Data Protection Act: What to Know About GDPR

GDPR stands for the General Data Protection Regulation and was passed by the European Parliament, the Council of the European Union and the European Commission. It is meant to replace the Data Protect Directive and supersede the Data Protection Law of 1998 in the United Kingdom. GDPR is one of the largest data protection laws passed globally and affects not just EU citizens or EU corporations alone. The law became compulsory on 25 May 2018all persons inside the European Union will now have the right to know how their data is controlled—not just within the EU but globally. For corporations and organizations that do business in the EU or have customers in the EU, the law sets up numerous regulations that not only lambaste those who do not follow but enforce strict monetary penalties – both upon individuals like board directors and on corporations.

Whether you are a citizen of the European Union, someone with plans to travel in the EU, a corporation or entity located in the EU, a board member on a company that serves EU customers or a global entity, it is likely that GDPR and it’s laws on data protection affect you directly in some way. With 99 articles in this sweeping legislation that outlines numerous core tenants of data protection and the responsibilities of organizations of any size that store any kind of data, it can be tough to get a sense of what you need to know about GDPR. This GDPR readiness guide and accompanying white paper will help you and your organization be ready for GDPR – and avoid the massive personal fines and organizational restrictions resisters can accrue.

What Is the Data Protection Law

Prior to GDPR, the Data Protection Act of 1998 was a United Kingdom Act of Parliament that was modeled after the EU Data Protection Directive of 1995. Affecting corporation or company use rather than personal use, the data protection the act defined fell into 8 area of protection with various exemptions.

The primary relevance of the Act was the creation of a clear definition of personal data, defined in this act as any data that can identify a singular individual in any manner. The Act also outlined that individuals have the right to Subject Access Requests (for a fee) from any organization that holds data on that individual.

The complications of the Act derived from its unwieldy size. As it was a large and complex law, many organizations were unsure of the aims or primary principles of the Act. The enforcement of the Data Protection Act was also challenging as it did not extend throughout the full European Union or hold global entities responsible and had fewer protections on personal data than on sensitive personal data. With the expansion of the Internet and the advent of cloud-based technologies, enforcement for data centers outside of the U.K. became equally problematic.

A primary goal of the Global Data Protection Regulation was to override the Data Protection Act of 1998 in order to create a simpler law with stricter enforcement with a global reach.

What Is GDPR?

GDPR is, like the Data Protection Act before it, an Act that seeks to strengthen data protection of individuals. Moreso than any Act before it, the GDPR encompasses the full European Union and addresses personal data outside of the borders of the E.U.The full scope of the GDPR encompasses not just data subjects of entities within the E.U. but also any processor – cloud-based or otherwise – that is based in the E.U. For example, a United States-based company with a client in the E.U. is just as liable for a breach of data as an organization located in the E.U. physically.

Key Highlights of GDPR: Basics

  • Individuals have the right to know how their data is handled, stored and regulated. The onus of keeping track of data is no longer on the data subject but on the data processor (the organization or representative of an organization capturing or storing data).
    • To this end, GDPR requires that each data processor have a Data Protection Manager (also referred to as a Data Protection Officer). The primary responsibility of the Data Protection Manager is similar to a Compliance Officer and is expected to manage all data within an organization, including but not limited to: IT processes, information privacy issues, data storage and protection, cyber-attacks, breaches of data protection and both personal and sensitive data.
  • GDPR looks to achieve a “Digital Single Market,” in so much as all E.U. members will follow the regulation. Each member of E.U. will be responsible for creating their own Independent Supervisory Authority to serve as a regulatory unit for complaints, concerns and enforcement. Similarly, a company will have a “one-stop shop” that is responsible for supervising all behaviors under the regulation, no matter how many locations they may or may not have to reside within the E.U. This seeks to limit the confusion between different laws in various countries within the E.U. and on the consumer side as well.
  • GDPR levies heavy financial penalties both for non-compliance and for a breach of data protection. Depending on the severity of a data breach, an organization can be fined up to 10,000,000 Euros or 2% of the companies annual revenue -whichever penalty is higher. A severe data breach can cost an organization as much as 4% of their annual revenues for a data breach.

