The European Union’s General Data Protection Regulation (EU GDPR) came into force in May 2018, with the promise to provide a single, harmonised data protection law for the European Union. The GDPR aims to safeguard the personal data of EU subjects, regardless of where that data is held or processed, and as such its reach is global. Both Guernsey and Jersey updated their own laws to ensure the Islands remain in line with the EU.
Increased Territorial Scope
One of the biggest changes that the GDPR brings is in respect of its reach. Its scope is all EU citizens and therefore it is extra-territorial. In other words, it applies to all companies processing the personal data of EU data subjects, regardless of the company’s location.
Organisations in breach of the GDPR can be fined up to 4% of annual global turnover or €20 million, whichever is greater. This is the maximum fine that can be imposed for the most serious infringements, e.g. having insufficient customer consent to process data or violating the core principles.
There is a second rule under which a company can be fined up to 2% of annual global turnover or €10 million for not having its records in order (article 28), not notifying the supervising authority and affected data subjects about a breach, or not conducting an impact assessment.
It is important to note that these rules apply to both data controllers and data processors - those third-party organisations which provide outsourcing services, including "cloud" providers.
Under the GDPR, breach notification will become mandatory where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers, the controllers, “without undue delay” after first becoming aware of a data breach.
Privacy by Design
Privacy by design as a concept has existed for years now, but it is only just becoming part of a legal requirement with the GDPR. At its core, privacy by design calls for the inclusion of data protection from the start of process or system design, rather than as a subsequent addition. More specifically - 'The controller shall implement appropriate technical and organisational measures in an effective way in order to meet the requirements of this Regulation and protect the rights of data subjects'. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimisation), as well as limiting access to personal data to those who need to carry out the processing.
Data Subject Rights
The GDPR defines 8 rights for individuals:
Right to be Informed
All organisations must be completely transparent in how they are using personal data (personal data may include data such as a work email address and work mobile number if they are specific to an individual).
Right to Access
Part of the expanded rights of data subjects outlined by the GDPR is the right for data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift to data transparency and empowerment of data subjects.
Right to Correction/Rectification
All individuals will have the right to have personal data rectified if it is inaccurate or incomplete.
Right to be Forgotten
Also known as the right to data erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure, as outlined in article 17, include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject's rights against "the public interest in the availability of the data" when considering such requests.
Right to Restrict Processing
All individuals have the right to block or suppress processing of their personal data.
Right to Data Portability
GDPR introduces data portability, the right for a data subject to request a copy of any data held about them and also to request that the information be transmitted to another data controller. The regulation doesn't detail specifics for this, only to say that information must be provided in a 'structured, commonly used and machine-readable format'.
Right to Object
In certain circumstances, individuals are entitled to object to their personal data being used. This includes cases where a company uses personal data for the purpose of direct marketing, scientific and historical research, or for the performance of a task in the public interest.
Right to not be subject to automated decision making and profiling
The GDPR has put in place safeguards to protect individuals against the risk that a potentially damaging decision is made without human intervention. For example, individuals can choose not to be the subject of a decision where the consequence has a legal bearing on them or is based on automated processing.