As an in-house lawyer, it’s important that you’re aware of the new General Data Protection Regulation (GDPR) replacing the data protection directive of 1995 (officially Directive 95/46/EC) on May 25th, 2018.
Familiarise yourself with the new regulation and how it will impact your business with this short GDPR introduction for General Counsel.
What is the GDPR? What’s the aim?
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation from the European Parliament, the Council of the European Union and the European Commission intended to strengthen and unify data protection for all individuals within the European Union (EU).
With the rapid growth of the internet and cloud technologies, companies have ever more ways of using and sharing the personal data they collect. The primary objectives of the GDPR are to close gaps in the old directive, giving citizens and residents back control over their personal data, and to simplify the regulatory environment for international business by unifying the regulation within the EU.
When does it apply?
The regulation came into force on 24 May 2016 but the law will not apply to businesses and organisations until May 25th, 2018.
Who does it apply to?
If your business collects, stores or uses EU citizens’ personal data you are subject to GDPR.
GDPR defines parties as either “controllers” or “processors”. A data controller states how and why personal data is processed, while a processor is the party doing the actual processing of the data. For example, a controller could be any small business, while a processor could be an IT firm doing the actual data processing.
It is important to note that even if controllers and processors are based outside the EU (including the UK post-Brexit), the GDPR will still apply so long as they deal with personal data belonging to EU citizens.
Will GDPR be affected by Brexit?
The short answer is “no”. On 21 June 2017 the UK Government confirmed its intention to bring the EU General Data Protection Regulation (the “GDPR”) into UK law, ensuring the country’s data protection framework is “suitable for our new digital age, allowing citizens to better control their data.”
What are the penalties for non-compliance?
Fines for non-compliance can be up to 4% of annual worldwide turnover or €20 million, whichever is greater.
How will GDPR affect legal matters?
GDPR will apply to all organisations of any size that are resident in the EU, carry out business with EU residents or process any EU citizen’s personal information. As such, as General Counsel, it will be important to mitigate risks associated with how you collect, store and use personal data.
Here are just a few of the types of personal data that will be covered by the regulations:
- Any data you hold for marketing purposes
- Data in your contract, compliance, entity and corporate housekeeping management systems
- Emails and correspondence, both internal and external, since many of these will relate to clients and to their employees and will therefore contain personal data.
GDPR imposes a number of obligations on you in relation to this data, including that you must:
- Have an accurate record of the data you hold and process, including where it is held, how it is secured and used, and what it comprises
- Be able to demonstrate how it was collected, and whether that collection is permitted by law or by the client
- Provide information on how the data is used and on the rights of individuals regarding their data
- Demonstrate that you are managing personal data in a manner compliant with the regulations and be able to supply, on request, the details of the data you hold and how it has been used
- Allow individuals to exercise a range of individual rights, including the right to be forgotten, the right to data portability and the right of access.