What Is Sensitive Personal Data? What Is Meant By Personal Data?

GDPR allows regulators the opportunity to refine and modernize the definitions of data as it relates to an individual. Both sensitive and personal data are protected by GDPR, though higher fines are accrued for breach of data protection as it relates to sensitive personal data.

Personal data is any data that relates to a living individual that can assist in identification of the individual. For example, phone numbers, addresses of current or former domiciles, eMail addresses, or digital data like non-anonymized cookies or IP addresses.

Sensitive personal data is a specific type of personal data that includes any details of ones race, ethnicity, political affiliations, health biometrics, sex life or criminal records.

How Does GDPR Affect Me?

As an individual, the Global Data Protection Regulation imbues an individual with distinct rights when it comes to any of their personal data. Some of these rights include:

  • The Right to Be Forgotten – also referred to as the Right to Erasure: this allows an individual to request a company removes all data that they have stored on that data subject. The individual can decide on the scope of that data.
    • Example: An individual can ask that their eMail is removed from mailing lists or complete removal of all their data from the server). An organization is responsible for illustrating that they have complied with such a request.
  • Personal data must be protected by default. An example of this is pseudonymization (also referred to as Data Masking) that removes any links that can trace that information to the individual data subject.
    • Example: a credit card number contains 16 digits. Masking the data would still maintain a 16-digit format would change the numbers so that the original credit card number could not be elucidated.
  • Notification For A Breach of Data Protection: If the Data Controller is aware of a breach of data protection that comprises your personal data, they have a 72-hour (when feasible) to alert the data subject. If they are unable to notify a data subject within that window of time, they must provide credible and substantive reasons to why they did not notify in the allocated window of time.

Don’t know where to start to prepare your board for GDPR? See 8 ways you can get prepared today

How Does Data Protection Affect My Board?

GDPR changes the responsibilities of the board of directors immensely as it comes to data protection and information privacy. The primary step involves appointing a Data Protection Manager (also referred to as a Data Protection Officer). Numerous experts feel that this should be a board-level position. However, finding someone with the unique skill set to mitigate financially, IT, audit and compliance and legal issues is not an easy task.

The board of directors also will play a role in data protection that can create personal and company-wide liabilities. If an action by the board of directors or an individual board member is found to be culpable of fault in a breach of data protection, criminal charges may be pressed. Even beyond criminal actions, the board of directors or the organization itself may engage in other actions, such as termination of a director, due to fault in protecting personal data.

Whether a director on a board, an executive or an advisory, it is a key step in preparing for GDPR to make sure that your board is aware of the systemic and endemic regulations of GDPR.

How Does GDPR Affect My Company?

The Global Data Protection Regulation affects your company if collect, retain or have ever collected data and any of the following are true:

  • You have customers – current or former – residing within the E.U.
  • You have locations or entities located in the E.U.
  • You house any data within the E.U.
  • You have any customer or employee who has traveled in the E.U.
    • This particular regulation of GDPR protects those who may be traveling through the E.U. but are not E.U. citizens – whether the travel is for business, pleasure or country (in the case of the military)

In broad terms, your organization or company is the Controller of data. As Controller, you may use any number of Processors to collect, modify or store data (for example, a payroll company for your employee salaries or a cloud-based technology company that manages your servers).

Eight Ways Board Directors Should Be Preparing for the GDPR Right Now

Need help preparing for GDPR or any other corporate governance matter? Let us help you today

Readiness Checklist: How To Prepare for GDPR

While the Global Data Protection Regulation may feel like a looming threat, it is a key regulation of good corporate governance. The slower rollout of the enforcement period is meant to allow organizations the time that they need to become prepared for GDPR.

Does your organization need help in preparing for GDPR?

Diligent Corporation, the premier enterprise governance management SaaS solution is ready to help with all of your corporate governance needs – and beyond. Start by asking the following questions of your organization. For more tips on how your board of directors can prepare for GDPR, download our white paper or contact us.

Learn how to prepare for GDPR