The new EU General Data Protection Regulation (GDPR): what you need to know
From May 2018, the new EU General Data Protection Regulation (GDPR) will apply. We answer the nine most important questions for companies.
1. What is the GDPR about?
The GDPR entered into force on 24 May 2016 but only applies from 25 May 2018, and that date is the binding implementation deadline for companies. In other words, the new rules on the handling of personal data must be analysed and implemented by 25 May 2018 at the latest; otherwise penalties apply. Personal data is any information relating to an identified or identifiable natural person, such as name, address, bank details or licence plate number, and in many cases also an IP address.
2. What is the objective of the GDPR?
The regulation has two objectives. On the one hand, it harmonises data protection law by replacing the patchwork of national laws and the various European directives with a single set of rules. On the other hand, it protects the persons concerned: in principle, each natural person should be able to decide for themselves whether, to what extent and for what purpose their personal data is disclosed and used.
3. For which companies does the regulation apply?
In principle, it applies to all companies in the EU that process personal data, i.e., employee and customer data. The regulation also applies to companies outside the EU that process the data of persons in the EU in the course of their business (for example when offering them goods or services). There are very few exceptions, since even a small craftsman's shop holds customer data such as addresses and account details in its systems.
4. What are the most important requirements?
The GDPR states that personal data may be processed only if there is a legal basis for it or if the company has the consent of the data subject. That is already the law today. From May 2018, however, the documentation requirement for companies is extended: businesses must now be able to demonstrate that their processing is lawful (accountability). Another new point is data protection by design and by default. This means that new products must follow data protection principles from the design stage onwards, and that software must ship with the most privacy-friendly settings enabled by default.
Furthermore, the information obligations towards data subjects are extended, and data subjects gain new rights, in particular the right to data portability. Businesses must be able to hand over a person's data to them in a structured, commonly used and machine-readable format so that customers can switch to another provider.
Companies still need a data-processing agreement with every service provider that processes personal data on their behalf, which means documenting and approving who processes which data; this also covers everyday products such as a mobile phone contract. The data subjects, i.e., the persons whose data is processed, can now assert their rights not only against the contracting company (the controller) but also against the third parties involved in the processing, such as a cloud service (the processor).
5. What are the duties of corporate governance?
Senior management is responsible for organising data protection. Under German national law a data protection officer (DPO) is mandatory once ten or more employees regularly process personal data; the GDPR itself ties the obligation to the nature and scale of the processing rather than to headcount. An external person can also take on this role. In addition, management should instruct its departments on how to work with the DPO. Every company needs a record of processing activities, or access to the software in which all relevant processing operations are listed, and must know who is responsible for it. Surveys have shown, however, that this is the case in only about half of companies so far.
6. Are there any recommendations for companies to prepare for the new legal situation?
The supervisory authorities are still holding back, but it is likely that they will soon examine what companies have already done towards GDPR compliance. At a minimum, a company should be able to present a plan for implementing the regulation, and it should start on that plan as soon as possible. The more complex the data processing and the more branches a company has, the longer implementation will take. It is a major organisational effort, for which half a year is not very long.
7. What are the sanctions for non-compliance with the GDPR?
Until now, the maximum fine under the German Federal Data Protection Act has been 300,000 euros. The new catalogue of sanctions provides for fines of up to four percent of annual worldwide turnover (or 20 million euros, whichever is higher). According to the supervisory authority, the turnover that counts is not only that of the individual company but that of the entire corporate group. Fines can therefore quickly run into the millions, which makes the consequences of a breach far more serious.
8. What are the disadvantages?
It entails a lot of extra work for companies: more documentation, extensive changes to processes and systems, and more precise, demonstrable consent.
9. Does the GDPR also present some advantages for companies?
Harmonisation puts all companies in the same legal position. Until now, the legal situation has been very complex for companies with branches or customers in several countries. The simplification has the positive side effect that American and other international companies will now also be bound by the same rules.