What is GDPR? The General Data Protection Regulation (GDPR) overview

The General Data Protection Regulation or GDPR applies from 25 May 2018. What you definitely should know about the GDPR’s impact – your GDPR overview in questions and answers: from what is the GDPR to what are personal data for the GDPR, when is the GDPR deadline for compliance and what to do when not GDPR compliant in time. 

GDPR

What is the meaning and definition of GDPR?

There is no real GDPR definition. GDPR is short for General Data Protection Regulation.

Technically the General Data Protection Regulation text, as it is published in the journal on EU law and publications, is called “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”.

However, there are several GDPR definitions in the text of the GDPR for the terms it uses. If you are looking for GDPR definitions for terms (under the GDPR) such as processing, consent, controllers and so on, Chapter 1 of the GDPR text offers these definitions in Article 4.

What is the GDPR and why is it here?

The GDPR or General Data Protection Regulation is a set of rules that aim to better protect EU citizens regarding their personal data and give them more control over their data, compared to its predecessor, the Data Protection Directive or Directive 95/46/EC.

The GDPR is designed for a single digital market in which organizations that are processing personal data of EU citizens know what they can do and what they can’t do with personal data. This way the digital economy, in which data are essential, should blossom in an increasingly data-intensive world. The GDPR offers the regulatory framework that is adapted to the reality of today’s digital world, while putting the individual EU citizen in the driver’s seat of his/her personal data.

Pretty much everything we do nowadays is driven by data and personal data are in virtually everything we do: using social media, buying online, opening a bank account, communicating via Skype, filling in forms on a website to receive promotions, getting loyalty cards from our favorite shops, visiting a physician, subscribing for a newsletter, interacting with governments, the list is endless.

Companies have loads of data about us which they process, store, collect, analyze and exchange. Although few companies have all our personal data, the aggregation of our personal data can lead to very deep insights in our personal lives and privacy, with potential abuse as a consequence. The vast amount of personal data is also subject to potential breaches and personal data are often used in ways people have not explicitly agreed to.

In online advertising and social media, for example, a lot of pieces of personal data and so-called personal data identifiers are used to track and target us across many digital platforms and for purposes we haven’t given consent for.

Are the general data protection regulations only valid for EU organizations?

The rules and regulations in the General Data protection Regulation protect the personal data rights of EU citizens and empower the EU citizen to be more in control over what happens with his/her data.

However, GDPR applies to virtually all organizations which process personal data of EU citizens, regardless of where these organizations are located. This is called ‘the extra-territorial applicability of the GDPR’. In other words: organizations outside of the EU must adhere to the EU regulation’s rules when processing personal data of EU citizens (see ‘Article 3 – Territorial Scope‘)

GDPR Territorial scope- subjects controllers and processors - when GDPR applies
GDPR overview of territorial scope, when GDPR applies and what is the GDPR definition of data subjects, data controllers and data processors

Why did the EU replace the Data Protection Directive with the new regulation?

The EU’s Data Protection Directive already existed since 1995. In 1995 people hardly used the Internet. Although there have been additional rules since 1995, the EU felt it was time to replace the Data Protection Directive.

Early 2012 the European Commission said that the EU needed to be more in tune with the digital era in many perspectives, not just personal data. At the same time it also decided the time had come to reform the existing framework of data protection rules for that exact same reason. The Data Protection Directive was key in these existing data protection rules.

Moreover, the Data Protection Directive was a directive and the General Data Protection Regulation is a regulation. On 15 December 2015 the European Parliament, European Council and European Commission reached an agreement on the new data protection rules which would become known as the GDPR and replace the Data Protection Directive.

What is the difference between a regulation and directive and are there more regulations and directives coming regarding personal data and privacy?

In EU law, EU countries must implement directives in their national laws but they have quite some freedom in doing so.

A regulation is binding for all and leaves very little room for national interpretation (and only in areas where regulation allows it). As directives generally are introduced in national laws in rather different ways and the EU wants one regulatory framework that applies to all actors in the digital economy this time a regulation was chosen: the General Data Protection Regulation.

