On 25 May 2018 the European Union's new General Data Protection Regulation (GDPR) comes into force.
The introductory paragraph of the official website states it quite frankly: “[…] at which time those organizations in non-compliance will face heavy fines.”
But let’s take a step back for a quick recap: the GDPR replaces the Data Protection Directive 95/46/EC from 1995. Since then the European Union has changed quite a bit and, among other things, opened its borders to many economic flows and developments, not least digital ones. Already in 1980 the OECD, whose members include the US and most European states, had agreed on eight principles to improve the Protection of Privacy and Transborder Flows of Personal Data:
- Collection Limitation Principle;
- Data Quality Principle;
- Purpose Specification Principle;
- Use Limitation Principle;
- Security Safeguards Principle;
- Openness Principle;
- Individual Participation Principle;
- Accountability Principle.
You can find the detailed principles on the eugdpr overview web page.
Because these principles were non-binding, and because the 1995 Directive was implemented with varying degrees of rigour across EU member states, the European Commission proposed a new data protection regulation in 2012. Skipping forward to December 2015: the European Parliament and the Council agreed on the final text of the GDPR, formally adopted the regulation in April 2016, and thereby started a “2-year post-adoption grace period” that ends on 25 May this year.
The GDPR applies not only to organisations located within the EU but also to organisations outside the EU that offer goods or services to, or monitor the behaviour of, EU data subjects. In short, it applies to every company processing or holding the personal data of data subjects residing in the European Union, regardless of the company’s location.
The key changes of the GDPR in comparison with the previous Directive are:
Increased Territorial Scope (extra-territorial applicability)
… “Non-EU businesses processing the data of EU citizens will also have to appoint a representative in the EU.”
Penalties
… “Under GDPR organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).”
Consent
… “Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language. It must be as easy to withdraw consent as it is to give it.”
Data Subject Rights
… Breach Notification to the supervisory authority within 72 hours of first becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals.
… Right of Access: data subjects can obtain confirmation of whether their personal data is being processed, and a copy of it, free of charge and in an electronic format.
… Right to be Forgotten (erasure): data subjects can have their personal data deleted, further dissemination ceased, and processing by third parties halted.
… Data Portability: data subjects can receive their personal data in a ‘commonly used and machine readable format’ and have it transmitted to another data controller.
… Privacy by Design requires that data protection measures are built into systems and architectures from the outset, and that by default only the data necessary for each purpose is processed, instead of adding such measures on request.
Data Protection Officers
… “[…] appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale […].”
There are some helpful infographics, guidelines and coalitions available online. Here are some pointers:
1. The UK Information Commissioner’s Office published a checklist with 12 steps to take in preparation for the GDPR:
2. Bird & Bird GDPR legislation implementation tracker:
3. Privacy For Academic Research Cookbook by Marlon Domingus (Erasmus University Rotterdam) for the Digital Curation Centre (DCC) UK:
4. GDPR Awareness Coalition: