GDPR Fundamentals: Data Protection Officers

Most organizations who are required to comply with GDPR will have a Data Protection Officer (DPO). The requirement to have a DPO applies if you are a public authority, if your regular activities require large-scale and systematic monitoring, or if your core activities consist of large-scale processing of special categories of data.

Qualifications of a Data Protection Officer

When hiring a DPO, GDPR specifies that the individual must have the required expertise and experience not only in data protection, but in the corresponding processing activities. So, if an organization is a payment processor, their DPO should have familiarity with both financial transactions and the corresponding data protection regulations.

Responsibilities of a Data Protection Officer

GDPR describes several tasks for a DPO to perform, including:

  1. Inform and advise its organization on how to involve employees with GDPR obligations
  2. Monitor and review compliance with GDPR and other data protection laws
  3. Advise and monitor Data Protection Impact Assessments
  4. Be the primary point of contact for supervisory authorities
  5. Cooperate with supervisory authorities in the course of an investigation or inquiry

What a Data Protection Officer Needs

From an organizational perspective, you must provide your DPO with a few things:

  • A DPO must have independence to perform their tasks. They cannot be unduly influenced to bring a specific outcome.
  • A DPO must be accessible both to internal employees and to data subjects.
  • DPOs must also have requisite resources to perform their tasks; this could mean time, money, training, or other resources.

So, what have we learned about DPOs? A DPO is an individual that has expert knowledge of data protection laws, is independent from an organizational perspective, cannot be told how to do their job, and cannot be penalized for doing their job. This could be a person who’s also fulfilling other roles within an organization (without a conflict of interest), but it could also be an outside contractor. Most organizations are going to require a DPO.

Video Transcript

GDPR requires certain organizations to have Data Protection Officers. The requirement applies if you are a public authority or a body; your regular activities require large-scale, regular, and systematic monitoring of individuals (i.e. tracking online behavior); or your core activities consist of large-scale processing of special categories of data or data related to criminal convictions or offenses. For example, a hospital who’s processing large-scale quantities of healthcare data would require a Data Protection Officer. From a professional perspective, most organizations are going to require a Data Protection Officer.

GDPR specifies the qualifications of a Data Protection Officer in a limited capacity. The law says that Data Protection Officers should have the required expertise and experience with data protection laws. Guidance also indicates that Data Protection Officers should have experience and expertise that corresponds with the processing activities of their organizations. A couple of examples are: if an organization performs complex artificial intelligence review of advanced cybersecurity threats, then their Data Protection Officer should have familiarity with both artificial intelligence and cybersecurity threats and the corresponding laws. If an organization is a payment processor, then the Data Protection Officer should have experience with both financial transactions and the corresponding financial laws that govern those financial transactions.

GDPR specifies five tasks for a Data Protection Officer to perform. First, a Data Protection Officer must inform and advise its organization on including its employees on the company’s GDPR obligations. Second, a Data Protection Officer must monitor and review compliance with GDPR and other data protection laws. That includes reviewing an organization’s internal policies and procedures, as well as raising awareness of data protection issues, training staff, and conducting internal audits. Third, a Data Protection Officer should advise and monitor Data Protection Impact Assessments. Fourth, Data Protection Officers are a primary point of contact for supervisory authorities. Fifth, Data Protection Officers much cooperate with supervisory authorities in the course of an investigation or an inquiry.

A Data Protection Officer must have the requisite independence to perform their tasks. They cannot be unduly influenced by senior management to come out with a specific outcome regarding advice or a compliance review or input into a Data Protection Impact Assessment. A Data Protection Officer can be both an internal candidate or a contracted party. Either way, a Data Protection Officer must be accessible both to internal employees and to data subjects. One of the ways that an organization can make their Data Protection Officer available is to publish their contact information on a corporate web page, for example. The can also notify their supervisory authority about the identity of their Data Protection Officer.

