2016 EU General Data Protection Regulation
Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty on the Functioning of the European Union lay down that everyone has the right to the protection of personal data concerning him or her. Following this fundamental right, the European Parliament and the Council have agreed on a regulation to make this happen. This regulation [pdf] enters into force 20 days after publication in the Official Journal and applies two years later, i.e. from 25 May 2018.
This article is planned to be the first in a series explaining what the new EU General Data Protection Regulation means for EU citizens and organizations in terms of personal data, and also for those organizations and companies offering goods and services to any individual residing in the EU.
This first article offers a short overview of what is to be expected, while the following articles will go further into the details of the different aspects. The regulation is (as of today) not yet published in the Official Journal, which is expected to happen in the next few weeks. However, the text available today will not change significantly any more.
Should I care?
The regulation will have a massive impact on any company processing personal data of individuals in the EU: it does not matter whether the company is based in the EU, the US, or outer space (Art. 3, territorial scope). In other words: any organization offering goods or services to individuals in the EU market, or monitoring their behaviour, is affected and needs to make sure it takes the new rules into account by 25 May 2018 at the latest, when the regulation finally applies.
What if I do not care?
As an organization offering services in the EU and violating (which means: not following) the regulation, you risk administrative fines of up to 20 million EUR or 4% of your total worldwide annual turnover of the preceding financial year, whichever is higher (Art. 83).
So what does personal data processing mean?
Basically: everything you can do with data, from collection to erasure (Art. 4). Data is personal as long as it relates to an identified or identifiable natural person, i.e. as long as it can be linked to a real person, directly or indirectly.
But it is still allowed?
For sure, yes. But only if you do it in a lawful, fair and transparent manner, while taking into account and providing: purpose limitation, data minimisation, accuracy, storage limitation in time, integrity and confidentiality, and accountability for all of the above (Art. 5). Being transparent alone is not enough: processing of personal data is lawful only if at least one of the following applies (Art. 6): consent of the data subject, performance of a contract, a legal obligation, vital interests, a task carried out in the public interest, or legitimate interests of the controller or a third party. If one of these applies (a legitimate interest, for example), you can work with the data. But you have to make sure your processing is transparent to the data subject.
What does transparency mean?
As soon as you start collecting the data, you have to inform the data subject about this in clear and plain language (Art. 12 to 14). You have to provide a number of details about the processing, including the why (purposes and legal basis), who (your identity and contact details), for whom (recipients), how long (retention period), his or her rights, your obligations, and a few more things.
And while we are talking about obligations: you need to be prepared to honour your customers' rights to access, rectification, erasure (the 'right to be forgotten', Art. 17) and restriction of processing (Art. 18). You also need to be able to hand over the data in a machine-readable format, or transfer it to another party, on request (data portability, Art. 20). And you must be able to prove that you do all of this.
Because of the transparency and accountability requirements, you have to have processes and policies in place to offer all this, and you are required to provide evidence of this to the supervisory authority on request.
Based on the specific risk to the personal data you manage, you have to have data protection management processes in place, including a data protection impact assessment for high-risk processing (Art. 35). If you have 250 or more employees, you have to keep records of your processing activities (Art. 30): which processes are affected and how you process personal data. Smaller organizations have to keep these records as well whenever the processing is not occasional, is likely to result in a risk, or involves special categories of data.
Privacy by Design?
Required. According to Art. 25 of the regulation (Art. 23 in the Commission's 2012 proposal), you have to implement appropriate technical and organisational measures to provide data protection by design and by default.
Scary! So what's next?
In the next articles in this series we will have a deeper look into the different areas and requirements. Stay tuned!