The regulation known by the acronym GDPR (General Data Protection Regulation) was adopted by the European Parliament in 2016 and aims to unify data protection across the European Union (EU). The 28 countries of the EU will have to comply as of 25 May 2018 by providing an action plan that ensures implementation within a period of 3 years.
Which companies are involved in the GDPR?
Whether they act as data controllers or as subcontractors (processors), all public or private companies in the 28 Member States of the European Union that handle personal data in the course of their activities fall within its scope. The GDPR will also apply to companies based outside the EU as long as they collect personal data about EU residents.
The ICO (Information Commissioner’s Office) is the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
What are the key objectives and principles of the GDPR?
In order to strengthen the protection of the personal data of European citizens, the main objectives pursued through this regulation are:
- Substantially consolidate the rights of citizens by giving them more control over their personal data.
- Introduce new rights for EU nationals (for example, the right to portability of personal data and the right to be forgotten).
- Empower the actors involved in processing the data.
- Increase awareness of data regulation through a system of penalties.
The key principles:
The GDPR only concerns the protection of data attached to natural persons (the “data subject”). It sets out the conditions for the collection and use of so-called personal data. To pursue this objective, the GDPR is based on three main principles:
- “Privacy”: all hardware and software infrastructures must have built-in mechanisms for the protection of personal data.
- “Security by default”: companies must ensure selective processing of personal data so that only the data strictly necessary for the use of the service is processed.
- “Accountability”: companies must keep records that retrace the security principles applied and that demonstrate that the company meets the requirements for the security of personal data.
The GDPR does not apply to data relating to legal persons (companies), in particular undertakings established as legal persons, including the name and form of the legal person and its contact details.
What is personal data?
Personal data means any data relating to a natural person who is identified, or who can be identified directly or indirectly, through this data. Examples are an email address, job activity, age and sex.
But then, what is sensitive data?
Sensitive data is data that reveals, directly or indirectly, an individual’s racial or ethnic origin, political, philosophical or religious opinions or trade union membership, or that relates to health or sexual orientation.
The effects of non-compliance
In case of non-compliance in the UK, the ICO may impose on the offender, depending on the infringement, significant fines of up to 20 M €, or, in the case of a company, 2 to 4% of annual worldwide revenue (Article 83 of the GDPR).
In concrete terms, how will the implementation of the GDPR go?
On the road to a true culture of data protection!
The implementation of the GDPR will strengthen corporate responsibility. Indeed, the ICO will ultimately have to ensure optimal data protection at all times and be able to demonstrate it by documenting compliance. To achieve this, they will have to carry out a genuine compliance process within a reasonable period of time.
The ICO takes action to ensure organisations meet their information rights obligations. These actions include:
- Issuing monetary penalties and enforcement notices
- Ruling on more than 8,500 freedom of information and environmental information cases since 2015
- Conducting audits and providing advisory and overview reports
- Providing self-assessment reports and recommendations to organisations
For further information, we invite you to consult the documents below:
To help you successfully integrate the GDPR into your activity, we will publish in the coming days a new article with all our recommendations. By consulting it, you will be able to easily identify all the tools we put at your disposal to help you comply with this new law.
- An application that does not need it will no longer be able to access certain information on smartphones, such as the contacts directory, geolocation or the camera.
- In particular, the consent of individuals to the collection and processing of their personal data must be clear and explicit. This consent may be withdrawn at any time.