General Data Protection Regulation
- In May 2018, the European Union will introduce a new data protection regulation known as the EU General Data Protection Regulation (GDPR).
The Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, was adopted by the Council and the European Parliament on 27 April 2016. It will be applicable as of 25 May 2018, in all member countries of the European Union, repealing Directive 95/46/CE.
- The General Data Protection Regulation aims to harmonise the objectives and principles of data protection, so that differing interpretations by member countries cannot fragment the implementation of data protection in the Union.
The objective is to strengthen people’s rights, to increase companies’ responsibility by developing self-monitoring and to increase the pressure to observe the rules by toughening sanctions.
- The GDPR affects practically all organisations (including private companies and public authorities). Indeed, it applies to all organisations that collect or process personal data concerning European Union residents, i.e. 99% of European organisations as well as a considerable number of organisations outside the E.U. (companies such as major web players).
The key changes concern the following points:
- Enhanced rights for residents of the European Union. The GDPR provides broader rights for individuals from the European Union, including deletion (the right to be forgotten), restriction of processing and the portability of data.
- Compliance obligations. The GDPR requires that organisations implement appropriate policies and security protocols; carry out privacy impact studies; maintain and store a register of processing operations containing detailed records of the processing performed using personal data and obtain written consent from the owners of the data.
- Notification obligations concerning data leakage. The GDPR requires organisations to notify the data protection authorities of any incidents concerning personal data and, in certain circumstances, to inform them of the nature of the data concerned.
- New requirements concerning personal “profiling”. The GDPR introduces additional obligations for organisations which use profiling techniques or other techniques for monitoring individual behaviour.
- Data localisation. If the organisation wishes to store personal data outside the European Union, the GDPR allows this, subject to the signature of Binding Corporate Rules (BCR).
- Penalties. Under the terms of the GDPR, the penalties applied by the authorities for non-compliance with the obligations can total up to 20 million euros or 4% of a company’s annual global turnover (whichever of the two thresholds is higher). The amount is calculated according to the seriousness of the infraction and its consequences.
- Centralisation. The GDPR provides the central framework for organisations operating in several member states, requiring companies to establish a main supervisory authority for cross-border data matters.
- Personal data is any information concerning a natural person who is identified or identifiable, directly or indirectly, by reference to an identification number or to one or more factors specific to that person (name, photograph, e-mail, address, IP address, telephone number, date of birth, etc.).