In 2018, the General Data Protection Regulation (GDPR) sent organizations across the 28 member states of the European Union (EU) scrambling to comply with a substantially revised set of European data protection rules. Now that the GDPR is in full force (it has applied since 25 May 2018), what will regulators want to see, and what do businesses need to know to comply? There are various nuances of the GDPR that companies need to understand to be regulator-ready.
Does GDPR Apply to Your Business?
The GDPR's territorial scope (Article 3) turns on where the organization is established and where the individuals are, not on the nationality of the people concerned. Any company established in the EU must comply for the personal data it processes in the context of that establishment, whether or not the processing itself takes place inside the EU. A company with no establishment in the EU must also comply when it offers goods or services to individuals who are in the EU, or monitors their behaviour there, even if it stores or processes the data outside the EU. Conversely, the GDPR does not apply simply because someone is an EU citizen: data about an EU citizen that is collected and processed entirely outside the EU by a non-EU company is out of scope.
The GDPR applies directly in every EU member state. The position of the U.K. will be worth watching given the debate over its exit from the EU. If the U.K. leaves with no withdrawal agreement covering the transition, the GDPR will very likely cease to apply there; however, rules modelled on the GDPR will continue to govern data protection in the U.K. Either way, companies should prepare to document their transfers of personal data between the U.K. and the EU, and between the U.K. and non-EU countries, because once Brexit takes effect the U.K. becomes a "third country" from the EU's perspective, and transfers to third countries need a recognised legal basis such as an adequacy decision or standard contractual clauses.
It Applies to Your Business; Now What?
Companies must put processes in place to ensure compliance with the GDPR. Previously, European companies had to notify their data processing activities to the Data Protection Authority in their country. Under the GDPR that filing requirement is gone. The paperwork burden has been eased, but in exchange companies are bound by the principle of accountability: they must assess their own readiness, keep internal records of their processing activities, and be able to demonstrate compliance to a supervisory authority on request.
Understanding the roles and responsibilities of controller and processor is critical. A controller is the organization that determines the purposes and the means of a particular personal data processing, in other words why the data is processed and how, including which tools are used. A processor is an organization that processes the data on behalf of, and on the instructions of, the controller. Before the GDPR, in most EU countries the controller bore most of the compliance obligations under existing data protection law, while the processor mostly acted under the controller's responsibility and incurred only contractual liability if it failed to protect the data. The GDPR creates separate statutory obligations for processors as well as controllers: a written data processing contract between the two is mandatory, and processors must act only on the controller's documented instructions, implement appropriate security measures, assist the controller with breach notification and data subject requests, and can be fined and sued directly.
If organizations do not put the proper processes in place, they will run into compliance issues. Clear privacy notices or statements help companies meet the transparency requirement: individuals must be told, for example, what data is being collected about them, by whom, and for what purposes.
In some circumstances, companies must obtain consent from individuals before processing their personal data. Consent is only one of the lawful bases the GDPR recognises (performance of a contract, a legal obligation and the controller's legitimate interests are others), but where it is relied on it must be freely given, specific, informed and unambiguous, and as easy to withdraw as it was to give. To that end, individuals should receive clear information about how their data is collected, how the company processes it, the purpose of the processing, where it is stored, and who has access to it. Personal data should not be retained for longer than necessary to achieve the purpose for which it was collected.
Along with transparency, there are various best practices to keep in mind when operationalizing the GDPR: solid access control processes; a vendor assessment program to verify that your vendors have privacy policies in place and have implemented appropriate security measures, backed by the written data processing contract the GDPR requires with every processor; and appointment of a data protection officer (DPO) where the nature of your business and the volume of data you process require one, for instance where your core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data.
A useful resource for getting to know the GDPR better is the European Commission's website, which outlines the principles of the regulation, the rules applicable to transfers of data to countries outside the EU, and the rights granted to individuals in the EU.
Rights of Individuals Under GDPR
Individuals have rights under the GDPR that companies need to consider and abide by. Most of these rights already existed before the GDPR, but the regulation gave them more emphasis and, for some, a wider scope. The rights are as follows:
- Information/access: People have the right to know what data is being collected and for what purposes.
- Rectification: Data must be corrected if it has become outdated or was not captured accurately.
- Object: Individuals can object to all or part of the processing, for example to processing for direct marketing purposes, which must then stop.
- Erasure (the "right to be forgotten"): Individuals have the right to request that their data be removed from a system under specific circumstances.
- Restriction: This right, new in this form, allows an individual to require that processing of their data be temporarily limited under specific circumstances, for example while the accuracy of the data is being contested.
- Automated decision-making and profiling: The GDPR broadens a right that already existed under the 1995 Directive. Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects for them, and, where such processing is permitted, to obtain human intervention, express their point of view and contest the decision.
- Portability: This right, genuinely new under the GDPR, lets individuals obtain the data they have provided to a controller in a structured, commonly used and machine-readable format, and have it transmitted to another controller where technically feasible.
Be Aware to Stay Compliant
Now that the GDPR is in force, companies must focus on maintaining ongoing compliance with its requirements. They must follow the guidance issued by the supervisory authorities across the EU in order to meet their overall accountability obligation. Collecting data properly does not give the controller "carte blanche" to process it as it wishes. It must stick to the business purposes for which it collected the data and be mindful that a secondary use of the same data may require a separate lawful basis, for example fresh consent, unless the new purpose is compatible with the original one.
Additionally, companies must ensure that the data they collect is processed and stored securely. A personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the company becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected. Where the breach is likely to result in a high risk to those individuals, they must be informed as well.
The supervisory authorities across the EU are in charge of enforcing the GDPR, and they have already started to levy fines and launch audit campaigns. Companies should take this seriously and implement strong governance of their processes to sustain ongoing GDPR operationalization.
Cécile Georges is the Chief Privacy Officer (CPO) of ADP. She leads the Global Data Privacy and Governance team, which is part of the Global Compliance organization. The team provides advice and operational guidance to all ADP business units and is responsible for the design and implementation of ADP’s enterprise-wide compliance programs in relation to the protection of personal information.
Prior to ADP, Georges was an attorney at Gide Loyrette Nouel in Paris. She joined ADP in July 1999 to set up the legal function in France. In July 2006, Georges took on the role of head of Legal for Europe and was promoted to VP, Assistant General Counsel. In July 2011, her scope was extended to the rest of Employer Services International. Georges relocated to Singapore in 2014 to become the lead lawyer for the Asia-Pacific region. She took the CPO role in December 2016. During her time with ADP, she has consistently focused on developing performance-driven teams that deliver excellent service to the businesses and ADP clients. Most recently, she has been involved in several international and domestic webinars and conferences providing expertise and thought leadership on the operationalization of the European General Data Protection Regulation, Binding Corporate Rules, and privacy compliance programs. Georges holds a Magistère (Masters) in Information Technology Law and passed the Paris Bar in 1995.