Operational impacts of GDPR
There are significant changes to Europe’s data protection regime under the GDPR, and the introduction of heightened fines and a robust enforcement mechanism suggests that the Regulation’s provisions should be taken seriously.
With new obligations on such matters as data subject consent, data anonymization, breach notification, trans-border data transfers, and the appointment of data protection officers, to name a few, the GDPR requires companies handling EU citizens’ data to undertake major operational reform.
The most important operational impacts on an organization due to the new regulatory framework are:
Data security and breach notification
GDPR raises the standards for security of data processing, introduces harmonized “personal data breach” notification standards, and harmonizes these requirements across Member States.
The (mandatory) Data Protection Officer
GDPR acknowledges the value of “privacy on the ground” by requiring the designation of a Data Protection Officer. Data Controllers and Data Processors MUST appoint a DPO if they are public authorities, if their core activities require “regular and systematic monitoring” of data subjects on a “large scale”, or if their core activities involve “large scale” processing of special categories of personal data or of criminal records.
Data subject consent
GDPR enhances the requirements for obtaining data subject consent: it mandates affirmative consent for data processing, requires explicit consent for special categories of personal data, and requires parental consent for processing the personal data of children (individuals under 16 years old).
Cross-border data transfers
Under GDPR, transfers of personal data outside the European Union (EU) countries are restricted.
Profiling
The GDPR restricts “profiling” and gives data subjects significant rights to avoid decisions based on profiling.
Right To Be Forgotten (RTBF) and data portability
GDPR enhances existing individual rights and creates new ones, such as the right to erasure and the right to be forgotten, a new right to data portability, and enhanced rights to notice, access, rectification and to object to processing.
Controllers and Processors Management
The GDPR expands significantly upon the controller’s responsibility for processing activities and sets out specific rules for allocating responsibility between the controller and the processor. It prescribes additional duties for processors and restrictions on subcontracting, and it also provides specific provisions for joint controllers.
Pseudonymisation
This new term refers to the technique of processing personal data in such a way that it can no longer be attributed to a particular data subject without cross-referencing it with additional information. That additional information must be kept separately and be subject to technical and organisational security measures, so as to ensure that the data subject cannot be identified from the pseudonymised data alone.
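The following is an added illustration of that definition in code; it is not part of the original page and does not come from the GDPR text. It pseudonymises a constructed customer dataset by replacing the identifying field with a keyed HMAC token, and keeps the "additional information" (the HMAC key and the token-to-identifier mapping) in a separate store. The `SeparateKeyStore` class, the sample records and all function names are assumptions chosen for the example. A keyed HMAC is used rather than a plain hash because a plain hash of a predictable identifier such as an e-mail address can be matched by anyone who can guess the input, whereas the token here cannot be reproduced or reversed without the separately held key.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records for the example; these are not real people.
SAMPLE_RECORDS = [
    {"email": "alice@example.org", "country": "DE", "purchases": 3},
    {"email": "bob@example.org", "country": "FR", "purchases": 1},
    {"email": "alice@example.org", "country": "DE", "purchases": 2},
]


@dataclass
class SeparateKeyStore:
    """The 'additional information' the Regulation requires to be kept
    separately: the HMAC key and the token -> identifier mapping.

    In a real deployment this lives in a different system with its own
    access controls and audit logging; here it is a plain object (assumption).
    """
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    mapping: dict = field(default_factory=dict)


def pseudonym(identifier: str, key: bytes) -> str:
    """Derive a stable pseudonym for an identifier under a secret key.

    The same identifier under the same key always yields the same token,
    so records about one person still link together for analysis, but the
    token cannot be computed or inverted without the key.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, store, field_name="email"):
    """Return a copy of the dataset with the identifying field replaced by a
    token, recording the token -> identifier link only in the separate store."""
    out = []
    for rec in records:
        token = pseudonym(rec[field_name], store.key)
        store.mapping[token] = rec[field_name]
        pseudonymised = dict(rec)
        del pseudonymised[field_name]
        pseudonymised["subject_token"] = token
        out.append(pseudonymised)
    return out


def reidentify(token, store):
    """Re-identification is only possible with access to the separate store."""
    return store.mapping.get(token)


def dataset_contains_identifiers(records, field_name="email"):
    """Check that no record in the released dataset still carries the identifier."""
    return any(field_name in rec for rec in records)


if __name__ == "__main__":
    store = SeparateKeyStore()
    released = pseudonymise(SAMPLE_RECORDS, store)
    for rec in released:
        print(rec)
    print("identifiers present:", dataset_contains_identifiers(released))
    print("re-identified first record:", reidentify(released[0]["subject_token"], store))
```

The released dataset on its own reveals only that two records belong to the same subject; linking a token back to a person requires the separately held store, which is exactly the separation the definition above requires. Rotating the key in that store produces entirely different tokens, so a pseudonymised extract cannot be joined with one produced under another key.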
Codes of conduct and certifications
Confirming each data controller’s or processor’s compliance with the GDPR’s many protections for data subjects would exceed the capacity of any regulator. The GDPR therefore endorses the use of codes of conduct and certifications to provide guidance on its requirements, to signal to data subjects and regulators that an organization complies with the Regulation, and to offer third-party oversight as a further check on controllers’ and processors’ data handling practices.
Consequences for GDPR violations
More than any new substantive right or complex procedure, the GDPR measure most likely to draw attention from organizations is the provision on penalties and fines. In a stark departure from previous privacy legislation in Europe or elsewhere, the GDPR authorizes regulators to levy remarkably steep fines of up to 20 million euros or 4% of annual global turnover, whichever is higher.