About the new EU Regulation and data protection

The GDPR is now in force in all EU Member States.
The impact of the GDPR on how organisations process personal data is substantial, requiring a strong organisational attitude (and perhaps investment) to get ready and maintain ongoing compliance. Organisations need to adopt a logical and harmonised approach to GDPR across all their departments and operations.
Organisations must bear in mind that individuals' rights over their personal data are considerably strengthened, and that data subjects can now enforce those rights directly against organisations (and claim compensation for damage caused by non-compliance).

The most profound changes include:

  • Organisations are now required to build ‘data protection by design’ and ‘data protection by default’ (often called ‘privacy by design/by default’) into their operational processes and into the integration of new technologies, products or services;
  • Organisations are now obliged to carry out a Data Protection Impact Assessment (DPIA) before starting any processing that is likely to result in a high risk to individuals (for example large-scale processing of special categories of data, or systematic and extensive profiling), and to consult the supervisory authority where the residual risk remains high;
  • New rights, such as data portability and the right to erasure (the ‘right to be forgotten’), were added to the rights that already existed under previous data protection legislation;
  • A new obligation to notify the competent data protection supervisory authority of a personal data breach (without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals), and to inform the affected individuals where the breach is likely to result in a high risk to them;
  • Heavy fines are in place for non-compliance, of up to EUR 20,000,000 or, if higher, 4% of the organisation's total worldwide annual turnover for the preceding financial year; and
  • A new approach to the processing of children's data and special rules around profiling and other automated decision-making.

The GDPR is one of the most widely discussed pieces of legislation in the world, and its territorial reach is global. It applies to:

  • Organisations established in the EU, in relation to the activities of that establishment, irrespective of whether the data is processed within the EU or outside the EU; and
  • Organisations established outside the EU, where they offer goods or services to data subjects in the EU (whether or not payment is required) or monitor the behaviour of data subjects, as far as that behaviour takes place within the EU. Such organisations generally also have to designate a representative in the EU.
    (Relevant Articles: Art. 2, Art. 3, Art. 4, Art. 27)


The GDPR legal environment

Direct effect: The GDPR is a Regulation and takes direct legal effect in all Member States. Unlike a Directive, it does not need to be transposed into national law. It became immediately applicable and enforceable in all Member States on 25 May 2018. Member States have nevertheless issued national legislation designating the competent supervisory authorities and setting out their inspection and sanctioning powers.

The principle of primacy: As EU law, the GDPR takes precedence over any conflicting provision of Member State national law, including sector-specific regulations.

Sector regulations: The GDPR leaves Member States room to adopt additional, more specific rules in defined areas (for example employment law, Art. 88). These national laws may specify or supplement the principles of protection in the GDPR, but cannot lower the level of protection it guarantees.

Delegated and implementing acts: The GDPR empowers the European Commission to adopt delegated and implementing acts in specific, narrowly defined areas (Art. 92 and 93). The European Data Protection Board (EDPB), which replaces the Article 29 Working Party, does not adopt such acts; it issues guidelines, recommendations and opinions, and takes binding decisions in disputes between supervisory authorities, to promote consistent application of the GDPR across the EU.

The European Commission maintains a website dedicated to guidance and information on the GDPR.
