The General Data Protection Regulation (GDPR)
What is the GDPR?
The EU GDPR (General Data Protection Regulation) is a pan-European data protection law, which superseded the EU’s 1995 Data Protection Directive and all member state law based on it, including the UK’s DPA 1998 (Data Protection Act 1998), on 25 May 2018.
The EU GDPR extends the data rights of individuals (data subjects) and places a range of new obligations on organisations that process EU residents’ personal data.
In the UK, the DPA 2018 (Data Protection Act 2018) supplements the GDPR: it applies a “broadly equivalent regime” – known as “the applied GDPR” – to certain types of processing that fall outside the EU GDPR’s scope, such as processing by public authorities carried out for purposes outside EU law, and sets out separate data processing regimes for law enforcement processing and for processing by the intelligence services.
Who does the EU GDPR apply to?
The EU GDPR applies to:
- Organisations established in the EU, for any processing carried out in the context of that establishment’s activities, regardless of where the processing itself takes place and regardless of whether the individuals concerned are EU citizens.
- Organisations based outside the EU that offer goods or services to individuals in the EU (whether or not payment is required) or monitor the behaviour of individuals in the EU.
It distinguishes between ‘data controllers’ and ‘data processors’:
- A data controller is the natural or legal person, public authority, agency or any other body that determines how and why personal data is processed.
- A data processor is the natural or legal person, public authority, agency or any other body that processes personal data on behalf of the data controller.
Your compliance requirements differ depending on whether you are a controller or processor – or both.
The GDPR – what it means for companies in the Asia-Pacific region
The GDPR applies to organisations established in the EU and, irrespective of location, to organisations that offer goods or services to individuals in the EU or monitor their behaviour, wherever the data is actually processed. Asia-Pacific companies with any connection to Europe – whether through subsidiaries, customers or suppliers – stand to be affected. Organisations should therefore take steps to determine whether the GDPR applies to them, and to consider revising their information handling processes to ensure compliance.
GDPR compliance is not just a matter of ticking a few boxes, though: the Regulation also demands that you be able to demonstrate compliance with the data processing principles. Compliance involves taking a risk-based approach to data protection, ensuring appropriate policies and procedures are in place to deal with the requirements for transparency and accountability, and to protect individuals’ rights, as well as building a workplace culture of data privacy and security.
In some cases, GDPR compliance will build on existing measures that many organisations adopt as a matter of good practice or to comply with national laws, such as the Privacy Act 1988 (Australia), the Personal Data Protection Act (Singapore), the Personal Data (Privacy) Ordinance (Hong Kong) and the Cybersecurity Law (Mainland China).
With the appropriate data protection compliance framework in place, not only will you be able to avoid significant fines and reputational damage but you will also be able to show customers that you are trustworthy and responsible, and derive added value from the data you hold.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person (data subject). The GDPR places much stronger controls on the processing of special categories of personal data than the DPA 1998 did. The inclusion of genetic and biometric data is new.
Examples of personal data
- Email address
- IP address
- Location data
- Online behaviour (cookies)
- Profiling and analytics data
Special categories of personal data
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (where processed to uniquely identify a person)
- Health information
- Sex life or sexual orientation
The wider scope of the GDPR
The GDPR does not merely apply to organisations located in the EU. If a company in the Asia-Pacific region processes personal data through a business establishment in the EU or in the course of one of the following activities, it must comply with the Regulation:
- Offers goods or services to people in the EU. Simply being able to access the company's website from the EU will not be sufficient to trigger the application of the GDPR, however. For the Regulation to apply, the company must clearly intend to offer services to individuals located in the EU.
- Monitors the behaviour of individuals in the EU. This includes a host of activities, from tracking Internet users, such as through advertising technology platforms, to profiling and analysing their preferences, behaviours and attitudes.
Asia-Pacific companies not established in the EU that meet one of the above qualifying factors must, in most cases, designate a representative based in the EU as the contact point for all questions on data protection from data subjects and data protection authorities. A representative is not required where the processing is occasional, does not include large-scale processing of special categories of data or of data relating to criminal convictions and offences, and is unlikely to result in a risk to individuals’ rights and freedoms.
Service providers (data processors) that process data on behalf of an EU organisation also come under the remit of the GDPR and have their own compliance obligations. An example might be a company that processes payroll or a cloud provider that offers data storage, even if the server sits outside the EU.
GDPR penalties and fines
The maximum fine under the GDPR is up to 4% of annual global turnover or €20 million – whichever is greater – for organisations that infringe its requirements.
There are two tiers of administrative fine that can be levied as penalties for GDPR non-compliance:
- Up to €10 million, or 2% of annual global turnover – whichever is greater; or
- Up to €20 million, or 4% of annual global turnover – whichever is greater.
Fines are discretionary rather than mandatory. They must be imposed on a case-by-case basis and should be “effective, proportionate and dissuasive”.
How are GDPR fines determined?
Fines of up to €10 million or 2% of annual global turnover can be issued for infringements of articles:
- 8 (conditions for children’s consent);
- 11 (processing that doesn’t require identification);
- 25–39 (general obligations of processors and controllers);
- 42 (certification); and
- 43 (certification bodies).
Fines of up to €20 million or 4% of annual global turnover can be issued for infringements of articles:
- 5 (data processing principles);
- 6 (lawfulness of processing);
- 7 (conditions for consent);
- 9 (processing of special categories of data);
- 12–22 (data subjects’ rights); and
- 44–49 (data transfers to third countries or international organisations).
How IT Governance can help you comply with the EU GDPR
IT Governance, a leading global provider of IT governance, risk management and compliance solutions, is at the forefront of helping organisations address the challenges of EU GDPR compliance.