU residents, regardless of its location, is subject to the regulation. As a result, GDPR will have an impact on data protection requirements globally.
The General Data Protection Regulation establishes eight rights that apply to all data subjects; the organization is obligated to respect these rights or face severe penalties. The GDPR allows for steep penalties of up to €20 million or 4% of global annual turnover, whichever is higher, for non-compliance. These rights are as follows:
1. The right to access.
Individuals may request access to their personal data. They may also ask about how their data is used, processed, stored, or transferred to other organizations. You must provide an electronic copy of the personal data, free of charge if requested.
2. The right to be informed.
Individuals must be informed and give free consent (not implied) before gathering and processing their data.
3. The right to data portability.
Individuals may transfer their data from one service provider to another at any time. The transfer must happen in a commonly used and machine-readable format.
4. The right to be forgotten.
If users are no longer customers or withdraw their consent to use their personal data, they have the right to have their data deleted.
Exemptions from complying with a data subject request under GDPR:
Data protection principles, data subject rights and controller obligations are not absolute. They can be limited, restricted or lightened by way of Union and Member State law. To be lawful, however, the limitation must fulfil the requirements of Article 23 of the EU GDPR, which are as follows:
Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 and Article 34, as well as Article 5 in so far as its provisions correspond to the rights and obligations provided for in Articles 12 to 22 when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
(a) National security, which refers to both the internal and external security of Member States.
(b) Defence-related matters of the Union or a Member State.
(c) Public security, which covers the protection of human life, particularly in cases of "natural or manmade disasters".
(d) The prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
(e) Other important objectives of general public interest of the Union or a Member State, in particular an important economic or financial interest of the Union or a Member State, including monetary, budgetary and taxation matters, public health and social security.
(f) The protection of judicial independence and judicial proceedings.
(g) The prevention, investigation, detection and prosecution of breaches of ethics for regulated professions.
(h) A monitoring, inspection or regulatory function connected, even occasionally, to the exercise of official authority in the cases referred to in points (a) to (e) and (g).
(i) The protection of the data subject or the rights and freedoms of others.
(j) The enforcement of civil law claims.
GDPR Enforcement and Penalties for Non-Compliance
In comparison to the former Data Protection Directive, the GDPR has increased penalties for non-compliance. Supervisory authorities (SAs) have more authority than under the previous legislation because the GDPR sets a standard across the EU for all companies that handle EU citizens’ personal data. SAs hold investigative and corrective powers and may issue warnings for non-compliance, perform audits to ensure compliance, require companies to make specified improvements by prescribed deadlines, order data to be erased, and block companies from transferring data to other countries. Data controllers and processors are subject to the SAs’ powers and penalties.
The GDPR also allows SAs to issue larger fines than the Data Protection Directive; fines are determined based on the circumstances of each case, and the SA may choose whether to exercise its corrective powers with or without fines. For companies that fail to comply with certain GDPR requirements, fines may be up to 2% of total global annual turnover or €10m, or for the most serious infringements up to 4% of total global annual turnover or €20m, whichever is greater.