Disclaimer – We are not providing any legal advice or consultation pertaining to GDPR or other compliance issues. Please consult with your legal teams and resources to ensure they are aware of their obligations under applicable regulations.
GDPR (General Data Protection Regulation) is set to replace the DPD (Data Protection Directive 95/46/EC). It was approved and adopted by the EU Parliament in April 2016 and it becomes applicable and enforceable in all EU Member States on May 25, 2018.
Any organisation dealing with EU individuals must process personal data in compliance with the GDPR.
The aim of GDPR is to harmonise privacy laws across Europe and protect all EU citizens. As you can probably guess, this imposes new rules on companies, government agencies, non-profits and other organisations that offer goods and services to people in the EU, or that collect and analyse data tied to EU residents. GDPR applies regardless of where the data-collecting company is located: if a company is located outside the EU but collects and analyses data from companies and individuals within the EU, GDPR still applies.
GDPR applies to ‘Controllers’ and ‘Processors’. The controller decides how and why personal data is processed, and the processor acts on the controller’s behalf. The GDPR places specific legal obligations on the processor: it must maintain records of personal data and processing activities, and it carries significantly more legal liability if it is responsible for a breach. These obligations for processors are a new requirement under the GDPR; however, being a controller does not relieve you of obligations. GDPR places further obligations on controllers to ensure that their contracts with processors comply. A data controller must process personal data in compliance with the GDPR and must ensure that any third-party data processors have implemented the technical and organisational requirements of the GDPR. Companies found not to comply with the new regulation will be subject to significant fines.
The maximum fine can be imposed for the most serious infringements, e.g. not having sufficient customer consent to process data, or violating the core of the privacy-by-design concepts. Fines follow a tiered approach: for example, a company can be fined 2% for not having its records in order, for not notifying the supervising authority and the data subject about a breach, or for not conducting an impact assessment.