GDPR
The General Data Protection Regulation (GDPR) is an EU-wide regulation designed to strengthen the protection of personal data within the European Union. It entered into force in 2016 and has applied directly in all member states since May 25, 2018, replacing the previous Data Protection Directive 95/46/EC. The GDPR defines how companies and organizations may collect, process, and store personal data and outlines the rights that individuals have regarding their data.
Requirements for Companies
Companies that process personal data must meet several requirements to comply with the GDPR:
- Lawful Basis and Consent: Personal data may only be processed on one of the lawful bases set out in the GDPR, such as consent, performance of a contract, a legal obligation, or the controller's legitimate interests. Consent is therefore one possible basis, not the only one. Where processing relies on consent, that consent must be freely given, specific, informed, and unambiguous, and it must be as easy to withdraw as it was to give. Explicit consent is required for special categories of data (e.g., health data) unless another exception applies.
- Data Protection by Design and by Default: Companies must ensure that systems and processes are designed from the outset to meet data protection requirements. This includes collecting and processing only the data necessary for the purpose of the processing.
- Information Obligations: Companies must transparently inform individuals about the processing of their data. This includes providing details on what data is being processed, for what purpose, and for how long. Individuals must also be informed of their rights.
- Rights of Data Subjects: The GDPR significantly strengthens the rights of individuals. These include the right of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and objection, as well as the right not to be subject to decisions based solely on automated processing, including profiling, that have legal or similarly significant effects.
- Notification of Data Breaches: Controllers must report a personal data breach to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach is likely to result in a high risk to those individuals, they must also be informed without undue delay. Every breach, whether reported or not, must be documented internally together with its effects and the remedial action taken.
- Data Processing by Third Parties: When companies outsource the processing of personal data to third parties acting as processors (e.g., cloud providers), they may only use processors that provide sufficient guarantees of GDPR compliance and must bind them by a written contract (data processing agreement). The contract must specify the subject matter, duration, and purpose of the processing and the processor's obligations, including security measures, approval of sub-processors, and assistance with data subject requests and breach notifications.
- Data Protection Officer: Companies must appoint a Data Protection Officer (DPO) if their core activities consist of processing that requires regular and systematic monitoring of individuals on a large scale, or of large-scale processing of special categories of personal data or data relating to criminal convictions. Public authorities must always appoint a DPO.
- Data Protection Impact Assessment (DPIA): For high-risk data processing activities, especially when new technologies are used, a DPIA must be conducted to assess the risks to the rights and freedoms of individuals and to identify appropriate measures to mitigate those risks.
Necessary Steps for Implementation
To implement the GDPR requirements, companies should take the following steps:
- Data Inventory and Audit: Create a comprehensive inventory of all personal data processed within the company. Conduct a data protection audit to assess whether current practices comply with the GDPR.
- Adjust Processes and Policies: Revise internal processes and policies to ensure they meet the GDPR requirements, particularly regarding consent management, information obligations, and the implementation of data subject rights.
- Employee Training: Raise awareness and provide training for employees, particularly those who regularly handle personal data, on the GDPR requirements.
- Technical and Organizational Measures: Implement technical and organizational measures appropriate to the risk to ensure the security of processing. The GDPR explicitly names pseudonymization and encryption, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems, the ability to restore access to data promptly after an incident, and a process for regularly testing and evaluating the effectiveness of these measures. In practice this means encryption at rest and in transit, role-based access controls following least privilege, logging and monitoring, tested backups, and regular security assessments.
- Appoint a Data Protection Officer: If required, appoint a Data Protection Officer, publish the DPO's contact details, and communicate them to the relevant supervisory authority.
- Documentation and Accountability: Document all measures taken to implement the GDPR. This documentation is crucial for demonstrating compliance to supervisory authorities in the event of an audit.
- Continuous Improvement: Define fixed intervals for a Plan-Do-Check-Act (Deming) cycle so that data protection measures are reviewed and improved regularly rather than once. Each cycle should re-check compliance with the GDPR, incorporate lessons from incidents and audits, and adjust measures to new processing activities, technologies, and regulatory guidance.
Which Companies Must Implement the GDPR?
The GDPR applies to all companies established in the EU that process personal data, regardless of where the processing itself takes place, and to companies outside the EU that process personal data of individuals located in the EU. This means that not only EU-based companies must implement the GDPR, but also companies outside the EU that offer goods or services to individuals in the EU (whether or not payment is required) or monitor their behavior (e.g., through tracking technologies on websites). The decisive factor is the location of the individuals, not their citizenship.
When Must Companies Implement the GDPR?
The GDPR came into effect on May 25, 2018, and from that date, all affected companies must comply with the regulations. Companies established after this date or that previously did not process personal data must implement the GDPR from the moment they start processing data.
Companies that processed personal data before the GDPR came into effect had to adjust their processes and systems to meet the new requirements by May 25, 2018. Non-compliance with the GDPR can result in administrative fines of up to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher; a lower tier of up to 10 million euros or 2% applies to less severe infringements, such as violations of the security or breach notification obligations.