The European Union (EU) introduced its data protection standard more than 20 years ago through the Data Protection Directive 95/46/EC. Because a Directive leaves Member States a margin of flexibility when transposing it into national law, Europe ended up with a patchwork of differing privacy laws. With the increase in security breaches, advances in technology, and globalization over the past 20 years, new challenges have surfaced around the protection of personal data. In response, the EU developed the General Data Protection Regulation (GDPR), which, as a Regulation rather than a Directive, applies directly in every Member State.
Political agreement on the final text of the GDPR was announced in December 2015, and following the vote of the European Parliament in April 2016, the GDPR takes effect on May 25, 2018. The intent is to strengthen and unify data protection for individuals within the EU while controlling the export of personal data outside the EU. Put simply, the GDPR gives individuals in the EU control over their personal data. However, the breadth of the legislation has made it very hard for organizations across the world that conduct business within the EU to adapt and prepare for compliance.
Does the GDPR apply to your organization? The GDPR extends to non-European businesses that offer goods or services to data subjects in the EU, and to non-European businesses that monitor the behavior of data subjects in the EU, regardless of whether the business maintains an office or subsidiary in the EU. In short, an organization outside the EU that targets consumers in the EU or monitors their behavior is subject to the GDPR.
A Data Protection Officer (DPO) is highly recommended in all cases, but is required only if one of the following applies:
The processing is carried out by a public authority or body; or
The organization's core activities consist of regular and systematic monitoring of data subjects on a large scale; or
The organization's core activities consist of large-scale processing of special categories of data (Article 9 data such as health, genetic or biometric data) or of data relating to criminal convictions and offences.
Factors to consider when determining whether processing is "large scale" include:
The number of data subjects involved
The volume and range of data being processed
The duration and permanence of the data processing
The geographical reach of the processing activity
If the organization decides not to appoint a DPO, the analysis behind that decision should be documented so that it can be demonstrated to the supervisory authority on request.
Accountability is placed on data controllers to demonstrate compliance, requiring them to:
Conduct a data protection impact assessment for high-risk processing
Implement data protection by design and by default
Consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. A request for consent must be clearly distinguishable from other terms and presented in an intelligible and easily accessible form, using clear and plain language.
Data controllers must notify a personal data breach to the supervisory authority (the data protection authority, or DPA) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. If notification is made after 72 hours, it must be accompanied by the reasons for the delay. Where the breach is likely to result in a high risk to individuals, the controller must also notify the affected data subjects without undue delay.
Implications of Accountability under GDPR
Because the GDPR places accountability on organizations that hold personal data, these organizations must be prepared to respond to requests from individuals exercising their rights over the processing of their data. If an organization suffers a data breach, the following implications may apply, depending on the severity of the breach:
Organizations must notify the relevant data protection authority and, where the breach is likely to result in a high risk to individuals, the affected data subjects;
Organizations could be fined up to 4% of total worldwide annual turnover or €20 million, whichever is higher. Other specified infringements carry a fine of up to 2% of total worldwide annual turnover or €10 million, whichever is higher;
Reputational damage; and
Loss of business opportunities.
Organizations must revisit their IT strategies to align them with the GDPR, while also ensuring that they continue to meet their business requirements and account for the effect of GDPR-driven changes on their strategic initiatives.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon only when coordinated with individual professional advice.