Jurisdiction: European Union / European Economic Area | Status: Adopted and Enforceable
History and what it’s about
The General Data Protection Regulation (GDPR) was adopted on April 27, 2016. It became enforceable on May 25, 2018. The GDPR’s purpose is to protect the fundamental rights of individuals in the European Union (EU), and specifically their personal data and privacy rights. To achieve this, it establishes a framework for personal data protection across the European Union.
In other words, the GDPR imposes a data governance framework on organisations that process personal data of Europeans. This aims to protect Europeans against harms that may result from improper treatment of their data. Although the GDPR is about data governance, the law must be complied with in the software used to process data. Compliance thus has a large impact on digital product teams and IT departments.
Who has a role to play in GDPR compliance?
To reason about the requirements that the GDPR imposes on an organisation, it is important to understand a number of “roles”. Knowing the roles clarifies both what the requirements are and who may require the organisation to comply with them. The key roles in the General Data Protection Regulation are:
- Obligation holders
  - Data controllers: organisations that collect and process personal data of European citizens, regardless of whether they are located in the EU
  - Data processors: third-party service providers handling data on behalf of controllers
- Supervisory bodies:
  - data protection authorities appointed in the EU member states
  - the European Data Protection Board (EDPB)
- Rights holders: the individuals who reside in the EU/EEA (not limited to citizens) and representative organisations
What are the most important obligations?
The GDPR imposes the following key obligations:
- Define one or more clear purposes for the collection and use of personal data beforehand
- Ensure that the processing of data is allowed under one of the accepted legal bases
- Destroy personal data once it is no longer needed to achieve the defined purpose(s)
- Maintain accurate records of the different processing activities undertaken in the organisation
- Assess the potential impact that activities may have on individuals, and perform a structured data protection impact assessment if the activities are seen as higher risk
- Design the processing operations to provide data protection by design and by default
- Implement appropriate technical and organizational measures to protect personal data
- Respect individuals’ rights to access, correct, delete, and port their personal data
- Ensure that data transferred to countries outside the EU/EEA meets specific conditions
- Inform authorities and affected individuals of relevant incidents within 72 hours
- Appoint a Data Protection Officer if the organisation processes large amounts of personal data
What are the consequences of non-compliance?
A failure to comply with the requirements in the GDPR can have the following consequences:
- Fines of up to €20 million or 4% of annual global turnover, whichever is higher
- Disruptive and invasive investigations by data protection authorities
- Orders to change, suspend or end data processing from data protection authorities and courts
- Potential lawsuits and legal claims from affected individuals or representative groups
- Challenges to successfully sell or produce products, e.g. protracted sales cycles or outright rejection
- Challenges to deploy sold or procured products, including limitations placed on their use by buyers due to the risk of harms or legal risk in some use cases
- Reputational damage and loss of consumer trust and a risk of user attrition
Where can I find more information?
The official title for the GDPR is: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). You can find more information on the GDPR here:
#EuropeanUnion #EuropeanEconomicArea #GDPR #DataProtection #PrivacyLaw #PersonalData