This article was updated on July 6, 2018.
The European General Data Protection Regulation (EU GDPR), the most significant change to data protection in three decades, became effective on May 25, 2018. The regulation intends to strengthen individual data and privacy protection for individuals residing within the EU. Additionally, it intends to simplify the regulatory framework for international business by unifying data and privacy regulations. It replaces the Data Protection Directive from 1995.
Regulation vs. Directive
One key feature of this sweeping change is that the EU GDPR is a regulation replacing a directive. Regulations apply directly to each member state in the EU, whereas with a directive, each member state has discretion as to how it implements data protection rules. Thus the regulation, which itself offers stringent data and privacy protection, also simplifies the regulatory framework across the EU by unifying data and privacy rules. This will eliminate inconsistencies among local laws and reduce administrative costs and burdens for international businesses when interacting with multiple data and privacy protection authorities.
Newly Expanded Jurisdiction
Another key feature under the regulation is the newly expanded jurisdiction, which could impact businesses based outside the EU. Under the former Data Protection Directive, a business was subject to the data protection law only if it was located in an EU country or used equipment in an EU country to process data. However, the new regulation also applies to any business that offers goods or services to individuals in the EU or monitors such individuals' behavior (such as operators of commercial websites or mobile apps). This is a broad expansion of the requirements that will affect many more organizations across the globe.
Consent will continue to be a requirement for processing personal data under the GDPR, but the regulation sets forth stricter conditions for what counts as consent. As GDPREU.org notes, consent is defined as "any freely given specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed." For children under age 16, parents must give consent for processing their children's personal data, although an EU member state may choose to lower that age to 13 at its discretion.
New Rights Established
The EU GDPR has also created two new individual privacy rights — "right of erasure" and "right of portability." The right of erasure, an expansion of the "right to be forgotten," gives individuals the ability to have their personal data erased upon request, notes the Information Commissioner's Office (ICO). The right of portability gives individuals the ability to access their own data with greater ease, the ICO also notes. Upon request, individuals will be able to transfer their personal data from one provider to another. The transfer of such data should promote ease of access for individuals and competition among providers.
The GDPR continues enforcement through the supervisory authorities and the courts, with penal and administrative sanctions in addition to civil remedies. However, the GDPR increases administrative penalties up to a maximum of EUR 20 million or 4 percent of the annual revenue of the organization, depending on the facts and circumstances of the case, according to the International Association of Privacy Professionals.
Steps to Take Toward Compliance
Many businesses haven't been subject to the EU data and privacy laws before, and many details as to scope and implementation still aren't clear. However, for all businesses operating in Europe, or offering goods or services to, selling to or monitoring European individuals, here are steps you can take:
- Review the GDPR in-depth with all available guidance
- Understand the broad scope of personal data under the GDPR
- Create, update or review documentation for personal information and security practices
- Create, update or review documentation for policies and procedures for breaches, incident reports and risk assessments according to GDPR
- Create, update or review any required contract and agreement language
- Determine if hiring a cloud-based HR provider would serve your organization's best interest in mitigating risk of noncompliance with GDPR
HR leaders should also take note of the fact that U.S. citizens living in the EU will be protected by the GDPR, but citizens of the EU who live and work outside of the EU jurisdiction are not protected by these regulations.
Although many organizations have adopted data and privacy measures consistent with the Data Protection Directive, the GDPR contains new protections and expansive measures — for organizations within the EU and beyond — that require additional compliance measures.