The regulation was adopted in 2016 and applies from 25 May 2018. Any organisation, wherever it is based, that collects or processes personal data on EU residents has to comply with the GDPR or face financial penalties. Personal data means any information that can be linked to an identified or identifiable person, directly or indirectly, through an identifier, a reference, or a code. Data that has been truly anonymised, with all identifiers removed so that no individual can be re-identified (e.g. aggregated statistical survey data), is out of scope. Pseudonymised data, where identifiers are replaced by a key that still allows re-identification, remains personal data.
The cost of non-compliance is significant. Fines can reach 20 million Euros or 4 percent of total worldwide annual turnover for the previous financial year, whichever is higher.
What Does GDPR Compliance Mean?
Full compliance with the GDPR requires both organisational and technological measures. Depending on the nature of their processing, organisations may have to appoint a data protection officer and conduct a data protection impact assessment. Technological measures to protect personal data will have to include:
- Data classification.
- Data loss prevention.
- Explicit consent management.
- Limitations on data transfer.
- Technologies that enable data subjects to exercise their rights to access their data, to have errors rectified, and (within limits) to have personal data erased.
The Data Protection Impact Assessment (DPIA)
A data protection impact assessment has to be completed when an organisation processes data in a way that is “likely to result in high risk to the rights and freedoms of natural persons.” The evaluation considers the following areas of concern. As a rule of thumb, if the collection and processing meet any two of these criteria, a DPIA will be required.
- Evaluation or scoring of individuals, including profiling.
- Automated decision-making that has a legal or similarly significant effect.
- Systematic monitoring of individuals.
- Processing of sensitive (special-category) data.
- Processing of data on a large scale.
- Matching or combining data sets.
- Processing of data regarding vulnerable data subjects.
- Processing that prevents data subjects from exercising a right or from using a service or contract.
The DPIA should be regarded as an ongoing process, not a one-time evaluation. The data controller is responsible for the DPIA and supervises any professional hired to carry it out. The actual methodology of the DPIA is not prescribed; the EU guidelines list a number of acceptable methods.
Organisations that process personal data about EU residents have to be able to demonstrate compliance with the GDPR. The right to process personal data is limited by law: processing is lawful only if it rests on one of the legal bases the regulation recognises, such as the data subject having given “consent to the processing of his or her personal data for one or more specific purposes”, the processing being necessary to perform a contract or to meet a legal obligation, the processing being necessary to protect the vital interests of the data subject, or a legitimate interest that is not overridden by the data subject’s rights. Organisations must be able to justify which legal basis their processing relies on. Where processing relies on consent, organisations must be in a position to stop processing when a data subject withdraws that consent.
The form of consent is clearly defined. Consent must be “a clear affirmative action”. Consent cannot be implied through an “opt-out”, pre-ticked boxes, or silence. The law also prohibits making a service or contract conditional on consent to processing that is not necessary for that service or contract. The data subject always has the right to withdraw consent, and withdrawing it must be as easy as giving it.
Data that reveals a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify a person, health data, or sex life or sexual orientation may not be processed unless a specific exception applies, such as the explicit consent of the data subject. Using other data to infer these characteristics, or to uncover personal relationships and other matters that would harm the data subject, is likewise not legal.
The GDPR is a strict codification of the right to privacy and data protection recognised in the European Union.