The General Data Protection Regulation or GDPR applies from 25 May 2018. This GDPR overview in questions and answers covers what you definitely should know about the GDPR’s impact: what the GDPR is, what personal data and personal data protection are under the GDPR, when the GDPR compliance deadline is, what the GDPR fines for non-compliance and breaches are, and what to do when you are not GDPR compliant in time.
Table of Contents
- What is the meaning and definition of GDPR?
- What is the GDPR and why is it here?
- Are the general data protection regulations only valid for EU organizations?
- Why did the EU replace the Data Protection Directive with the new regulation?
- What is the difference between a regulation and directive and are there more regulations and directives coming regarding personal data and privacy?
- What is the difference between the Data Protection Directive and the General Data Protection Regulation?
- What are GDPR fines?
- What is a data subject?
- What is personal data and what is sensitive data under the GDPR?
- When do I need a Data Protection Officer?
- What is the GDPR checklist?
What is the meaning and definition of GDPR?
There is no real GDPR definition. GDPR is short for General Data Protection Regulation.
Technically the General Data Protection Regulation text, as it is published in the journal on EU law and publications, is called “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC”.
However, the text of the GDPR does define the terms it uses. If you are looking for GDPR definitions of terms beyond the scope of this GDPR overview, such as personal data processing, consent, controllers and so on, Chapter 1 of the GDPR text offers these definitions in Article 4.
What is the GDPR and why is it here?
The GDPR or General Data Protection Regulation is a set of rules that aim to better protect EU citizens regarding their personal data and give them more control over their data, compared to its predecessor, the Data Protection Directive or Directive 95/46/EC.
The GDPR is designed for a single digital market in which organizations that are processing personal data of EU citizens know what they can do and what they can’t do with personal data. This way the digital economy, in which data are essential, should blossom in an increasingly data-intensive world. The GDPR offers the regulatory framework that is adapted to the reality of today’s digital world, while putting the individual EU citizen in the driver’s seat of his/her personal data.
Pretty much everything we do nowadays is driven by data and personal data are in virtually everything we do: using social media, buying online, opening a bank account, communicating via Skype, filling in forms on a website to receive promotions, getting loyalty cards from our favorite shops, visiting a physician, subscribing for a newsletter, interacting with governments, the list is endless.
Companies, called data controllers, have loads of data about us which they process, store, collect, analyze and exchange. Although few companies have all our personal data, the aggregation of our personal data can lead to very deep insights in our personal lives and privacy, with potential abuse as a consequence. The vast amount of personal data is also subject to potential breaches and personal data are often used in ways people have not explicitly agreed to.
In online advertising and social media, for example, many pieces of personal data and so-called personal data identifiers are used to track and target us across many digital platforms, for purposes for which we have not given consent or where a legal ground other than consent is relied on for the lawful processing of personal data.
Are the general data protection regulations only valid for EU organizations?
The rules and regulations in the General Data Protection Regulation protect the personal data rights of EU citizens and empower the EU citizen to be more in control over what happens with his/her data.
However, the GDPR applies to virtually all organizations which process personal data of EU citizens, regardless of where these organizations are located. This is called ‘the extra-territorial applicability of the GDPR’. In other words: organizations outside of the EU must adhere to the EU regulation’s rules when processing personal data of EU citizens (see ‘Article 3 – Territorial Scope’).
Why did the EU replace the Data Protection Directive with the new regulation?
The EU’s Data Protection Directive had existed since 1995, when people hardly used the Internet. Although additional rules have been introduced since 1995, the EU felt it was time to replace the Data Protection Directive.
In early 2012 the European Commission said that the EU needed to be more in tune with the digital era in many respects, not just personal data. At the same time it also decided the time had come to reform the existing framework of data protection rules for that exact same reason. The Data Protection Directive was key in these existing data protection rules.