Data Protection Officers must also have requisite resources to perform their tasks. That means that they have to have enough time to do any other job that they do along with enough time to perform their responsibilities as a Data Protection Officer. They may require financial resources; they may require hardware and software resources; they may require staff to perform their tasks. The Data Protection Officer responsibilities cannot be delegated among multiple individuals, but the Data Protection Officer can receive support form individuals within the organization to fulfill their responsibilities. Finally, a Data Protection Officer might require resources such as training and ongoing education around GDPR and other data protection laws. As I said at the beginning, most organizations are probably going to require a Data Protection Officer. For more guidance on the requirements and responsibilities of a Data Protection Officer, see the Article 29 Working Party guidance on Data Protection Officers.

GDPR Fundamentals: Roles Under the Law – Controllers, Processors, and Joint Controllers

GDPR divides responsibilities for organizations processing personal data based on their role, so determining which role your organization plays is one of the first steps towards GDPR compliance. You cannot know what your requirements or obligations under the law are until you do so. There are three major roles under GDPR: controllers, processors, and joint controllers. Let’s discuss what each of these roles mean and how your organization can determine which role it plays.

What is a Controller?

A controller is the organization who determines the purpose and means for processing. A controller has the most authority over processing activities and most likely has interaction with the data subject. A controller may determine things like:

  • What kind of personal data to collect and the legal basis for doing so
  • What the purpose of processing is
  • What methods will be used to collect personal data
  • How to store personal data
  • The detail of security surrounding the personal data
  • The means used to transfer personal data from one organization to another
  • The methodology behind data retention
  • The means used to delete or dispose of personal data

Some other responsibilities of controllers are handling data subjects’ rights requests through investigation, review, and response. Controllers are also responsible for performing Data Protection Impact Assessments, which is a formal process for reviewing and mitigating the risks of processing activities to data subjects. Controllers also have the responsibility of notifying supervisory authorities and data subjects in the event of a data breach.

What is a Processor?

A processor is organization that processes data on behalf of a controller. Processing is essentially anything done to the data, including storing, archiving, or reviewing. A processor helps the controller perform its obligations under GDPR but has no independent authority to determine what to do with the data or how to perform processing activities. Because processors can only act under the authority of a controller, their major responsibility is to support the controller.

What is a Joint Controller?

A joint controller is an organization who shares both personal data and decision-making authority with one or more other controllers. In a joint controller situation, the organizations must clearly define the responsibilities among joint controllers. The organizations must share authority over the data, not just share a data pool.

There are some responsibilities among controllers, processors, and joint controllers that are identical – the need for a data protection officer, documentation of processing activities, security over processing activities, designation of an EU representative, and liabilities under GDPR.

Are you subject to the responsibilities of controllers, processors, or joint controllers? Let’s find out today! Contact us to get in touch with a GDPR expert.

Video Transcript

GDPR divides responsibilities for organizations processing personal data based on their role. There are three potential roles under the law: controllers, processors, and joint controllers. A controller is the organization who determines the means and the purposes for the processing. This is the organization that most likely has interaction with the data subject and will generally obtain the personal data from the data subject. A controller may also be a controller because it has independent legal obligations, such as an attorney or an accountant. A processor is a service organization that simply helps the controller perform its obligations under GDPR but has no independent authority to determine what to do with the data or how to perform a certain processing activity.  A joint controller is an organization who shares both personal data and decision-making authority with another controller.

So, with those three roles identified under the law, let’s talk a little bit about what are some differences between a controller and processor. First, controllers are primarily responsible for handling data subjects’ rights requests. They are the ones that are responsible for investigating, reviewing, and responding to data subjects’ requests. Controllers are also responsible for performing Data Protection Impact Assessments. Those are processes for reviewing and mitigating the risks of processing activities to data subjects. Controllers also have the responsibility of notifying the supervisory authorities and data subjects in the event that there is a personal data breach. Processors, on the other hand, have the responsibility to only act under the authority of a controller, to notify a controller instead of a supervisory authority if there’s a breach, and to support rather than perform Data Protection Impact Assessments.

However, there are some responsibilities under GDPR that are identical between controller and processor. First, if applicable, both controllers and processors must have data protection officers. Second, if applicable, both controllers and processors must document their processing activities. Third, if applicable, both controllers and processors must designate a representative in the EU. Two additional identical responsibilities between controllers and processors are ensuring that their processing activities are secure and both controllers and processors are jointly and severely liable under GDPR for violations of the law.

Now, it’s already challenging to determine if an organization is a controller or a processor, but it should be noted that organizations may be both controllers and processors for different data subjects. For example, an organization that’s a software service provider may be a processor in its core activity of providing software; however, it may be a controller in its marketing efforts and as an employer. So, in that case an organization would have all of the responsibilities of a controller and all of the responsibilities of a processor.

GDPR Fundamentals: Legal Basis For Processing

6 Legal Bases for Processing Personal Data

One of the seven major data processing principles of GDPR is to ensure that personal data is processed lawfully, fairly, and transparently. To comply this principle, Chapter 6 of the GDPR requires any organization processing personal data to have a valid legal basis for that personal data processing activity. Think of these as scenarios in which it would be lawful to process data. GDPR provides six legal bases for processing:

  1. Consent – The data subject has given permission for the organization to process their personal data for one or more processing activities. Consent must be freely given, clear, and easy to withdraw, so organizations need to be careful when using consent as their legal basis. For example, the age of automatically-checked consent boxes is coming to an end through GDPR.
  2. Performance of a Contract – Self-explanatory, right? The data processing activity is necessary to enter into or perform a contract with the data subject. If the processing activity does not relate to the terms of the contract, then that data processing activity needs to be covered by a different legal basis.
  3. Legitimate Interest – This is a processing activity that a data subject would normally expect from an organization that it gives its personal data to do, like marketing activities and fraud prevention. If legitimate interest is used as a legal basis for processing, the organization must perform a balancing test: is this processing activity necessary for the organization to function? Does the processing activity outweigh any risks to a data subject’s rights and freedoms?  If the answer to either of those questions is “no,” then the organization cannot use legitimate interest as its legal basis for processing.
  4. Vital Interest – A rare processing activity that could be required to save someone’s life. This is most commonly seen in emergency medical care situations.
  5. Legal Requirement – The processing activity is necessary for a legal obligation, such as an information security, employment or consumer transaction law.
  6. Public Interest – A processing activity that would occur by a government entity or an organization acting on behalf of a government entity.

Challenges for Choosing a Legal Basis

Choosing the appropriate legal basis for processing is extremely important for several reasons, including:

  • There must be only one legal basis for processing at a time, and that legal basis must be established before the processing begins. Under GDPR, organizations cannot establish the legal basis after processing personal data or alternate between legal bases.
  • Whichever legal basis is chosen must be demonstrable at all times. An organization must be able to show internally, to data subjects, and to regulatory entities what legal basis it uses for each data subject. For example, organizations must be able to demonstrate when and how a data subject provided consent or executed a contract.
  • The legal basis for processing has a significant impact on the way that an organization responds to data subject rights requests because there are conditions, exceptions, and limitations on requests depending on the legal basis for processing.
  • If an organization uses multiple bases to process different data processing activities, the organization should be able to distinguish between which legal bases is being used for which data set and respond correctly to data subject rights requests.
  • Special categories of data (such as race, ethnic origin, religion, trade union membership, biometrics, and health data) have unique legal bases for processing that includes preventive or occupational medicine, public health, collective bargaining agreements, and the legitimate activities of non-profit organizations.

It’s important to note that one legal basis for processing isn’t universally superior to another legal basis for processing. The most effective legal basis for processing depends on the purpose for processing, the type of personal data being processed, and the relationship with the data subject. Choosing which legal basis is appropriate for processing activities is incredibly important; if the wrong legal basis is chosen, it could result in unlawful processing, noncompliant response to data subject rights, and inadequate organizational and technical data processing controls.

Video Transcript

GDPR requires any organization processing personal data to have a valid legal basis for that processing activity. The law provides six legal bases for processing: consent, performance of a contract, a legitimate interest, a vital interest, a legal requirement, and a public interest. First, most organizations ask if they have to have consent to process data. The answer is, not necessarily. As I mentioned, consent is just one of six legal grounds for processing data. If you do use consent, you should know that consent must be freely given, clear, and it must be as easy to withdraw consent as it is to give consent.

Legitimate interest, for example, is something like a marketing activity. That’s a processing activity that a data subject would normally expect an organization that it gives its personal data to do. However, if an organization uses legitimate interest as its valid legal basis for processing, it has to perform a balancing test. Is the processing activity necessary for the organization to function?  Does the processing activity outweigh any objection or risks to a data subject’s rights and freedoms? The contract is pretty self-explanatory. Public interest is a processing activity that would occur by a government entity or an organization acting on behalf of a government entity. Vital interest would be a rare occasion where processing data would be required to save someone’s life.

The reason why the legal basis for processing is so important is because the legal basis must be demonstrable at all times.  An organization must be able to show internally, to data subjects, and to regulatory entities what legal basis it uses for each individual whose data it processes. If a data subject gives its consent to an organization, the organization must be able to demonstrate when and how that data subject gave consent.

Because consent must be freely given, organizations can no longer use automatically checked boxes to demonstrate that data subjects gave consent for the organization to use their data. The consent process must be clear and sometimes it must be separate. For example, if an organization is going to use email to send marketing messages to a data subject, then an organization might choose to have a separate box for email than it does for other forms of communication or text messages or phone calls.

The legal basis for processing is also important because it has a significant impact on the way that an organization responds to data subject rights requests. There are some rights that may be granted if consent is the legal basis for processing or if performance of a contract is the legal basis for processing. There are other implications for legal basis of processing as well. For example, the processing of special kinds of data which include: race, ethnicity, healthcare data, biometric data, among other sensitive pieces of information requires certain bases for processing.

Another challenge for the legal bases for processing is if an organization uses multiple bases to process different data sets. For example, an organization might process the personal data of EU data subjects who are employees of the organization and also of customers who its selling services to and is also marketing to. The legal basis for processing employee data may be different than the legal basis for processing customer data. An organization should make sure that they can distinguish between which legal bases is being used for processing to ensure that they respond correctly to data subject rights and to ensure that they perform any balancing tests related to legitimate interests. Finally, it should be noted that organizations can’t select which legal basis they are using to process data and then later change the legal basis if they use both consent and contract. There must be only one basis for processing personal data at a time.

Here are some more notes on the legal bases for processing personal data. First, the legal basis for processing personal data must be established before processing begins. Organizations can’t start processing personal data and then go back and try to execute contract, obtain consent, or claim legitimate interest. Second, one legal basis for processing isn’t necessarily superior to other legal bases for processing. The most effective legal basis for processing depends on the purpose for processing and the relationship with the data subject.

GDPR Fundamentals: Data Subject Rights

GPDR is such a revolutionary law because its focus is so heavily on the data subjects and protects personal data not only in the shape of security, but also in privacy. The law actually gives data subjects seven rights, outlines in Chapter 3. These seven rights of data subjects ensure transparency between data subjects and those organizations that are processing their personal data and include:

  1. Right to access
  2. Right to rectification
  3. Right to erasure
  4. Right to restriction
  5. Right to data portability
  6. Right to object
  7. Right in relation to automated decision-making

There are conditions and exceptions to every right, so there’s a lot to learn. Let’s discuss these seven data subject rights and how organizations should respond when a data subject exercises any of those rights.

Right to Access

In Article 15, you’ll find the first data subject right: the right to access. This right gives data subjects the ability to confirm whether or not a controller is processing their personal data. This data subject right also entitles data subjects to obtain the controller’s purposes for processing, categories of the personal data being processed, third parties who receive their personal data, data retention policy, and other information.

Right to Rectification

A key component of GDPR is accuracy. The law requires that controllers and processors maintain the accuracy of personal data, but the data subject right in Article 16 also brings data subjects into this process. The right to rectification gives data subjects the right to dispute the accuracy of their personal data being processed by controllers. Data subjects can request that inaccurate data be corrected, which could require supplementary information to ensure accuracy.

Right to Erasure

The right to erasure, or the right to be forgotten, gives data subjects the right to have a controller delete their personal data. This isn’t an absolute right; just because a data subjects asks that their data be deleted doesn’t mean that a controller has to delete that data. There are five circumstances in which a controller might delete personal data, including:

  1. If the data was processed unlawfully
  2. If the organization no longer needs the data for the purposes that it originally collected the data
  3. If there is a legal requirement to delete the data
  4. If a data subject gave access to their data based on consent and they have withdrawn that consent
  5. If a data subject has objected to the processing of their data and requested that their data be deleted

The right to erasure is tricky, though. If even one of those five conditions exist for deleting personal data, a controller may still have a reason to maintain that data. For example, if there is a requirement from the EU to maintain that data, if there is litigation regarding that data, or if a controller needs to maintain that data for historic or scientific purposes, then a controller may not have to delete that data. So, a controller must first determine if a valid ground exists to delete the data, and determine whether there is an exception.

