GDPR: General Data Protection Regulation
Just another law on privacy?
The European General Data Protection Regulation (GDPR), published in May 2016, replaces the previous “Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data” of the European Community. Unlike the previous directive, it is a regulation which, due to its direct legal effect, does not have to be implemented by a patchwork of national laws in the member states.
Citizens are now entitled to a uniform level of protection of their personal data throughout the EU. This means that the cross-border movement of goods is less obstructed and the average level of protection is raised in general.
As of May 25th 2018, the GDPR is directly applicable, and national laws should only elaborate on it in minor details. On February 1st 2017, the German federal government adopted a draft law for such an amendment (DSAnpUG-EU). The resulting new Federal Data Protection Act (“Bundesdatenschutzgesetz”, i.e. BDSG-neu), however, can be criticized as being too long with 85 paragraphs and as conflicting with European law (repetition of GDPR provisions and reduction of data protection in some areas). It remains to be seen whether this adaptation act will be adopted by the Bundestag and Bundesrat on March 8th 2017, or whether further changes will be made.
Facts: What is new about it
The basic concept of data protection from the previous directive remains intact. The GDPR pursues informational self-determination and, accordingly, extends the rights of affected natural persons with the following items:
- In the case of a leak of protected data, affected persons and supervisory authorities must be notified within 3 days (if the data has not been encrypted or pseudonymized)
- More stringent requirements for legal approvals by the data subjects (double opt-in)
- Extended right of access. For example, data processors must be able to name, for each act of data processing, all the parties involved as well as the responsible data protection officer.
- Right to data portability (for transferability in case a service provider is to be replaced)
- Right to be forgotten (data erasure)
According to the location-of-business principle, all companies which process data of EU citizens are affected by the GDPR. This even applies to companies that do not have a branch in the EU. A great deal of work is to be done here, especially for companies operating from outside the EU territory, because the scope has been extended considerably.
For EU-based companies, the provision of services and products across the EU will become somewhat easier, because ideally many national implementation laws based on the old data protection directive will no longer apply, and in effect only the GDPR will have to be observed.
For companies that have to comply with the GDPR, the fine for violations can be considerable: up to 20 million euros or four percent of global (!) annual turnover (whichever is higher) may be imposed per individual violation!
In times of Big Data and IoT, the collected and processed data volumes are growing everywhere. Moreover, the closed company perimeter has become a concept of the past. Both factors make the protection of these large amounts of data far from trivial.
What companies should do next
Corporations have just a bit more than a year to check their activities for compliance with the GDPR and to establish a compliance plan. The regulation itself recommends “data protection by design” and “data protection by default”.
Since, for example, the notification requirement in case of a data leak only applies to unencrypted data, it is advisable to use encryption wherever possible. Disk and database encryption should become standard. In addition, format-preserving encryption offers a further option for introducing end-to-end encryption without necessarily having to change existing intermediary systems.
- GDPR in full length
- GDPR Assessment
- derPUPE: General Data Protection Regulation: rights for people, obligations for companies & opportunities for us (talk at 33C3)
- SecureLink: How to prepare for the GDPR (General Data Protection Regulation)?
- Draft law of the German federal government: EU Data Protection Adaptation and Implementation Act – DSAnpUG-EU
Figure: Impact of the GDPR on HR and Recruiting (image: ©iT-CUBE SYSTEMS AG 2017)