“What’s This New European Privacy Law About?”: Demystifying the General Data Protection Regulation (GDPR)


With just over a week until the European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect, companies around the world are coming into compliance with the far-reaching law. Inboxes everywhere have been overflowing with consent notifications over the past few months. If you’re just getting started on GDPR or generally curious, here is a brief overview of the GDPR.

Disclaimer – GDPR is broadly written and is context-specific. If your company is in need of compliance help, consider engaging with an outside firm to address your compliance needs.

What is the “GDPR”?
The General Data Protection Regulation (GDPR) is a European Union regulation focused on privacy and data protection for individuals within the EU. It also regulates, among other things, the export of personal information outside of the EU. This law replaces the 1995 Data Protection Directive and goes into effect on May 25, 2018.

Who needs to comply?
The GDPR applies to organizations, private and public, that collect information from EU residents and organizations that process information about EU residents. Anyone outside of the EU who regularly processes the personal data of people in Europe must comply.

What are the basic requirements of GDPR?
In practical terms, the big change for companies is that most of them will have to ask people for opt-in consent in order to process personal information. There are five other “lawful bases” for processing personal information, but most companies will use consent. There are also more stringent data breach requirements. People have rights enumerated under the GDPR such as “the right to be forgotten,” access to data, the right to correct errors, the right to obtain their data in a machine-readable format and switch to a competitor, and the right to have a human look into an automated decision, as well as receive an explanation as to how an automated decision-making algorithm arrives at its decision.

What is the difference between a controller and a processor?
A controller is a person, public authority, organization, or company which determines what types of data are processed, how, and why. A processor is a person, public authority, organization, or company which processes data on behalf of the controller. For example, a school based in the EU collects data about its EU-resident students and contracts with a student information system to store and process that data – the school is the controller and the student information system is a processor.

What is a Data Protection Officer?
Any organization that processes or stores large amounts of personal data is required to appoint a Data Protection Officer (DPO) under the GDPR. Article 39 in the GDPR enumerates the responsibilities of a DPO, which include educating the company and its employees about their obligations under the GDPR and monitoring compliance with the GDPR. Some companies will find that they do not have to appoint a DPO, but that it might be helpful to have one to demonstrate their commitment to comply with the GDPR. Firms do not have to create a separate headcount for a DPO – DPO responsibilities can be delegated to an existing employee.

What is the European Data Protection Board (EDPB) and how does it relate to the GDPR?
The EDPB succeeds the Article 29 Working Group and is in charge of the application of the GDPR as of May 25, 2018. The EDPB is made up of each EU member state’s Data Protection Authority (DPA) and the European Data Protection Supervisor (or their representatives). This body will ensure that the GDPR is applied consistently across the EU. 

What happens if I don’t follow GDPR?
Penalties for non-compliance will be up to 4% of global annual turnover or €20 million, whichever is higher. Moreover, an increasing number of companies with no presence in Europe are being asked by their business partners to certify that they are GDPR-compliant.

What is the ePrivacy Regulation?
The EU’s draft ePrivacy Regulation was first released in January 2017 and is still in draft stage.

For more information, we have webinar slides available here that go into more detail.
What is the GDPR?
2: GDPR: Processor-Controller Responsibilities

Sara Kloek is SIIA's Director for Education Policy.