For the same reason the EU is about to replace existing privacy rules, which have really been introduced in national laws in very different ways, by a second regulation that is complementary to the GDPR: the ePrivacy Regulation, which is approved by the EU Parliament but not by the EU Commission yet. However, when you prepare for GDPR you must look at the ePrivacy Regulation too. The General Data Protection Regulation is not the same as the ePrivacy Regulation but the ePrivacy Regulation serves as a special set of rules to be in line with the GDPR, its rules, its applicability, its fines and penalties and its place in the digital economy. In case of conflicts between the General Data Protection Regulation and ePrivacy Regulation (which is still in the final stages of negotiations) in most cases the GDPR will prevail.

On 5 May 2016 there is also a new directive that entered into force and concerns personal data protection. It needs to be transposed by EU member states (as it is a directive and not a regulation) by 6 May 2018. This directive is known as Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. Its aim is to do exactly what its name indicates.

ePrivacy Regulation

What is the difference between the Data Protection Directive and the General Data Protection Regulation?

On top of the fact that one is a directive and the other a regulation as just explained, the main differences are, among others:

  • The previously mentioned extra-territorial scope: the processing of EU citizen personal data, regardless of where the processing happens.
  • A broader definition of personal data with more personal data identifiers, adapted to the current digital age and the higher sensitivity – and thus need for protection – of some data categories.
  • A breach notification duty with clear rules on when and how organizations need to notify the proper authorities and individuals after the detection of a breach whereby personal data are involved.
  • The need to appoint a Data Protection Officer in some instances. Not in all instances as is often believed. This misunderstanding is due to the first drafts of the GDPR text. A Data Protection Officer is only needed in some cases.
  • Higher fines and more significant financial penalties in case an organization has a serious breach and is clearly not in compliance.
  • A clear and vast focus on the duty to obtain consent from the EU citizen or data subject, including the duty to clearly explain the purpose for which consent is given in a simple and clear way and additional rights for data subjects regarding both consent and personal data overall.
  • Privacy by design and data protection by default: not as principles but as legal requirements.

The GDPR graphic below shows some of these main changes.

EU General Data Protection Regulation - summary of some key GDPR changes - attention - read the details
GDPR overview of new regulations in the General Data Protection Regulation as compared to the previes Data Protection Directive

What is GDPR compliance?

GDPR compliance means that an organization adheres to the rules of the GDPR and is capable of meeting the data subject rights and organizational duties which are stipulated in it. When people speak about GDPR compliance they often mean that personal data breach risk protection measures and all the other risks and rules to comply with are perfectly covered.

However, there is no perfect security or protection in the digital age where sometimes hackers even outsmart security companies, hacks are sometimes organized by criminal groups and there are even state-sponsored attacks. With data and technology being so important some countries use technology for cyber warfare.

Moreover, data can never be 200% perfectly protected and there are myriad other reasons why breaches and non-compliance could occur with people being the weakest link. Even if you take all possible precautions one of your workers could make a mistake and, for example, have his laptop stolen.

Therefore, organizations must be able to prove they did and continue to do (also after the date when GDPR applies) everything they can to be as compliant as possible. This includes knowing where personal data sits in the organization, making sure (and being able to prove) that consent is given under the legal conditions foreseen in the GDPR, being able to protect the obtained, processed, stored and – under specific conditions – shared personal data against breaches, abuse and misuse and being able to respond to the requests and rights of data subjects. If any of these abilities are not in place, the fines and penalties can be high.

The very first step towards GDPR compliance is GDPR awareness.

GDPR awareness

What are GDPR fines and penalties?

The GDPR stipulates GDPR fines up to 4 percent of the annual global turnover of an organization or up to 20 million Euros, with the additional stipulation that the highest of both is chosen in Article 83 of Chapter 8.

This does not mean that in case of non-compliance and/or personal data security breaches organizations will have to pay these staggering amounts. They are the maximum fines.

There have already been cases of very high fines in some EU countries with the GDPR in mind, before it actually became enforceable. While it is hard to predict what the GDPR fines and penalties will be in any given case, it is clear that as usual everything will depend on numerous factors such as the severity of the breach or not being compliant, the way in which data subject rights have been ignored or compromised, the level of non-compliance (with undoubtedly a look at what has been done on the level of staff awareness, risk assessments and steps to be as compliant as possible) and what has happened with the personal data.

If they are, for instance, internationally transferred without consent/authorization or access to them by data subjects is systematically refused or simply ignored, maximum GDPR fines are applied.

Although hard to predict the GDPR foresees clear fine mechanisms for various types of breaches and cases of not being GDPR compliant.