Right to Restriction

Article 18 outlines a fourth data subject right, the right to restrict processing. Why would a data subject exercise their right to restriction? They may be challenging the controller’s accuracy of their personal data, challenging the lawfulness of the processing activities, or challenging if the controller needs the data for the original purpose.

Restriction may be achieved one of several ways: it can be deleted, restricted, sequestered, or suppressed. If a controller grants a request for restriction, not only does the controller have to restrict the processing, but it should also notify processors and other third parties that a restriction request has been granted.

Right to Data Portability

Data subjects have the right to data portability, meaning that they can obtain their personal data from a controller in a structured, commonly used format, and have the right to transmit that data to another controller without hindrance. There are three conditions that have to be met for a valid portability request, including:

  1. The data subject directly gave their personal data to a controller
  2. The legal basis for processing is consent or performance of a contract
  3. The controller is using automated means to process the personal data

If all three of these conditions are met, then a controller must provide either the data subject or the data subject’s request for another controller with a copy of their personal data in a commonly used format.

Right to Object

Data subjects have the right to object to processing activities. Data subjects may object to any processing of their personal data by a controller if that processing is based on legitimate interest and there are not any overriding reasons to reject the data subject’s request for objection.

Right in Relation to Automated Decision-Making

The final data subject right given by GDPR is the right to object to automated decision-making, including profiling. Data subjects may request human intervention in cases when a controller uses automated processes to make a significant or legal decision, but controllers can reject these requests based on certain conditions. If the objection to automated decision-making is granted, the controller must suppress or restrict the personal data that was used in the automated process.

Responding to Data Subject Rights

When a data subject exercises any of their rights under GDPR, controllers have one month to respond to the request. They can either grant that request or respond by giving the reason for denial. Controllers cannot charge data subjects for exercising their rights unless they find that the request is unfounded or excessive. Controllers should always ensure that they are documenting names, dates, the nature of requests, investigations, and responses to data subjects’ requests so that, at any time, they can demonstrate proof that it was properly received and responded to.

More GDPR Resources

GDPR Readiness: Are You a Data Controller or Data Processor?

What is GDPR Personal Data and Who is a GDPR Data Subject?

The Cost GDPR Non-Compliance: Fines Penalties

Video Transcript

GDPR presents personal data not only in the form of security, but also in the form of privacy. Specifically, GDPR gives data subjects certain rights. We’re going to talk about seven of those rights; both the nature of the rights and the processes that organizations should use to respond to data subjects requesting to exercise one of those rights.

First, the right to access. This right gives data subjects the ability to confirm whether an organization is processing their personal data. It gives data subjects the ability to receive a copy of their personal data and it gives data subjects the right to certain information on processing activities, including the nature of the processing activities, the purposes, third parties who receive their personal data, data retention policies, and other information.

The second right is the right to rectification. This gives data subjects the right to contest the accuracy of their personal data being processed by an organization. One of the processing principles of GDPR is accuracy. The law not only requires organizations to maintain accuracy on their own, but it also allows data subjects to be involved in that process. Data subjects can request that inaccurate data be collected, and data subjects can also provide controllers with supplementary information to ensure that incomplete data is brought to completion or brought to currency.

The third right is the right to erasure. This right is also known as the right to be forgotten and gives data subjects the right to have an organization to delete, in total or in partial, their personal data. This right is not a complete and absolute right, which means that just because a data subjects asks that their data be deleted, doesn’t mean that an organization must delete that data. There are five circumstances in which an organization might delete personal data. 1) If the data was processed unlawfully; 2) If the organization no longer needs the data for the purposes that it originally collected the data; 3) If there is a legal requirement from the EU to delete data; 4) A data subject gave their personal data based on consent and they have withdrawn that consent and requested that their data be deleted; 5) A data subject has objected to the processing of their data and requested that their data be deleted.

