What Is The GDPR?
The General Data Protection Regulation (“GDPR”) is a European Union (“EU”) regulation adopted in April 2016, aimed at strengthening privacy protections for individuals residing in the EU, harmonizing EU member states’ data protection laws and creating a standardized mechanism of enforcement. While it does not come into effect until May 25, 2018, its impact is so overarching and its applicability so broad that organizations are currently scrambling during 2017 to prepare to meet its mandates before they come fully into effect next year. As detailed in this Guide, fines and penalties for failure to comply could cripple a business, and compliance is not a simple matter to achieve.
Definition Of Terms
Binding Corporate Rules (BCRs)
Rules within a multinational group of companies that determine how they will transfer personal information to their entities that are in countries that do not ensure an adequate level of protection for personal data. BCRs that the European Commission approves under the European Commission’s EU cooperation procedure provide for the legal transfer of personal data between the entities of such multinational groups.
Data Protection Officer (DPO)
Data Protection Officers ensure that an organization is both aware of and complies with its relevant data protection responsibilities. A DPO must be appointed if the core activities of the company involve “systematic monitoring of data subjects on a large scale” or large-scale processing of special categories of data (racial or ethnic origin, political opinions, religious or philosophical beliefs, biometric information, sexual orientation, or data regarding health or sex life). Small and medium-sized enterprises (SMEs) may be exempt from appointing a DPO if certain requirements are met.
Personally Identifying Information (PII)
Information that can be used on its own or together with other information to determine a person’s identity, locate an individual, or contact a particular person. Information that is unique to a person or that can de-anonymize anonymous data can be considered PII.
Data Protection Authorities (DPAs)
National data protection authorities are independent public authorities tasked with overseeing the operation of data protection law within their territory. They have the authority to investigate an organization’s handling of personal data, intervene before processing or transfers of personal information, participate in and bring legal proceedings for privacy violations, and hear grievances of individuals who believe their personal data has been misused.
Why Read This Guide?
This Guide is intended to support a business’s Information Governance (IG) team in preparing to meet the firm’s obligations under the GDPR. Some members of the team who are privacy professionals or attorneys may already be very familiar with the GDPR, but complying with it will require a firm to reach into its Information Technology, Records Management and Line of Business functions to make compliance a reality. This Guide is therefore intended as an introduction to the GDPR that lawyers and privacy specialists, as well as the other members of the IG team, can all understand and use as a project plan for GDPR compliance.
As any lawyer will tell you, a law or regulation is only partially about the words as written; it is only when the law begins to be enforced by regulators and courts that one can truly tell which factors the authorities will consider critical. We have therefore provided insights from our work with our clients to describe what they are doing now to prepare for the GDPR. If your firm’s level of preparedness for the GDPR is outside the norm, you are putting it at additional risk.
Finally, if you think you can ignore the GDPR because your company is not incorporated or physically located in the European Union, think again. The GDPR applies to any firm that holds the PII of any EU citizen, and the EU is preparing to enforce the GDPR worldwide – particularly against ‘deep pocket’ targets.
Under the GDPR, EU Data Protection Supervisory Authorities will have an array of both investigative and corrective powers – including the ability to issue warnings of noncompliance, perform audits of organizations housing EU residents’ personal data, demand specific remediation within a specific time frame, order erasure of certain data, and suspend data transfers to a third country.
In addition, the GDPR grants Supervisory Authorities the ability to issue administrative fines for noncompliance. Breached organizations will find the fines they face increasing dramatically. From a theoretical maximum of £500,000 (over $664,000) that the Information Commissioner’s Office (ICO) can currently levy, penalties will reach an upper limit of £20 million (over $22.4 million) or 4% of annual global turnover – whichever is greater. The 4% of annual global turnover is the maximum fine that can be imposed; i.e., it is reserved for serious infringements, such as those in which the customer did not provide sufficient consent to the processing of their data.
Decided on a case-by-case basis, these fines will take into consideration a variety of factors including, but not limited to:
- the nature, gravity and duration of the infringement;
- whether the infringement was intentional;
- attempts by the controller or processor to mitigate the damage sustained;
- the level of responsibility of the controller or processor in terms of the technical or organizational measures in effect at the time;
- the record of previous breaches/infringements by the controller or processor;
- demonstrated effort(s) to work with the Supervisory Authorities to remedy or mitigate the impact of the breach/infringement;
- the type(s) of data impacted by the breach/infringement;
- the manner in which the infringement becomes known to the Supervisory Authorities;
- whether the controller or processor had previously taken any corrective measures over the subject matter at issue in the instant;
- a record demonstrating past compliance with approved codes of conduct or certified data privacy mechanisms; and
- other factors, such as financial benefits gained or losses avoided, directly or indirectly, through the infringement.