The European Union (EU) is getting ready to put a new Regulation into effect called the General Data Protection Regulation (GDPR). This new EU data protection regulation is set to affect businesses all over the world—whether they’re ready for it or not.
With this in mind, we thought we’d put together a quick GDPR summary to help you grasp the basics of the new Regulation so you can be prepared:
What is GDPR?
According to the text of Article 1 of the Regulation, the EU General Data Protection Regulation: “lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.”
To put that in other words, GDPR is the European Commission’s attempt to strengthen and unify the data protection standards that cover all EU citizens (the “natural persons” referenced in the rule’s text).
What some may not realize about the Regulation is the sheer scope of its protection. To protect all of the EU’s citizens, the European Commission made sure that there was language in the Article 3 of the rule to cover “the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union.” The “data subjects,” in this case, being any EU citizen whose data is being processed.
In other words, even if your business isn’t in the EU, if you process the data of an EU citizen, you’ll be subject to the rule and its penalties.
Things to Look Out For
In another post, we outlined six things that every business should know about GDPR before it is implemented.
Some major points of that post included:
- The Rights of Data Subjects. If you process an EU citizen’s data, they will have certain rights as a “data subject,” including:
- You telling them clearly what their rights are.
- You notifying them whenever you’re collecting data (and why).
- You deleting any data you’ve collected if they ask.
- Free access to any data you’ve collected about them.
- The right to object to you processing their data with the expectation that you will cease and desist.
- GDPR’s “Technology Neutrality.” GDPR is considered “technologically neutral,” meaning that the specific means you use to collect, store, and transmit data doesn’t matter—the rules of the Regulation will still apply. This differs from other laws and regulations that tend to be platform- or channel-specific in nature.
- Limitations on the Data You Can Process. When you collect and store someone’s information, GDPR requires that you only process the data you need for a specific task—and that you establish a case for why you need that data.
- Notification Requirements. If a security breach occurs and data is likely to be compromised, GDPR requires you to notify any affected parties “without undue delay.” However, what constitutes “undue delay” is not clearly defined.
Penalties Under GDPR
The text of new EU data protection regulation holds a variety of potential penalties for businesses.
For example, Article 77 of GDPR states that:
“Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating him or her infringes this Regulation.”
Additionally, Article 79 of the Regulation states that “such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.”
In other words, if an EU citizen believes that their data rights have been infringed, they can bring a complaint against your company and have the complaint resolved in their home country—even if your business isn’t located there.
What are some of the penalties that might be imposed under GDPR?
- Compensation to Data Subjects. One penalty that may be imposed is compensation to, as stated in Article 82 of the Regulation, “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation” for the damage they’ve suffered.
- Fines. Article 83 of GDPR specifies a number of different fines that may vary based on the nature of the infraction, its severity, and the level of cooperation that “data processors” (i.e. you) provide to the “supervisory authority.” Less severe infringements may incur administrative fines of up to 10,000,000 Euros or 2% of your total worldwide annual turnover for the preceding year (whichever is greater), while more severe infractions may double these fines (20,000,000 or 4% annual turnover).
Individual Member States of the EU may have additional fines and penalties that may be applied as well. However, these additional penalties are not specifically listed in the text of the Regulation since they’re up to the individual EU nations to set—the only guidelines in Article 84 of GDPR are that “Such penalties shall be effective, proportionate and dissuasive” and that “Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018.”
So, if you’re looking for information on the penalties that individual EU Member States may impose, it will be necessary to consult either GDPR regulation information from the individual Member States or to look on the EU GDPR website after the May 25 deadline.
Want to learn more about the EU’s data protection regulation? Check out our free GDPR guide at the link below or contact us today!