Moreover, the Data Protection Directive was a directive and the General Data Protection Regulation is a regulation. On 15 December 2015 the European Parliament, European Council and European Commission reached an agreement on the new data protection rules which would become known as the GDPR and replace the Data Protection Directive.
What is the difference between a regulation and directive and are there more regulations and directives coming regarding personal data and privacy?
In EU law, EU countries must implement directives in their national laws, but they have considerable freedom in doing so.
A regulation is binding for all and leaves very little room for national interpretation (and only in areas where the regulation allows it). As directives generally are introduced in national laws in rather different ways and the EU wants one regulatory framework that applies to all actors in the digital economy, this time a regulation was chosen: the General Data Protection Regulation.
For the same reason the EU is about to replace the existing privacy rules, which have been introduced in national laws in very different ways, by a second regulation that is complementary to the GDPR: the ePrivacy Regulation, which is approved by the EU Parliament but not by the EU Commission yet. When you prepare for the GDPR you must look at the ePrivacy Regulation too. The General Data Protection Regulation is not the same as the ePrivacy Regulation, but the ePrivacy Regulation serves as a special set of rules aligned with the GDPR: its rules, its applicability, its fines and penalties and its place in the digital economy. In case of conflicts between the General Data Protection Regulation and the ePrivacy Regulation (which is still in the final stages of negotiations), in most cases the GDPR will prevail.
On 5 May 2016 a new directive concerning personal data protection also entered into force. It needs to be transposed by EU member states (as it is a directive and not a regulation) by 6 May 2018. This directive is known as Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. Its aim is to do exactly what its name indicates.
What is the difference between the Data Protection Directive and the General Data Protection Regulation?
On top of the fact that one is a directive and the other a regulation as just explained, the main differences are, among others:
- The previously mentioned extra-territorial scope: the processing of EU citizen personal data, regardless of where the processing happens.
- A broader definition of personal data with more personal data identifiers, adapted to the current digital age and the higher sensitivity – and thus need for protection – of some data categories.
- A breach notification duty with clear rules on when and how organizations need to notify the proper authorities and individuals after the detection of a breach whereby personal data are involved.
- The need to appoint a Data Protection Officer in some instances, not in all instances as is often believed. This misunderstanding stems from the first drafts of the GDPR text; a Data Protection Officer is only needed in some cases.
- Higher fines and more significant financial penalties in case an organization has a serious breach and is clearly not in compliance.
- Privacy by design and data protection by default: not as principles but as legal requirements.
The GDPR graphic below shows some of these main changes.
What are GDPR fines?
Article 83 (in Chapter 8) of the GDPR stipulates fines of up to 4 percent of the annual global turnover of an organization or up to 20 million euros, whichever of the two is higher.
This does not mean that in case of non-compliance and/or personal data security breaches organizations will have to pay these staggering amounts. They are the maximum fines.
There have already been cases of very high fines in some EU countries with the GDPR in mind, before it actually became enforceable. While it is hard to predict what the GDPR fines and penalties will be in any given case, it is clear that, as usual, everything will depend on numerous factors: the severity of the breach or of the non-compliance, the way in which data subject rights have been ignored or compromised, the level of non-compliance (with undoubtedly a look at what has been done on the level of staff awareness, risk assessments and steps to be as compliant as possible) and what has happened with the personal data.
If personal data are, for instance, internationally transferred without consent/authorization, or access to them by data subjects is systematically refused or simply ignored, the maximum GDPR fines are applied.
Although the amounts are hard to predict, the GDPR foresees clear fine mechanisms for various types of breaches and cases of not being GDPR compliant.
The GDPR, for example, doesn’t just stipulate maximum fines but also foresees lower fines (10 million euros or two percent of turnover) for several other circumstances in which organizations fail to comply. These include not reporting data breaches in the ways the GDPR foresees or ignoring the privacy by design rules. More about the administrative fines is found in Article 83. Additional note: similar fines apply to the coming, previously mentioned EU ePrivacy Regulation.
