The following FREQUENTLY ASKED QUESTIONS provide general information and are NOT LEGAL ADVICE.
What is the GDPR?
In April 2016, the European Union (EU) adopted the General Data Protection Regulation (GDPR) to harmonize data privacy laws across Europe, to protect and empower the data privacy of all individuals in the EU, and to reshape the way organizations across the region approach data privacy. Any organization that processes or handles the personal data of EU residents was required to comply with the GDPR by May 25, 2018, the date on which the regulation became enforceable.
To what companies does the GDPR apply?
The GDPR applies to any organization that processes or holds the personal data of EU residents, regardless of where the organization is located. It therefore also applies to organizations established outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects.
What are the penalties for non-compliance?
Fines are tiered. For the most serious infringements (e.g., processing personal data without a valid legal basis such as sufficient consent, or violating the core Privacy by Design principles), organizations can be fined up to €20 million or 4% of annual global turnover, whichever is higher.
For the lower tier (e.g., not keeping processing records in order, not notifying the supervisory authority and affected data subjects about a breach, or not conducting a required data protection impact assessment), the maximum is €10 million or 2% of annual global turnover, whichever is higher. These rules apply to both controllers and processors, meaning cloud service providers are not exempt from GDPR enforcement.
What is "personal data" under the GDPR?
"Personal data" is any information relating to an identified or identifiable natural person (the "data subject"), that is, any information that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, or medical information to an IP address.
What is the difference between a data "processor" and a data "controller"?
A controller is the entity that determines the purposes, conditions and means of the processing of personal data; a processor is an entity that processes personal data on behalf of the controller.
What are the GDPR requirements for users' consent?
Unambiguous Consent. Where processing relies on consent as its legal basis, that consent must be unambiguous: the request for consent must be presented in an intelligible and easily accessible form, using clear and plain language, clearly distinguishable from other matters (such as general terms and conditions), and must state the purpose of the data processing. Long, illegible terms of service full of legalese do not meet this standard. It must be as easy to withdraw consent as it is to give it.
Explicit Consent Required for Sensitive Personal Data. Explicit consent is required for processing special categories of personal data (for example, health data, racial or ethnic origin, or biometric data), meaning nothing short of an affirmative "opt in" will suffice.
When must a Data Protection Officer (DPO) be appointed?
DPO appointment is mandatory for public authorities and bodies, and for controllers and processors whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data or data relating to criminal convictions and offenses.
What regulations apply to DPOs?
Under the GDPR,
- The controller must consider a potential DPO's professional qualities and, in particular, expert knowledge about data protection law and practices
- A DPO may either be a controller's employee or an external service provider
- The controller must provide the DPO with appropriate resources to carry out their tasks and maintain their expert knowledge
- The DPO must report directly to the highest level of the controller's management
- The DPO cannot carry out any other tasks that could result in a conflict of interest.
What notice does the GDPR require in the event of a data breach?
A personal data breach that is likely to result in a risk to the rights and freedoms of individuals must be reported to the competent supervisory authority (the data protection authority, or DPA) without undue delay and, where feasible, within 72 hours of the controller first becoming aware of the breach. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be notified without undue delay.
This notification duty applies in all member states. Data processors are required to notify their customers, the controllers, "without undue delay" after first becoming aware of a data breach, so that the controller can meet its own 72-hour deadline.
What rights do EU data subjects have under the GDPR?
- Right to Access. Data subjects have the right to obtain from the data controller:
  - confirmation as to whether or not personal data concerning them is being processed, where, and for what purpose, and
  - a copy of the personal data, provided free of charge in an electronic format.
- Right to be Forgotten (aka Data Erasure). A data subject has the right to have the data controller erase his or her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data, subject to conditions including:
  - the data are no longer relevant to the original purposes for which they were processed, or
  - the data subject has withdrawn consent.
When considering a request for data erasure, a controller must weigh the data subject's rights against "the public interest in the availability of the data."
What is the GDPR's "privacy by design" requirement?
The GDPR (Article 25, "data protection by design and by default") provides: The controller shall...implement appropriate technical and organisational measures...in an effective way...to meet the requirements of this Regulation and protect the rights of data subjects. Controllers may hold and process only the data strictly necessary for the completion of their duties (data minimization) and must limit access to personal data to those persons who need it to accomplish the processing objectives.