In January 2012, the European Commission set out plans for data protection reform across the European Union in order to make Europe "fit for the digital age". Almost four years later, agreement was reached on what that involved and how it will be enforced. GDPR was issued in 2016 and came into force on May 25, 2018 and has effected not only European Area.
The General Data Protection Regulation (EU) 2016/679 ("GDPR") is a regulation in European Union law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It also addresses the export of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Let’s look through the key points of the GDPR:
- "Personal data" means any information relating to an identified or identifiable natural person ("data subject");
- GDPR applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form a filing system;
- GDPR applies to the processing of personal data in the context of activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. The Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or the monitoring of their behavior as far as their behavior takes place within the Union;
- Personal data shall be processed: lawfully, fairy, and in transparent manner in relation to the data subject; in a manner that ensures appropriate security of the personal data;
- Personal data shall be collected: for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- Personal data shall be adequate, relevant and limited to what is necessary in relation to the purpose for which they are processed; accurate and, where necessary, kept up to date; kept no longer than is necessary for the purposes for which they are processed;
- Processing shall be arranged on the grounds of the data subject’s consent or other lawful grounds indicated in Article 6 of the GDPR;
- The consent must be: freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
It's worth paying attention to the rights of the data subject. GDPR has greatly expanded this category. The following rights are provided for data subjects in the GDPR:
- Right to be informed;
- Right of access;
- Right to rectification;
- Right to erasure;
- Right to restrict processing;
- Right to data portability;
- Right to object;
- Right not to be subjected automated individual decision making, including profiling, where the decision will have legal or other significant effects;
- Right to a remedy.
As the GDPR has already came into force most controllers and processors had already taken actions to be in compliant with GDPR. However, a large number of companies outside the Union are still pending the GDPR procedures and wondering if they are regulated by GDPR or not. At first, they have to determine their status under GDPR as a "controller" and/or "processor". In accordance with the GDPR "controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. "Processor" means a natural or legal person, public authority, agency or other body which process personal data on behalf of the controller. Secondly, they have to determine if they are processing the personal data of data subjects who are in the Union. If these requirements are met the following minimum measures must be taken:
- Appointment of a Data Protection Officer who will inform and advise the controller or the processor and the employees who carry out processing of their obligations, monitor compliance with GDPR, cooperate with supervisory authority;
- Development of the consent, which must reflect that it is freely given and the data subject (e.g. client or employee) is "informed". Consent must contain the right to withdraw it at any time;
- Implementation of the appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
- Development of the Codes of Conduct reflecting the data protection policy of the company;
- Development of the agreements which have to be signed between data controllers and data processors, and third parties participating in data processing procedure (outsources);
- Organize staff training.
Companies regulated under GDPR must take measures in short terms as the penalties are pretty substantial: they can result in up 4% of sales up to a maximum of 20 million EUR. To comply with GDPR in short terms companies may outsource the GDPR matters to third parties or educate themselves via different educational programs and obtaining legal advice.