Data Breach! Learn about the European Union’s GDPR aka Data Protection Directive | DCR Workforce Blog

Data Breach! Learn about the European Union’s GDPR aka Data Protection Directive

In this age of information, the world has been repeatedly rocked by data breaches, each one bigger and farther reaching than the last!  Not all hackers benefit from their activities. But every such activity breaching data privacy disrupts the lives of many and ruins the reputations of organizations which allowed such a breach to occur.

Data protection is the need of the hour and cannot be taken lightly by countries, companies and even individuals. Now we have the European Union (EU) showing the way to the rest of the world with the passing of General Data Protection Regulation (GDPR), its data protection directive that applies to all its citizens and residents.

Adopted in 1995, the European Union has been loosely following the seven principles given below to protect the personal data of individuals living in the EU, and they were a part of the EU Directive:

  1. Notice: Data subjects should be given notice when their data is being collected
  2. Purpose: Data should only be used for the purpose stated and not for any other purposes
  3. Consent: Data should not be disclosed without the data subject’s consent
  4. Security: Collected data should be kept secure from any potential abuse
  5. Disclosure: Data subjects should be informed as to who is collecting their data
  6. Access: Data subjects should be allowed to access their data and make corrections to any inaccurate data and
  7. Accountability: Data subjects should have a method available to them to hold data collectors accountable for not following the above principles and for not protecting their privacy

Requirements under the GDPR:

The EU’s General Data Protection Regulation affects all businesses in Europe and everyone residing there, but also carries extra-territoriality to control the personal information of all its citizens which is exported outside the EU. Its regulations make the processing of data within the EU uniform and brings it under a single legal umbrella.

Once finalized and enforced beginning in 2018, the GDPR is set to supersede the earlier EU Directive and to impose expectations not just from businesses and individuals in the EU but also from the global entities that deal with these individuals and their personal information including their correspondence, their homes or their private and family life.

Its increased compliance requirements also impose heavy financial penalties for any transgressions (to the tune of €20m or 4% of annual worldwide turnover for groups of companies, whichever is greater.) The fines cover aspects such as:

  • Infringements of the basic principles for processing, including conditions for consent
  • Data subjects’ rights
  • Conditions for lawful international data transfers
  • Specific obligations under national laws permitted by the GDPR, and
  • Orders by data protection authorities including suspension of data flows

Key changes introduced by the GDPR

The sanctions and remedies under the GDPR give regulators unprecedented powers to intervene in business and shape how entities conduct their operations, including the power to impose heavy fines. Non-compliance could potentially render organizations liable to pay fines of billions of dollars. All companies, foreign or local, processing the data of EU residents are covered.

Look at some of the salient regulations that will have to be followed:

  • Obtaining consent for collecting personal data is more rigorous, so entities need to re-think how they engage with people, including their contracting and permissions processes and how they give clear and full information on what is happening to personal data
  • Age of consent for collecting an individual’s data raised from 13 to 16 years old
  • The data subject can rightfully access all data processed about him or her
  • No processing of personal data is allowed, except when certain conditions, with regard to transparency, legitimate purpose and proportionality are met.
  • A company is required to delete data if it’s no longer used for the purpose it was collected under the data subject’s “right to be forgotten”
  • A company is required to delete data if the individual revokes consent for the company to hold the data
  • The data subject has the right to be informed when his personal data is being processed – the controller must provide his name and address, the purpose of processing, the recipients of the data and all other information required to ensure the processing is fair
  • Data may be processed, provided one of the following statements are true about the need and right to process the data:
    • The data subject has given his or her consent
    • It’s linked to the performance of or the entering into a contract
    • It’s necessary for compliance with a legal obligation
    • It’s necessary to protect the vital interests of the data subject
    • It’s necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed
    • It’s necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject
    • Sensitive personal data like religious beliefs, political opinions, health, sexual orientation, race, membership of past organizations require more restrictions
    • Data should not enable identification of data subjects for longer than is necessary for the purposes for which the data were collected or processed
    • No decision which produces legal effects or significantly affects the data subject may be based solely on automated processing of data – if using automatic decision making processes, there must be a form of appeal for the data subject
  • Companies must notify the EU government of data breaches within 72 hours of learning about the breach, and in serious cases, they’ll have to notify the people affected
  • Companies must establish a single national office for monitoring and handling complaints brought under the GDPR
  • Firms handling significant amounts of sensitive data or monitoring the behavior of many consumers are also required to appoint a data protection officer

All member states of the EU shall adopt these tenets to establish appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. Every member state must set up a supervisory authority as an independent body that will monitor the data protection level in that member state and defend against any violations.

Outsiders – countries dealing with the EU

Every global organization that handles data on EU citizens and residents will be affected by the GDPR. Countries outside the EU need to provide an adequate level of protection and promise to comply with the data protection rules.

The US Office of the Director of National Intelligence will give written commitments that Europeans’ personal data will not be subject to mass surveillance. The EU and USA will conduct an annual review to check whether the new system is working properly. An instance of data loss resulting from unlawful processing entitles data subjects to collective redress, the equivalent of a US-style class action lawsuit.

To comply with the GDPR, companies need to map and classify all their personal data as well as document everything they do with data and everything they do to achieve legal compliance. They need to perform risk assessments, design privacy protections into all new business operations and practices, employ dedicated data protection officers plus monitor and audit compliance.

Two years may seem like sufficient time to do all this – but they must start acting now or be found lacking when 2018 rolls around.

What data privacy practices do you think we should institute in the US?

The content on this blog is for informational purposes only and cannot be construed as specific legal advice or as a substitute for competent legal advice. They reflect the opinions of DCR Workforce and may not reflect the opinions of any individual attorney. Do contact an attorney for advice specific to your issue or problem.
Mohan is responsible for guiding business capabilities that align with DCR’s IT strategy. He’s a driving force behind everything that DCR creates, providing thought leadership that results in focused delivery, technical innovation and change. During his downtime, he enjoys water sports including snorkeling and diving.