Ready. Set. General Data Protection Regulation.
Discover GDPR in layman’s terms! Learn what it is, why it matters, and how it protects our data. Yours and mine.
Author: Jakob Normann
May 25, 2018

Companies, large and small, public and private, are obliged to comply with the rules on personal data protection that came into force on 25 May 2018. Overall, the regulation introduces a new principle in data protection law – Data Accountability. This means that companies have a duty to demonstrate data accountability in practice. Depending on the size and complexity of the company, this can be quite an overwhelming task.
Why Is GDPR Important?
Primarily, GDPR is important because it provides a single set of rules for all EU organisations to adhere to, thus giving businesses a level playing field and making the transfer of data between EU countries quicker and more transparent. It also empowers EU citizens by giving them more control over the ways in which their personal data is used.
Prior to introducing the new GDPR legislation, the European Commission found that only 15% of citizens felt that they had complete control over the information that they provided online. With such low trust amongst the general public, it is clear that consumer habits will ultimately be affected. Measures to rebuild this confidence, through the introduction and proper implementation of GDPR, are expected to increase trade. Thorough implementation of data protection policies and staff education are important, as non-compliance could result in a data breach.
Who Does GDPR Apply To?
The General Data Protection Regulation (GDPR) regulates the way personal data is collected and processed in the European Union (EU). Personal data is defined as any information relating to an identified or identifiable living individual. The GDPR applies to any person or organisation that processes personal data in the EU. Countries outside the EU that process personal data are called “third countries” under the GDPR. They may have their own data protection laws, but they are required to comply with the GDPR in the following circumstances:
- When supplying goods or services to the EU
- When processing data about citizens residing within the EU
Key Aspects of GDPR
Companies must get used to a new reality in which data collected on individuals is only on loan. And quickly. As long as this data is in our custody, it must be handled with care and integrity, and as soon as we no longer need it, it must be deleted or anonymised.
The General Data Protection Regulation defines personal data as any information relating to an identified or identifiable person. This includes online identifiers, such as IP addresses and cookies, provided they can be attributed to the individual (the data subject). It also includes indirect information such as physical, mental, genetic, economic, cultural and social identities that can be attributed to the individual. The Regulation makes no distinction between personal data that is part of the person's private, public or professional life.
Minimize the risk of reputational damage and hefty fines
The GDPR introduces large fines for non-compliance, mandatory data breach notification and extended liability for data controllers. In short, it means that any company that collects, processes and stores personal data must ensure that adequate security measures, policies and controls are in place to meet the requirements.
In addition to the obvious reputational impact, there will be significant fines for companies that fail to comply (1). Fines of up to EUR 10 million or 2 percent of global turnover apply to breaches of: registration rules, inadequate security, failure to notify a personal data breach, or failure to conduct an impact assessment (2).
Fines can be up to EUR 20 million or 4 percent of global turnover for breaches related to: the legal basis for processing personal data, lack of consent, violation of data subjects’ rights, or in the case of cross-border data transfers (1).
Some of the most important provisions include:
Increased Documentation Requirements
Companies are required to examine and document what personal data they process, where the data comes from, with whom it may be shared, and on what legal basis the data is stored and processed.
Accountability Principle
The new Accountability Principle (Article 5) requires organisations to implement appropriate technical and organisational security measures in relation to the scope, context and purposes of the processing of personal data. Such measures must be proportionate to the risk presented by the data held and may include:
- Data minimization
- Encryption or pseudonymisation of personal data
- Ongoing integrity, confidentiality and availability of systems
- Timely restoration of availability and access after an incident
- Introduction of regular system evaluation
Data Subject Consent
A central element of the GDPR is obtaining consent. It is defined as: “Any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to the processing of personal data concerning him or her.”
Organisations must be able to document how and when consent was given. Consent does not have to be express. It may be implied by virtue of the individual’s relationship with the company. However, it must be possible to demonstrate that the information collected serves specific, explicit and legitimate purposes.
The data subject must be able to withdraw his or her consent at any time. He or she has the right to be forgotten if the data are no longer necessary for the legitimate purposes for which they were originally collected and, as a result, the data must be erased.
The data subject’s right of access
Part of the extended rights of the data subject outlined in the Regulation concerns the individual’s right to obtain confirmation as to whether personal data concerning him or her are being processed, where they are being processed and for what purposes. Furthermore, the data controller must, at the request of the data subject, provide the data subject with a copy of the personal data. The copy must be provided free of charge and in a commonly used format. This change is a significant shift towards data transparency and a strengthening of the data subject's empowerment.
The right to information (information obligation)
When an organisation collects information about an individual, information about the data controller must be made available to the data subject, including:
- The identity and contact details of the organisation collecting the data
- The purpose of collecting the data and how it will be used
- How long the data will be stored
- The data subject's right to access, rectify or erase data
- Whether data is transferred internationally
- The data subject's right to withdraw consent
- The data subject's right to lodge a complaint
The regulation requires individuals to have full access to information about how their data is being processed. This information must be provided in a clear and intelligible manner. It also gives individuals the right to make requests and organisations must comply with such requests without undue delay and at the latest within one month of receiving such a request. In cases of unfounded or excessive frequency, small and medium-sized enterprises may charge a fee for providing access.
Right to rectification
Under the Regulation, individuals have the right to have personal data rectified if it is inaccurate or incomplete. If this data has been disclosed to third parties, data controllers must also inform data subjects of the third parties to whom the data has been disclosed, where applicable.
Right to erasure
The right to erasure (also known as the “right to be forgotten”) gives a data subject the right to have their personal data, from a data controller, erased where certain circumstances apply: if the data are no longer necessary for the purpose for which they were processed, if the data subject withdraws consent, if the data have been processed unlawfully, or if erasure is required for compliance with a legal obligation. The right to erasure also extends to parties to whom the controller may have disclosed the personal data. However, it is the responsibility of the controller to balance the data subject’s right against any rights in the public interest.
Automated profiling (“Automated individual decisions”)
The Regulation introduces measures to protect individuals from potentially harmful decisions made without human involvement. As such, individuals have the right not to be subject to decisions based solely on automated processing which produce legal or other significant consequences for them. Therefore, organisations must ensure that data subjects can obtain human intervention, express their point of view, obtain an explanation of the decision, and object.
Mandatory notification of data breaches
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, the new provisions require companies to notify the relevant authorities and the affected users within 72 hours of becoming aware of the breach.
Privacy Impact Assessment
Under the Regulation, organisations must carry out an impact assessment of the intended data processing operations when the processing is likely to result in high privacy risks. If the personal data impact assessment predicts a high inherent risk, the data protection supervisory authority must be consulted before processing commences.
The right to data portability
The GDPR introduces the right to data portability, which means that a data subject has the right to receive personal data concerning him or her that he or she has provided to a data controller and to transmit this data to another data controller. The data controller is obliged to provide the data without hindrance, in a commonly used and machine-readable format.
The right to object
Under the Regulation, a data subject has the right to object, at any time, to a data controller's processing of his or her personal data. In practice, this means that the data controller may no longer process the personal data unless the data controller can demonstrate legitimate purposes for the processing that outweigh the interests and rights of the data subject. If personal data are processed for the purpose of direct marketing, the data subject's right to object cannot be contested. It is the responsibility of the data controller, already at the first communication, to make individuals aware of this right. The right must be described clearly and distinctly, separately from all other information.
Protection by Design & Default
This is not a new concept. Organizations are already required to have appropriate technical and organisational measures to protect personal data. However, under the GDPR, organisations must be able to demonstrate that these measures are regularly reviewed and updated. They must also be able to demonstrate that relevant measures are included in the design of their processing procedures, that personal data are processed by default only when necessary to perform a given task (data minimisation), and that access to personal data is limited to those carrying out the processing.
Mandatory Data Protection Officer
Under the GDPR, the appointment of a Data Protection Officer (DPO) will be mandatory for controllers and processors whose core activities involve processing personal data that requires regular and systematic monitoring of data subjects on a large scale, or processing special categories of data (e.g. clinical data, criminal records). A DPO must have expert knowledge of data protection law and practice, and be sufficiently independent from the organisation.
- A DPO can be an employee or an external service provider
- Contact details must be provided to the relevant authorities
- Must have sufficient resources to carry out their tasks and maintain their expertise
- Must report directly to the highest level of management
- Must not be involved in tasks that may result in a conflict of interest
*Pseudonymization takes the most identifying fields in a database and replaces them with artificial IDs or pseudonyms. For example, a name is replaced with a unique numerical code. The purpose is to make data less identifiable and thus reduce the risk in relation to data sharing and storage. Pseudonymized data is typically used for analysis purposes and data processing.
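The pseudonymisation described in the note above, as an added example that is not part of the original article: it uses a keyed hash (HMAC-SHA256) instead of a plain counter, so the same person always gets the same pseudonym and the pseudonym cannot be recomputed without the key, and it keeps the re-identification table apart from the analysis copy. The records, field names and function names are constructed for this example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records for illustration; the people are fictional.
RECORDS = [
    {"name": "Anna Jensen", "email": "anna@example.org", "city": "Aarhus", "amount": 120},
    {"name": "Bo Hansen", "email": "bo@example.org", "city": "Odense", "amount": 45},
    {"name": "Anna Jensen", "email": "anna@example.org", "city": "Aarhus", "amount": 80},
]

# Directly identifying fields that must not appear in the analysis copy.
IDENTIFYING_FIELDS = ("name", "email")


def pseudonym(key: bytes, value: str) -> str:
    """Keyed hash (HMAC-SHA256) of a normalised identifier: the same person always
    gets the same pseudonym, so records can still be joined for analysis, but
    without the key nobody can recompute or reverse it."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return (analysis copy, lookup table). The lookup table (pseudonym -> original)
    is the re-identification material: keep it apart from the analysis copy, under
    access control, and delete it once re-identification is no longer needed."""
    lookup, analysis_copy = {}, []
    for record in records:
        pseudonymised = dict(record)
        for field in IDENTIFYING_FIELDS:
            pid = pseudonym(key, record[field])
            lookup[pid] = record[field]
            pseudonymised[field] = pid
        analysis_copy.append(pseudonymised)
    return analysis_copy, lookup


def spend_per_subject(analysis_copy):
    """Analysis that needs no identities: total amount per pseudonymous e-mail."""
    totals = Counter()
    for record in analysis_copy:
        totals[record["email"]] += record["amount"]
    return dict(totals)


def reidentify(record, lookup):
    """Authorised reversal via the separately held lookup table. While that table
    (or the key) exists the data is still personal data, only less identifiable."""
    return {f: lookup[v] if f in IDENTIFYING_FIELDS else v for f, v in record.items()}
```

Generate the key with a CSPRNG (for example `secrets.token_bytes(32)`) and store it, like the lookup table, outside the environment where the analysis copy is used.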
References:
(1) A Summary of the EU General Data Protection Regulation
(2) Overview of the General Data Protection Regulation (GDPR)
(3) EU Official Journal Issue L 119