As the clock ticks closer to 25 May 2018, when the EU's GDPR becomes enforceable, the effects on organisations that process the personal data of EU residents will be felt most by the unprepared. The regulation has taken on added importance because of the large breaches being reported with alarming frequency. It is worth noting that Brexit will not affect GDPR's enforcement in the UK. Here is a quick fact check to give businesses a starting point from which to raise further queries and seek clarification.
What are the penalties? On whom are they imposed?
The administrative fines are two-tiered and are set out in Article 83; which tier applies depends on the provision infringed. Put simply, the two thresholds are:
- Infringement of the core provisions of GDPR (for example the basic principles for processing, the conditions for consent, data subjects' rights and international transfers), which attract a fine of 'up to €20 million or 4% of total worldwide annual turnover, whichever is higher'. For the purpose of the calculation, the turnover of the preceding financial year is used.
- Infringements of a less severe nature, such as failures in the controller's and processor's own obligations (records of processing, security measures, breach notification, appointment of a Data Protection Officer), which attract a fine of 'up to €10 million or 2% of total worldwide annual turnover, whichever is higher'. Again, the turnover of the preceding financial year is used.
Entities that handle personal data from the EU fall into two categories, data controllers (who determine the purposes and means of processing) and data processors (who process on a controller's behalf). Administrative fines, if imposed, can be applied to either or both.
Are there any accountability requirements as part of compliance? Specifically, what is Art 33?
Yes. GDPR is explicit that businesses must not only comply but be able to demonstrate compliance, which in practice means documenting the measures taken to protect personal data. Specifically, this is recorded in the records of processing activities (the data processing register) that Article 30 requires most controllers and processors to maintain, and businesses need to keep evidence that robust safeguards are actually in place. Art 33 is better known as the notification of a personal data breach. It requires a data processor that becomes aware of a breach to notify the data controller without undue delay, and the controller in turn to notify the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals. If notification is late, the controller must give the reasons for the delay. The issue most businesses will face is the absence of clear internal processes (who detects, who assesses, who escalates, who notifies) needed to get a breach from discovery to the supervisory authority within those 72 hours.
What are the obligations of a Data Processor and a Data Controller?
GDPR Article 28 deals with the obligations of a data processor. It spells out exhaustively all obligations, some of which include the following:
Chapter IV of GDPR (Article 24 onwards) deals with the responsibilities of a data controller, some of which are listed below:
What exactly is the right to be forgotten?
Article 17 of the GDPR spells out the right to be forgotten, formally the right to erasure. Put simply, individuals have the right to request that their personal data be erased or removed from systems. This applies on specific grounds, for instance where the data is no longer needed for the purpose for which it was collected, or where the individual withdraws the consent on which the processing was based; the right is not absolute, and Article 17 itself lists exceptions such as data that must be retained to meet a legal obligation. This might appear to be one of the easier obligations to meet. However, businesses need to be aware that the data may reside anywhere in their systems: in primary databases, backups, logs, exports and with third-party processors. Locating every copy of the data and securely erasing it can be a nightmare, depending on the nature of the data, and a controller that has shared the data with others must also take reasonable steps to inform them of the erasure request. Failure to erase, or to furnish proof of erasure, is liable to be treated as an infringement.
GDPR, as a regulation, standardises the compliance requirement across the EU, and will also offer a layer of protection from claims and complaints to an entity that is compliant and follows the regulation to the letter. Sensitive information, including personal data, needs to be handled with greater responsibility, and organisations need a risk-adaptive security approach that works in tandem with regulatory compliance.
DNS has partnered with LawBite, business law experts, to help you understand your GDPR requirements and provide the products and services your organisation needs to become GDPR compliant before the deadline of 25 May 2018.