A Complete Guide to GDPR
Behind the acronym GDPR lies a regulation that has become essential in the all-digital age. The GDPR is the legal framework surrounding the sensitive issue of protecting the personal data of European citizens.
This is the data that each of us provides in ever-increasing quantities, to public or private bodies, through a computer, a smartphone, a tablet – and now through a smart watch, a car, a fridge, a toaster or any other connected object. It was therefore high time to establish a legal framework capable of clarifying and harmonising the use of European citizens’ personal data and giving them the means to control their digital identity – and this need gave rise to the General Data Protection Regulation (GDPR).
What is the GDPR?
In English, GDPR stands for “General Data Protection Regulation”. The GDPR is today the reference text for protecting personal data at the level of the European Union.
This set of rules replaces a previous text dating back to 1995, which had some drawbacks – notably because it left too much room for interpretation, was not very restrictive, and the European Union has since grown to 28 member countries.
The new regulation, consisting of 99 articles and published in the EU Official Journal on 4 May 2016, this time gives a stricter framework and a date for concrete application. Indeed, all organisations (public or private) based in the European Union, or located outside the EU but managing the personal data of European residents, will have to comply with the GDPR by 25 May 2018.
Who is affected by the GDPR?
Any organization based in an EU country will have to apply the provisions of the GDPR: companies and trade unions, associations, administrations, and local authorities. This also includes organizations based outside the EU’s borders that collect, store, and use data relating to residents of a member country. These organizations will have to protect all personal data in their possession. Beyond information about prospects and customers, this also includes data collected about the organization itself, its employees, customers and suppliers, partners…
The GDPR is broad in scope, since all data are concerned, even if the information collected does not allow direct identification of the source. All data that transits on physical media (computers, mobile devices, servers) or through electronic exchanges (mailing, tracking of Internet users) will have to be protected under the new European regulations.
Key provisions of the GDPR
The GDPR establishes a harmonized legal framework for all EU Member States. The key provisions contained in the text are:
- The notion of explicit consent: organizations must ensure that users give their explicit consent before collecting their personal data.
- The right to erasure, better known as the “right to be forgotten”: every EU citizen has the right to request the erasure of all or part of his or her personal data by the data controller on several grounds (e.g. in case of unlawful processing).
- Data portability: Every person has the right to retrieve his or her personal data from the body that collected them, in a structured and commonly used format, in order to transmit them to any other data controller of his or her choice (the same person may also request that his or her data be transmitted directly from one body to another when technically feasible).
- Notification of breaches: in the event of a data breach (e.g. hacking), the controller must notify the national data protection authority and the affected users.
- The obligation for public bodies (and private companies with more than 250 employees) to appoint a Data Protection Officer (DPO).
- Privacy by design: data protection requirements must be taken into account by organizations at the design stage of their products, services, and systems. The purpose of this provision is to protect users’ data in such a way that it cannot be disclosed to third parties, nor allow third parties to learn about users’ private lives.
What are the consequences of the GDPR for businesses?
The process of compliance with the GDPR is a complex subject, the implementation of which will require time and significant changes in companies. However, from 25 May 2018, companies will have to prove that they comply with the provisions of the GDPR – and in particular, the significant changes in traceability and mapping of personal data processing that result from the new data protection rules. Beyond these two provisions, all aspects of data security must be taken into account by companies with a view to compliance. This means launching priority projects such as:
- Mapping personal data within the company
- Taking an inventory of personal data processing and creating a data catalog that records it
- Appointing a Data Protection Officer (for companies with more than 250 employees)
- Managing a cross-functional project to deploy solutions and best practices in terms of data security and data management
- Evolution of product, service, and system design methods following the principle of “Privacy by design”
Failure to comply could result in financial penalties of up to 4% of annual worldwide revenues (or up to 20 million euros)! This is a reason to take the bull by the horns and start today with the mechanics of adapting the company to the new requirements of the GDPR.