The General Data Protection Regulation (“GDPR”) is a European regulation applicable since May 25, 2018. It replaces Directive 95/46/EC with the aim of strengthening the protection of individuals’ personal information.
What is the purpose of the GDPR?
With the rise of new technologies and the very high volume of data collected every day, it has become very easy for any organisation to track and analyse the behaviour of individuals or to reconstruct their past (e.g. via social network profiles).
The Regulation aims to address the increased risk of disproportionate and/or unauthorised intrusion into the private sphere of individuals.
To do so, it applies the data protection principles (see here) more strictly, gives individuals more control over their data and makes organisations processing personal data more accountable.
When does the GDPR apply?
The GDPR covers processing operations taking place within the European Union and, subject to certain conditions, outside it (see here).
Provided the processing operations meet the foregoing conditions, the GDPR applies when a legal or natural person processes personal data.
Concretely, it applies when a person uses data for any purpose (e.g. profiling, monitoring, marketing, HR, etc.) to the extent that the data can directly or indirectly identify the individuals concerned.
If this person does so for its own purposes, it will be acting as a controller; if it processes data on another person’s behalf, it will be acting as a processor. Depending on their roles, each of these parties will bear more or fewer responsibilities (see here for more details about the distinction).
What is personal data?
The GDPR construes personal data very widely: personal data is any information that makes it possible to directly or indirectly identify a natural person. It includes pseudonymised data, which remains personal data as long as the person can be re-identified (e.g. by whoever holds the mapping key); only data that has been anonymised so that the person is definitively no longer identifiable falls outside the definition.
We may, therefore, consider that as soon as a controller has enough information to identify an individual, any information it holds about this person (including inferred information) is personal data (e.g. name, eye colour, interests, comments, photos, lifestyle habits, visiting time, emails, history, financial transactions, friends/networks, analysis, etc.).
What to do if the GDPR applies?
It all depends on whether the person processing the data is a controller or a processor. In a few words, the controller bears most responsibilities, while the processor is mainly subject to obligations of cooperation and of ensuring the security of the data (see controllers’ and processors’ obligations and responsibilities under the GDPR).
Their respective obligations aim to apply the data protection principles: any processing activity must comply with the principles of transparency, fairness, purpose limitation, proportionality, accuracy, security, etc. (see here for more details).
What has the GDPR changed?
The GDPR aims to bring a more consistent application of the rules across the European Union and to allow for more cooperation between the authorities.
Unlike Directive 95/46/EC, the GDPR, as a regulation, applies directly in each Member State without needing to be transposed into national law. However, since some areas remain specific to each Member State (e.g. HR, health, freedom of expression), Member States have enacted national data protection laws to fill the gaps where necessary.
More cooperation between the authorities
The GDPR provides for the creation of the European Data Protection Board (EDPB) bringing together the supervisory authorities of each Member State.
They must cooperate through a consistency mechanism to ensure a uniform application of the Regulation.
Besides, where cross-border processing is concerned, the one-stop-shop mechanism provides for a lead supervisory authority (that of the controller’s main establishment in the EU) acting as its single point of contact and empowered to issue sanctions.
GDPR applies outside of the EU
The GDPR may apply to organisations not established within the European Union if they meet certain conditions (see “Does GDPR apply to your business?“). The extra-territorial reach of the GDPR aims to ensure that European standards apply to non-EU organisations processing the personal data of individuals in the EU.
More accountability
Controllers must no longer notify the authorities of their processing activities but, in return, they must be able to demonstrate their compliance with the Regulation. This entails new obligations for controllers (see here) and processors (see here). Controllers must, in particular, comply with the principles of data protection by design and by default, conduct data protection impact assessments (DPIAs) when the processing is likely to result in a high risk to the rights and freedoms of data subjects, and be prepared to notify personal data breaches to the supervisory authority within 72 hours of becoming aware of them (unless the breach is unlikely to result in a risk to individuals).
The conditions for valid consent are more restrictive
Consent under the GDPR must be freely given, specific, informed and unambiguous, and expressed by a statement or a clear affirmative action: silence, pre-ticked boxes or inactivity do not count. This requirement of an unambiguous, affirmative indication is the main tightening and involves a more restrictive approach when it comes to obtaining valid consent (see here for more details about consent).
More transparency and more control of individuals over their data
Controllers must provide more detailed privacy notices (see here) to individuals (e.g. data retention period, means of transfer, etc.).
Besides, individuals have strengthened rights over their data (e.g. the right to data portability, the right to erasure/to be forgotten, the right to withdraw consent at any time, etc.) (see here for an overview of individuals’ rights).
The maximum amount of administrative fines has increased from less than €1 million under national law in 2016 to up to either 4% of the offender’s total worldwide annual turnover or €20 million, whichever is higher. This should encourage any organisation to take privacy seriously.