Are you aware of the important deadline of 25 May 2018 that is looming? “What deadline is that?”, you may ask. It is the deadline to comply with the EU General Data Protection Regulation (GDPR). (The official name is ‘REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC’.) It came into effect on 25 May 2016 and provided a two-year transition period to comply with its requirements. It therefore becomes enforceable on 25 May 2018. And that is important because non-compliance with the GDPR can lead to severe penalties of up to 4% of worldwide turnover, or 20 million EUR, whichever is higher! In this two-part article, we’ll have a closer look at the GDPR.
So, what is the GDPR? As the name says, it is an EU regulation, which means it becomes directly enforceable and does not require any legislation at the national level. Its primary purpose is to protect the personal data of private citizens and residents, and to give them more control over those personal data. It also aims to simplify and unify the regulatory environment for national and international businesses, by creating one set of rules that applies throughout the EU. (To that end, each member state of the EU must create an independent Supervisory Authority to hear and investigate complaints, sanction administrative offences, etc.; these Supervisory Authorities can also organize joint operations.) The GDPR replaces the 1995 Data Protection Directive, which was conceived before the Internet era, was hopelessly outdated, and was not suited to deal with the changes the Internet has brought.
The GDPR has far-reaching effects and is already having an impact on the legal market. To comply with the new regulation, a lot of the existing software that companies are using has to be modified. This is obviously the case for CRM software, but it also affects, e.g., eDiscovery software, document management software, etc. The GDPR has also led to entirely new ranges of services and products, which, given the scope and scale of the GDPR, makes sense. There are apps to test one’s knowledge of the GDPR and one’s compliance or readiness with regard to it. There are intelligent checklists and other AI solutions that can review the data you are keeping. There are already AI solutions that can review your contracts. There are online reviews and tests as well, including quite detailed online interviews, to check whether you are complying with the GDPR.
The GDPR also provides new opportunities for lawyers. Some law firms already are assisting their clients by checking whether they are GDPR compliant and by making recommendations if they are not.
So, with the deadline only months away, how well prepared are we for the GDPR? Not very well, it seems. Research by the UK Government revealed that in January 2018, only four months before the GDPR becomes enforceable, less than half of businesses in the UK were aware of the upcoming data protection laws, or of what the new legislation means for how information security is handled. In other words, the majority of UK businesses are not yet compliant. The situation is worst in the construction and manufacturing sectors, where only one in four businesses is aware of the GDPR. The finance and insurance sectors are said to have the highest awareness of the legislation.
And what about law firms? Research published three months ago revealed that at the time, three quarters of law firms were still unprepared for the GDPR, potentially opening them up to large penalties.
Let us now have a closer look at the GDPR itself and start with the scope. Question 1: what does it deal with? The regulation applies to ‘personal data’. The European Commission defined ‘personal data’ as ‘any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.’
Question 2: Who does it apply to? The regulation applies if any of the following conditions are met: the data controller (an organization that collects data from EU residents), the data processor (an organization that processes data on behalf of a data controller, e.g. cloud service providers), or the data subject (the person the data relate to) is based in the EU. In other words, the regulation also explicitly applies to organizations based outside the European Union if they collect or process personal data of EU residents. There are exceptions for personal data that are processed within the EU for national security and law enforcement purposes.
Data can only be processed if there is at least one lawful basis to do so. The lawful bases for processing data are:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes. This consent must be explicit as to the data collected and the purposes for which the data are used.
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- processing is necessary for compliance with a legal obligation to which the controller is subject.
- processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Anybody processing personal data must keep records of the processing activities. These records must include the purpose of the processing, the categories involved, and the envisaged time limits, and must be made available to the Supervisory Authority upon request.
The regulation also requires ‘data protection by design and by default’. This means that the development of the business processes for products and services must be explicitly designed to take the protection of personal data into account, and that the default settings must be chosen so as to give personal data the highest level of protection. (There are other requirements, such as pseudonymisation, which are beyond the scope of this article.)
To be continued: in part two of the article, we’ll have a closer look at the digital rights EU residents are granted under the GDPR.