The Global Context of GDPR Compliance
This article provides an insight into the extraterritorial scope of the Global GDPR 2018. The fundamental aim of the regulation is to strengthen the data privacy rights of European Union (EU) citizens, while imposing stringent obligations on companies that process personal data and, consequently, granting regulators stronger enforcement powers.
Although the Global GDPR is an EU law, there are circumstances in which it applies to companies across the globe. Regardless of where a company is located, any processor or controller that processes personal data relating to EU citizens must comply with the GDPR's requirements. Nor does it apply exclusively to EU citizens: the regulation concerns the territory of the EU, not only the EU member states and their nationals. Therefore, a Chinese person on holiday in France would be covered by the GDPR, whereas a Dutch person located in China would not.
- Overview of GDPR
- Right to Access/ Right to Rectify
- Right to Erasure
- Right to Lodge Complaint/ Non-Compliance
- Data Breach
Overview of Global GDPR
The Global GDPR is an EU data regulation that aims to protect personal data, enforce transparency and accountability, and restrict data exploitation. The GDPR requires data processors and data controllers located in the EU, companies that supply goods and services to individuals in the EU, and/or companies with workers in the EU to abide by the regulation.
Data controllers are the people or organisations that determine the purposes and means of processing personal data, whereas data processors process personal data on behalf of the controllers. Consequently, companies that have no direct business operation in any of the 28 member states of the EU but do have a web presence will also have to implement the GDPR in their privacy policies.
This is because personal data or behavioural information is being collected, and if those individuals are EU residents, the company is subject to the requirements of the GDPR. Compliance includes maintaining documentation on processing activities, carrying out a data protection impact assessment, and performing risk mitigation. This will identify the security measures, such as encryption, that should be put in place to achieve the highest level of security possible.
What counts as Personal Data
The definition of personal data now goes beyond its ordinary meaning. The GDPR defines personal data as 'information relating to an identified or identifiable natural person'. This definition has been expanded to reflect the types of data organisations collect, since a person can be identified from location data, online identifiers, or other factors such as the physical, physiological, mental, cultural, economic or social identity of the person. This includes, but is not limited to, IP addresses, cookies, and social media posts.
With the introduction of the GDPR, requests for consent must be accessible and clearly distinguishable. International organisations need to acquire legitimate consent to process the personal data of EU residents, as consent must be an informed act by the individual. Therefore, it is essential that consent requests are written in language that is precise and clear. For example, a pre-ticked box is no longer an adequate method of obtaining consent. In addition, data subjects must also be informed of their right to withdraw consent at any time.
Right to Access/ Right to Rectify
The Global GDPR gives EU citizens the right to access the data that an organisation holds on them. Upon request, the organisation must provide an overview of the categories of data being processed, the individuals who have access to it, and the specific purpose of the processing. The data controller must inform the data subject within one month. Further requests may cover how long the information is stored for and who has access to it.
The Global GDPR also requires companies to use plain and simple language to convey information such as terms and conditions clearly. Furthermore, data subjects have the right to modify any personal data retained about them, and companies are expected to provide a secure process through which individuals can directly access their data.
Right to Erasure
Data subjects have the right to request to be forgotten, meaning that all personal data relating to them must be completely erased. This right also applies when the data is no longer required for any legitimate reason. Organisations should implement periodic reviews to check whether personal data is still relevant or is eligible for erasure, and thus facilitate deletion requests. In addition, both technical and organisational measures must be used to ensure data is disposed of securely.
Right to Lodge Complaint/ Non-Compliance
The Global GDPR gives data subjects the right to lodge a complaint with a supervisory authority if they have reason to believe that the processing of their personal data infringes the GDPR. The supervisory authority is then obliged to investigate accordingly, and is expected to communicate the progress or outcome of the complaint within 3 months. If the relevant supervisory authority does not inform the data subject of the progress, or rejects or dismisses the complaint, within that time frame, the data subject has the right to a judicial remedy.
Failure to comply with the regulation may result in substantial financial penalties. The supervisory authority can fine controllers and processors up to 4% of their annual turnover for the preceding year for non-compliance. There is also a greater emphasis on being able to demonstrate compliance to a regulator: organisations are required to develop a privacy compliance plan that can be inspected. The safest approach is for companies to comply with the highest standards by setting up internal procedures and protocols.
Data Breach
The regulation specifies that when a breach has occurred, data controllers must notify the relevant supervisory authority and the affected data subjects. There is a maximum time limit of 72 hours once a data processor has become aware of a breach. The description of the data breach must be clear and accurate. Furthermore, companies must consider improvements to their security measures to avoid further data breaches.
In conclusion, the Global GDPR is a step in the right direction towards safeguarding against data exploitation. The rights highlighted above are important factors in complying with the GDPR and must be adhered to by organisations across the globe that deal with customers based in the EU. Given the significant financial consequences of non-compliance, it is imperative that companies all over the globe evaluate their business and how it relates to EU citizens.
The information contained in this article is valid on October 8th, 2018. For updated information, please contact us via email at firstname.lastname@example.org.