On April 26, 2016, the European Union (“EU”) adopted the General Data Protection Regulation (“GDPR”) to enhance data protection rights for all individuals and unify regulation within the EU. GDPR will be implemented on May 25, 2018 after a two-year transition period.
GDPR extends EU data protection authority to all foreign companies processing data of EU residents. Data protection and privacy requirements will now be mandatory for businesses dealing with data of EU citizens.
The following sanctions can be imposed for non-compliance:
- For first time violators and non-intentional compliance, a written warning;
- Mandatory periodic data protection audits;
- A fine up to 10,000,000 EUR or up to 2% of the annual worldwide turnover of the preceding financial year in the case of an enterprise, whichever is greater;
- A fine up to 20,000,000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is greater.
- Full scope of administrative penalties in addition to civil remedies from injured parties.
Key requirements of GDPR include:
- Data Protection Officers (DPO): DPOs must be appointed where the core activities of the organization involve “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data.”
- Data Transparency: GDPR requires certain information be made available at point of data collection. This may include the identity and contact information of the organization/DPO, the purpose and legal basis of the data processing, and the rights afforded to the data subject.
- Consent: A data subject’s consent must be freely given, specific and informative, and expressed by either a statement or affirmative action.
- Data Protection Impact Assessment (“DPIA”): Any organization whose activities are likely to result in a high risk to the rights and freedoms of individuals must conduct a DPIA before proceeding with the activity.
- Data Subject Rights: GDPR gives data subjects the rights to erasure, rectification, portability, and objection to processing.
- Data Security: Personal information must be pseudonymized and encrypted.
- Subject Access Requests/Data Portability: Individuals are permitted to request details regarding the information collected from them and how the data is being used. Data must be provided in a structured, commonly used, and readable format.
- Privacy by Design: Organizations are required to design privacy policies, procedures, and systems at the early stages of any product or process development.
- Data Export to Third Countries: Data can be transferred outside of the European Union under a Commission adequacy decision, standard contractual clauses, and binding corporate rules.
- Breach Reporting: In most cases, data breaches must be reported to the relevant data subjects and regulators without undue delay (within 72 hours, where possible).
Duff & Phelps Will Work to Embed Data Privacy into Your Firm’s Culture
- Analyze your firm’s current policies and procedures regarding data privacy
- Provide detailed recommendations for your firm to help prepare for GDPR
- Our team will work with you to update or draft your firm’s data privacy policies
- The GDPR Scoring Matrix will deliver recommendations that highlight security flaws in your environment and the steps needed to remediate the issues, in the following areas:
- Data collection Transfer and Portability (Consent, Privacy Program Management, Data Security, Data Breach Readiness and Response, Record Keeping)
General Data Protection Regulation and the Regulators’ Cybersecurity Agenda
Ian Manson Quoted in PFM: GDPR Compliance is Now Front and Center