The General Data Protection Regulation (GDPR) is an important change regarding data privacy.
The main motivation of EU legislators is to give citizens back control of, and access to, their own personal data. At the same time, another objective of the regulation is to unify the data regulatory environment within the EU.
The effect on business and data management is worldwide: every company that processes personal data of EU citizens has to comply with the GDPR.
Adopted on April 27, 2016 and applicable from May 25, 2018, the GDPR provides extremely dissuasive sanctions:
- Up to 10 million euros or, in the case of a company, 2% of global annual turnover for breaches of obligations such as Privacy by Design, Privacy by Default, PIA, etc.;
- Up to 20 million euros or, in the case of a company, 4% of worldwide annual turnover for breaches of rights, including the rights of persons (rights of access, rectification, opposition, cancellation, right to be forgotten, etc.).
In each case, the higher of the two amounts applies.
Do not panic!
Since 1995, you have complied with the principles of Directive 95/46/EC (the "Data Protection Directive"). The 7 principles set out by the GDPR are similar, even though the list of obligations is in fact somewhat longer.
Indeed, certain aspects of the GDPR are new compared to the Directive (they are listed under each principle below).
1. Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and transparently with regard to the data subject.
Right to be forgotten
GDPR Article 17: "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay"
Right to portability
GDPR Article 20: "The data subject shall have the right to receive the personal data concerning him or her [...] in a structured, commonly used and machine-readable format"
2. Limitation of purpose
Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes. Further processing of personal data for archival purposes in the public interest, for scientific or historical research purposes, or for statistical purposes is not considered incompatible with the initial purposes of the processing. However, the conditions set out in Article 89(1) (which lists the safeguards and derogations relating to processing for such purposes) must be satisfied.
3. Data minimization
Personal data must be adequate, relevant and limited to what is necessary for the fulfillment of the purposes for which those data are processed.
4. Accuracy and data quality
Personal data must be accurate and up-to-date; all reasonable steps must be taken to ensure that inaccurate data, with regard to the purposes for which they are processed, are erased or rectified without delay.
5. Storage limitation (retention period)
Personal data must be kept in a form which allows the identification of the persons concerned (the data subjects) for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods provided that they are processed exclusively for archival purposes in the public interest, for scientific or historical research purposes, or for statistical purposes, in accordance with Article 89, and provided that the appropriate technical and organizational measures are implemented.
Storage Limitation & Data lifecycle
GDPR Article 5.1.e / 25: "[Personal data shall be] kept in a form which permits identification of data subjects for no longer than is necessary"; "That obligation applies to [...] the period of their storage and their accessibility."
Right of access to personal data
GDPR Article 15.3: "The controller shall provide a copy of the personal data undergoing processing"
6. Security, integrity and confidentiality
Personal data must be processed in a manner that ensures the appropriate security of such data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
Pseudonymization & Anonymization
GDPR Article 25.1: "The controller shall [...] implement appropriate technical and organisational measures, such as pseudonymisation"
Data loss prevention
GDPR Article 32: "The controller and the processor shall [...] restore the availability and access to personal data in a timely manner in the event of [...] a technical incident"
Data loss detection
GDPR Article 33.1: "In the case of a personal data breach, the controller shall without undue delay [...] notify the personal data breach to the supervisory authority"
The controller is responsible for compliance with these principles and must be able to demonstrate that they are being respected.