The requirements around this new regulation and who it will apply to
The General Data Protection Regulation or GDPR is the new data protection legislation enacted by the European Union that will come into effect on May 25, 2018.
This is a very important regulation, not only for European residents but for everyone around the world. The main reason is that it is the first privacy and data protection regulation that makes individuals' rights and freedoms the top priority.
It also unifies all the different regulations under one rule. The EU data protection directive from 1995 is replaced by the GDPR and all EU members will follow this one regulation instead.
From a business perspective, it becomes more efficient to follow a single set of rules instead of ensuring compliance with 28 different flavours. From an individual perspective, EU residents' rights to protect their own personal data are definitely strengthened.
GDPR has operational, technological, and legal requirements in line with the privacy management pillars we have discussed in the past.
The GDPR articles are specific with regard to what is expected of organizations that collect and manage personal data, although there are arguments that some of these articles are open to interpretation.
In general, the key articles for which organizations need to have policies, processes and technology in place can be summarized as follows:
- Articles 1-4 establish the foundation for the regulation: its objectives and its scope.
- Articles 5-11 focus on the processing of personal data. They set the expectations around what is considered lawful processing, under what circumstances consent is required, what are considered special categories of personal data and what the requirements are to process such categories.
- Articles 12-23 define data subjects' (i.e. individual EU residents') rights to their personal data. They set the rules around transparency and ease of understanding of how personal data is processed, and the specific rights that individuals have, such as access, deletion, portability, rectification, objection and others.
- Articles 24-43 refer to the roles that data controllers and processors must play. These articles include guidelines around responsibilities and where accountability lies. They also determine specific policies and processes to implement, such as Data Protection Impact Assessments (DPIAs), what to do when a DPIA identifies high risk, when a Data Protection Officer (DPO) is required, what the DPO role should look like, how and when to notify the Supervisory Authorities of a breach and the code of conduct to follow.
- Articles 44-50 dictate how international data transfers may occur. These articles expect organizations to justify their need to transfer personal data outside of the EU and they are expected to ensure that any international data transfer happens on the basis of adequacy, appropriate safeguards or binding corporate rules.
- Articles 51-59 identify the roles and responsibilities of the Supervisory Authorities (SAs), how they will interact with organizations and with each other.
- Articles 60-99 are the remaining chapters, which discuss how all the different authorities (i.e. SAs and the European Data Protection Board) will interact, how they will manage warnings, sanctions and penalties for organizations that are not in compliance, and specific situations for processing.
Will these regulations apply to you?
If you are a business that is not headquartered in the EU, how will you know whether you need to comply with these regulations? The answer is easy. If you fall under one of these three categories, you will have to comply:
- If you have any physical presence in the EU (even if it is a small sales and marketing office).
- If you don’t have a physical presence but you offer products or services to EU residents.
- If you don’t offer products or services but you monitor EU residents' online behaviour.
What happens next?
If you satisfy any of the three criteria described above and you determine that you need to comply, make sure to read our next instalment where we will discuss how to get started on the path to GDPR compliance. If you cannot wait for the next instalment, make sure to contact us and we will help you take the first step towards compliance.