The GDPR, for example, doesn’t just stipulate maximum fines also foresees lower fines (10 million euros or two percent of turnover) for several other circumstances in which organizations fail to comply. These include not reporting data breaches in the ways the GDPR foresees or ignoring the privacy by design rules. More about the administrative fines in Article 83.

Additional note: similar fines apply to the coming, previously mentioned EU ePrivacy Regulation.

What is consent under the GDPR?

Consent means that data subjects have clearly given permission for the use of specific personal data with a clear purpose. This means, among others, the end of long and hard to understand policies with the giving of consent and purpose of consent hidden in a language only lawyers understand.

Moreover, there is an additional duty to prove consent was given when asked, data subjects can request access to their personal data and know what they are used for, they can revoke consent and have the right of data erasure (right to be forgotten), there are data portability rights and special protection and consent rules apply for children under the age of 16.

These consent rules and consent in general are essential in the GDPR and they have a major impact on how organizations need to organize themselves to be GDPR compliant. If a data subject has these rights it means organizations need to be able to respond to them and have all the mechanisms in place. Also, when an organization is controlled for GDPR compliance, it needs to be able to prove that consent was given and the several mechanisms to respond to data subject requests within the scope of their rights need to be in place and function. If this isn’t the case fines and penalties are the consequence.

What is a data subject?

A data subject is an identified or identifiable natural person whose personal data need to be protected and get processed in the context of the GDPR.

An identified natural person is one that is singled out and as a natural person clearly identified without the need for further elements or identifiers. An identifiable natural person is not identified yet but can be identified. This can be done in relationship with additional identifiers such as a name and address.

The more personal data and identifiers are combined and aggregated the more substantial the personal data - the GDPR includes several online identifiers as well - learn more about them all here
The more personal data and identifiers are combined and aggregated the more substantial the personal data – the GDPR includes several online identifiers as well – learn more about them all here

The protection of personal data and the GDPR apply to identified and identifiable data subjects and to their personal data as well as all possible identifiers whereby some identifying data are considered very sensitive and are even more protected.

GDPR data protection: the data subject, personal data and identifiers explained

What is personal data and what is sensitive data under the GDPR?

Personal data is any information that relates to a data subject, regardless of whether the data subject is identified in the scope data processing or can be identified.

Personal data include rather common data such as name, email address, place of birth, date of birth, a picture of the data subject and so forth.

Personal data also include other, less obvious data, including data and identifiers that are more typical to the digital economy. This can include an online identifier such as an IP address, location data, behavioral data acquired via modern means such as the Internet of Things (IoT) or face/voice recognition systems, cookies, RFID tags etc. but also data used in relationship with an organization or government such as an identification number.

Finally there is a category of personal data that is considered as sensitive data with additional protection needs and stipulations. These are personal data pertaining to, among others, health and health history, ethnicity, religious or political beliefs, social and cultural identity overall, genetic data and much more.

The GDPR also applies to pseudonymized personal data but not to anonymous data.

The graphic below shows what personal data are for the GDPR, what types of sensitive data exist, what identifiers are and how it all relates with each other.

The GDPR is very stringent about healthcare data - more here
GDRP definitions of data subject, personal data, identifiability and overview of personal data types and identifiers including sensitive data

When do I need a Data Protection Officer?

A Data Protection Officer or DPO in the scope of the GDPR is only needed in case an organization is a public authority (with an exception), has personal data processing activities on a large scale whereby the main scope is to observe data subjects and in organizations processing data of specific categories of data at scale.

A Data Protection Officer has clearly defined duties and needs to be experienced on the level of data protection law and practices and needs to be able to work in an entirely independent way. However, there isn’t an exact ‘job description’ nor a fixed set of rules with regards to the past experience of a DPO. A Data Protection Officer can be appointed and selected in many ways: he or she can be internal to the organization (internal only if there are no conflicts of interests and issues with regards to the ability to work independently) and can even be ‘shared’ by several organizations.

For the exact duties and role, as well as the skillset of the Data Protection Officer click the button below. The infographic summarizes when a Data Protection Officer is required by the GDPR.

GDPR compliance - when do you need a data protection officer and what are the duties tasks and skillsets of the DPO
When does GDPR require a data protection officer and what are the duties tasks and skillsets of the DPO

When does GDPR apply and what is the GDPR deadline for compliance?