However, even if one of those five grounds exist for deleting personal data, an organization still might have reasons to maintain that personal data. One of those reasons is that if there is an EU requirement to maintain that personal data. Another ground is if there is litigation or legal defense regarding that personal data. A third and final reason is if an organization needs to maintain that data for historic or scientific purposes. So, for the right to erasure, an organization must first determine whether or not a valid ground exists to delete the data. Secondly, an organization must determine whether or not there is an exception to the requirement to delete that data.

A fourth right given to data subjects by GDPR is the right to restriction. There are four reasons for an organization to grant a request for restriction. First, if a data subject is challenging the accuracy of their personal data, an organization may also restrict processing that personal data until the issue regarding the accuracy is resolved. Second, if the organization no longer needs the personal data for the original purpose, but they do need that personal data to maintain a legal defense, then they can restrict processing with the exception of using that data for litigation purposes. Third, if the data subject is challenging the lawfulness of the processing, then the organization may restrict the processing until the issue of lawfulness is resolved. Fourth, if a data subject has objected to data processing, the organization may restrict processing until the objection for processing is resolved.

Restriction may be achieved one of several ways: it can be deleted, it can be restricted, sequestered, or suppressed.

As with the other data subject rights, if an organization grants a request for restriction, not only does the organization have to restrict the processing of personal data itself, but it should also notify processors and other third parties who receive the personal data that a restriction request has been granted.

Once an organization has reviewed a request for restriction and determines that it has a valid basis for processing the data, the organization may lift the restriction. Before it does so, it must notify the data subject in writing prior to lifting the request for restriction. There are several grounds for which an organization may lift that restriction: if it determines that that data is accurate, if it determines that it has a lawful basis for processing, if it determines that the objection request is not valid, or if it determines that it does need the data for the original purpose that it was collected.

There are four additional grounds that give an organization the ability to lift a restriction: if the data subject gives consent, if there’s a need to maintain a legal defense, if there’s a need to protect a third party, or if there’s important public grounds for the EU or a member state. It should be noted that data storage processing activities are not subject to restriction request.

A fifth right that GDPR gives data subjects is the right to data portability. There are three conditions that have to be met for a valid portability request: the data subject has to have directly given their personal data to an organization, the legal basis for processing has to be consent or performance of a contract, and the organization has to be using automated means to process the personal data. “Automated” implies anything that’s not paper. If all three of those conditions are met, then an organization must provide either the data subject or the data subject’s request for another controller with a copy of their personal data in a commonly used format. Examples of commonly used formats include: XML, CSV, and JSON.

A sixth right that GDPR gives data subjects is the right to object to processing activities. This right is broken down into both the right to object and the right to object to automated decision-making. First, we’ll talk about the right to object generally. Data subjects may object to any processing of their personal data by an organization if that processing is based on legitimate interest and there are not any overriding reasons to reject the data subject’s request for objection. The easiest right to handle of all is the right to handle the objection to direct marketing. In this case, there are no objections and there are no exceptions. If a controller receives an objection to direct marketing, the controller must – as soon as practically possible and within the required time frame – cease marketing to that data subject. Again, there are no conditions and there are no exceptions.

The final right is the right in relation to automated decision-making, including profiling. GDPR gives data subjects the right to object to automated decision-making and requests for human intervention in cases where an organization uses automated processes to make a significant or legal decision, such as employment or the extension of a loan. In those cases, a data subject can request a human be involved in the decision-making process. Organizations can reject requests for human intervention on automated decision-making if the data subject gave consent for such automated decision-making, if that automated decision-making is based on the performance of a contract, or if there is an EU legal requirement or mandate that gives the organization the ability to process the data automatically. If the objection to automated decision-making is granted, the organization must suppress or restrict the personal data that was used in the automated decision.