What is a data subject?
A data subject is an identified or identifiable natural person whose personal data need to be protected and get processed in the context of the GDPR.
An identified natural person is one that is singled out and, as a natural person, clearly identified without the need for further elements or identifiers. An identifiable natural person is not identified yet but can be identified, for example by combining the data with additional identifiers such as a name and address.
The protection of personal data and the GDPR apply to identified and identifiable data subjects, to their personal data and to all possible identifiers, whereby some identifying data are considered very sensitive and are protected even more strongly.
What is personal data and what is sensitive data under the GDPR?
Personal data is any information that relates to a data subject, regardless of whether the data subject is already identified in the scope of the data processing or can be identified.
Personal data include rather common data such as name, email address, place of birth, date of birth, a picture of the data subject and so forth.
Personal data also include other, less obvious data, including data and identifiers that are more typical of the digital economy. This can include an online identifier such as an IP address, location data, behavioral data acquired via modern means such as the Internet of Things (IoT) or face/voice recognition systems, cookies, RFID tags etc., but also data used in relation to an organization or government, such as an identification number.
Finally there is a category of personal data that is considered as sensitive data with additional protection needs and stipulations. These are personal data pertaining to, among others, personal health and health history, ethnicity, religious or political beliefs, social and cultural identity overall, genetic data and much more.
The GDPR also applies to pseudonymized personal data but not to anonymous data. Pseudonymization is a technique that is recommended by the GDPR.
The graphic below shows what personal data are for the GDPR, what types of sensitive data exist, what identifiers are and how it all relates with each other.
When do I need a Data Protection Officer?
A Data Protection Officer or DPO in the scope of the GDPR is only needed when an organization is a public authority (with an exception), has large-scale personal data processing activities whose main purpose is to observe data subjects, or processes specific categories of personal data at scale.
A Data Protection Officer has clearly defined duties, needs expertise in data protection law and practices, and needs to be able to work in an entirely independent way. However, there isn’t an exact ‘job description’ nor a fixed set of rules with regards to the past experience of a DPO. A Data Protection Officer can be appointed and selected in many ways: he or she can be internal to the organization (only if there are no conflicts of interest or issues with regards to the ability to work independently) and can even be ‘shared’ by several organizations.
The exact duties, role and skillset of the Data Protection Officer are covered in far more detail than in this GDPR overview on the dedicated page. The infographic summarizes when a Data Protection Officer is required by the GDPR.
What is the GDPR checklist?
A GDPR checklist is a list of things your organization needs to do in order to be GDPR compliant. However, there is no universally valid GDPR checklist (which you can also see as a GDPR to-do list).
As each organization is different, has different goals and activities, processes different types of personal data and has its own ways of working, processes and challenges, a GDPR checklist is made in collaboration between a cross-departmental team and the external consultants and advisors which are often needed to become GDPR compliant. That team should make sure that all GDPR risks are listed, all GDPR protection mechanisms are in place and the organization knows at all times where personal data sit and how consent was obtained.
What is universal, however, is that all GDPR checklists should include the steps to reach the aforementioned goals. A checklist should include important duties such as GDPR staff awareness training, and having one means you have an actionable plan and thus have done your GDPR homework. Such a GDPR plan is the result of conducting a risk analysis: listing all the GDPR risks with regards to current personal data processing and protection practices against the backdrop of the organization’s duties in the scope of GDPR compliance, knowing what the issues to solve are, listing how they will be tackled and defining the priorities among the tasks on the GDPR checklist. You can’t do everything at the same time: some risks are higher than others, and some types of personal data and data processing activities are more essential than others. Risk should be approached from the data subject risk perspective, but you might also want to take into account the GDPR fines and penalties. With a GDPR awareness program and a GDPR action plan with a GDPR checklist or ‘to do’ list, an organization demonstrates it has taken some steps in the direction of GDPR compliance, which is essential.