The General Data Protection Regulation (GDPR) was implemented by the European Union (EU) on May 25, 2018 for the purpose of protecting the personal data of EU citizens. The GDPR is described as the strictest and most far-reaching data protection regulation to date, as it is extra-territorial in scope. In essence, the Regulation applies to entities that offer goods or services to EU citizens, irrespective of whether such entities are located within or outside the EU. Any collection, use, storage or disclosure of the personal information of an EU citizen, such as a name or email address, automatically triggers the compliance requirements under the GDPR.
One of the key elements of the GDPR is the set of rights granted to an EU citizen with regard to his personal information. The EU citizen has the right to be informed about the collection and use of his personal information as soon as practicable; the right to access or rectify inaccurate or incomplete personal information; the right to restrict processing of his personal information where the accuracy of the personal information is being contested; the right to be forgotten in circumstances where the personal information is no longer relevant; the right to object to processing of his personal information where such information is being processed for direct marketing purposes; and, most importantly, the right to withdraw consent to the processing of his personal information. The rights of EU citizens, however, are not absolute and are subject to several conditions and exceptions outlined in the GDPR.
Organizations that are subject to the provisions of the GDPR must also ensure that they comply with a number of requirements imposed by the Regulation. Firstly, organizations must obtain the consent of the EU citizen prior to collecting, using, storing or disclosing his personal information. Consent must be freely given, specific and unambiguous, and must be shown either by a statement or by a clear affirmative action which signifies agreement to the processing. The EU citizen must also be informed that he has the right to withdraw consent at any time.
Organizations are also required to implement appropriate technical and organisational measures to ensure compliance with the GDPR. The implementation of data protection policies, or of appropriate systems for identifying and reporting data breaches, is recommended. Organizations must further process personal data in accordance with the various privacy principles laid down in the GDPR.
Failure to comply with the requirements under the GDPR can result in an organization being subjected to severe penalties and fines. If found to be in breach, a company may be liable for a fine of up to €20M or 4% of its global annual turnover, whichever is higher. The fines, however, are discretionary rather than mandatory and are imposed on a case-by-case basis. Just recently, Google was found to be in breach of the GDPR for failing to provide adequate information to users about its data consent policies and about how it collected data for the purpose of personalizing ads, and was fined a total sum of €57M by France's Data Protection Regulator.
To conclude, it is important that all organizations, whether large or small, ensure that they are GDPR compliant, as non-compliance may result in significant financial penalties, loss of existing and potential business, and loss of the client and individual trust built over the years.
Samantha Moore is an Associate Attorney-at-law at Myers, Fletcher & Gordon and is a member of the firm's Commercial Department. Samantha may be contacted via samantha.moore@mfg.com.jm or www.myersfletcher.com. This article is for general information purposes only and does not constitute legal advice.