Now that we’ve talked about some of the rights that GDPR gives to data subjects, let’s talk about the process of responding to these rights. First, timeframes. Controllers have one month to respond to a data subjects request – either to grant that request or to respond in writing giving the reason for denial. GDPR does give organizations a one-time two-month extension. If organizations are going to use that extension, they must respond to a data subject within one month in writing, giving the data subject the reason for the delay. Additionally, organizations may not charge data subjects for exercising their rights under GDPR unless an organization determines that the request is either unfounded or excessive. In that case, an organization may either deny the request or charge only the administrative costs for responding to such requests. Organizations should ensure that they are documenting names, dates, the nature of requests, investigations, and responses to such requests so that if a data subject challenges their timeliness or a supervisory authority investigates a data subject’s request, an organization can demonstrate proof that it’s properly received and responded to such data subject requests.

GDPR Fundamentals: The Basics of the Law

Have you been clicking “Accept” on a lot more sites asking for consent to use cookies? Did you receive a flood of updated privacy policies from brands you are subscribed to? Have you noticed that companies who’ve been recently breached are giving out a lot more information about the event than they normally would? There is a reason for all of this, and it’s GDPR.

What is GDPR?

Born out of sophisticated cyber threats, technology advances, and concerns about data misuse, the European Union’s General Data Protection Regulation (GDPR) is not just one of many other data protection frameworks or requirements. This law is the top regulatory focus of 2018, even among US companies, and is considered to be one of the most significant information security and privacy laws of our time. The law gives data subjects rights over their personal data and establishes obligations for any organization around the world that is processing the data of an EU data subject, making the applicability of the law follow data rather than following a data subject or physical location. GDPR requires all data controllers and data processors that handle personal data of data subjects to apply appropriate security and organizational measures in order to safeguard the confidentiality, integrity, and availability of processing services. GDPR was enacted in 2016 and became enforceable on May 25, 2018.

What are the Consequences of Non-Compliance?

Organizations who have grown used to being slapped with minor fines for data breaches or data misuse may be shocked to hear that GDPR sets forth two tiers of fines, with the lower level charging up to €10 million or 2% of a company’s annual global revenue, whichever is greater. The lower level tier is imposed for breaches of controller or processor obligations, and the upper level is imposed for breaches of data subjects’ rights and freedoms. The upper level tier fines up to €20 million for violations or 4% of a company’s annual global revenue, whichever is greater.

Let’s take a look at a few examples of how non-compliance could impact an organization.

  • In 2017, Hilton Hotels & Resorts was fined $700,000 for a data breach that impacted over 350,000 cardholders. That’s a fine of just $2 per person affected by the breach. Considering that Hilton’s annual global turnover for the previous year was $10.5 billion, the company could have been fined a maximum of $420 million for the breach under the GPDR’s harshest fine. That’s a fine of $1,200 per person affected.
  • Between 2013 and 2014, 3 billion Yahoo user accounts were breached. Yahoo did not disclose the severity of the breach until 2017, thus failing to meet the 72-hour notification requirement established by GDPR. Because Yahoo’s revenue exceeded $4 billion in 2012, the company could have been fined between $80 million – $160 million if GDPR was in effect at the time of the breach.

Not only are the requirements and scope for GDPR extremely broad, but the fines and penalties that organizations could face due to non-compliance are unlike any fines and penalties imposed by a regulatory body before. This is why understanding this revolutionary data privacy law is so important.

Have more questions? Watch more from our GDPR Fundamentals series or contact us today to get started on your GDPR compliance journey.

More GDPR Resources

What is GDPR Personal Data and Who is a GDPR Data Subject?

Which GDPR Requirements Do You Need to Meet?

10 Key GDPR Terms You Need to Know

The Cost GDPR Non-Compliance: Fines Penalties

Video Transcript

Welcome to the KirkpatrickPrice video series on the General Data Protection Regulation. At KirkpatrickPrice, our vision statement is to educate, empower, and inspire. In this video series, we will educate you regarding the General Data Protection Regulation, empower you to take the actions that your organization needs to become compliant, and inspire you to maintain compliance throughout the duration of your processing activities. The General Data Protection Regulation is a law that was enacted in 2016 and became enforceable on May 25, 2018. The law gives data subjects rights over their personal data and establishes obligations on any organization around the world that is processing the data of an EU data subject. The law sets forth fines of up to €20 million for violations or 4% of a company’s global revenue, whichever is greater. That’s the reason that knowing and following the law is so important. Join us in this series as we help you comply with GDPR.