The General Data Protection Regulation has been adopted by the EU Council on 8 April 2016 and adopted by the European Parliament on 14 April 2016. The official texts are available since 4 May 2016. Since that data the GDPR text can also be consulted in 24 official languages.

The GDPR already entered into force in fact but it applies as from 25 May 2018. The GDPR deadline for compliance is 25 May 2018 as well.

While the General Data Protection Regulation already entered into force it will apply from 25 May 2018 which means the official GDPR deadline for compliance is also on 25 May 2018
While the General Data Protection Regulation already entered into force, GDPR applies from May 25th, 2018, which means the official GDPR deadline for compliance is also on 25 May 2018

What if an organization is not GDPR compliant by the GDPR compliance deadline?

Unfortunately, despite being officially published two years ahead of the deadline as of end 2017 a large number of organizations is far from close to being compliant with GDPR.

Some expect that efforts are to be stepped up early 2018 when new budgets are available but, even then, getting GDPR compliant by the data the Regulation applies, many will not be ready.

While it is certain that there will be cases of severe fines to set an example it is also certain that organizations need to continue – and in some cases even start – with efforts to get as compliant as possible and to continue doing so after 25 May 2018. Ideally, this starts with a stage of GDPR awareness in a broader plan. As fines and stipulations of the GDPR are related with the risks from the data subject perspective and a focus on particular categories and usages of personal data, among others in industries where many personal data are processes, it is important to start from the viewpoints of risks and have a clear plan of action with documented steps. A risk analysis is key, as is a strategy and staff awareness. The GDPR also starts from the risk and data subject perspective.

The crucial role of GDPR awareness in GDPR compliance
GDPR compliance starts with GDPR awareness

Some organizations prefer to insure themselves but even then working towards compliance is important as you don’t want to be that company that is known to its customers and the world as being totally not GDPR compliant, let alone suffering from a breach with an additional clear lack of understanding of and focus on personal data protection, which is as much about leadership, culture, people, processes and respect as it is about security, information management and other technological ways to work towards compliance.

The GDPR compliance readiness disconnect

What is the GDPR checklist?

A GDPR checklist is a list of things your organization needs to do in order to be GDPR compliant. However, there is no universally valid GDPR checklist which you can also see as a GDPR to do list.

As each organization is different, has different goals and activities, processes different types of personal data and has its’ own ways of working and own processes and challenges, a GDPR checklist is made in collaboration between the cross-departmental team that should make sure that all GDPR risks are listed, all GDPR protection mechanisms are in place and at all times the organization knows where personal data sits and how consent was obtained and the external consultants and advisors which are often needed to become GDPR compliant.

However, what is universal is that all GDPR checklists should include the steps to reach the before mentioned goals. It should include important duties such as GDPR staff awareness training and it also means you have an actionable plan and thus conducted your GDPR homework. Such a GDPR plan is the result of conducting a risk analysis, listing all the GDPR risks with regards to current personal data processing and protection practices against the backdrop of the organization’s duties in the scope of GDPR compliance, knowing what the issues to solve are, listing how they will be tackled and defining the priorities in the different tasks to complete on the GDPR checklist as you can’t do everything at the same time and some risks are higher than others and some types of personal data and data processing activities are more essential than others. Risk should be approached from the data subject risk perspective but you might also want to take into account the GDPR fines and penalties. Along with a GDPR awareness program and a GDPR action plan with a GDPR checklist or ‘to do’ list an organization demonstrates it has taken some steps in the direction of GDPR compliance which is essential.

Where can you find the full GDPR text?

The full GDPR text as published on 4 May 2016 and officially called “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)” is available in 24 languages in PDF and in HTML here.

An English version of the GDPR text is also embedded below. For more information on the GDPR and answers to questions such as when the GDPR applies, what is a data controller, what is a data processer, what is the role of security in GDPR, what is the role of information management and more check out our GDPR guide.

GDPR compliance: strategic business strategy and information management

 

 

 

  • GDPR overview graphics by i-SCOOP
  • GDPR stock images via ShutterStock
    • Top GDPR EU flag image: Shutterstock – Copyright: a_Jarm 
    • GDPR smartphone image: Shutterstock – Copyright: Pe3k 
    • GDPR alarm clock image: Shutterstock – Copyright: Carlos Amarillo 
    • Awareness image: Shutterstock – Copyright: Kunst Bilder