One aim of the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, was to harmonize data protection laws across Europe — so its legal form is a regulation (an order that must be executed) as opposed to a directive (a result to achieve, though the means to achieve aren’t dictated).

The GDPR is the successor to the European Union's (EU) Data Protection Directive 1995 (Directive 95/46/EC). Unlike a directive, when the EU enacts a regulation, it becomes national legislation in each EU member state, with member states having no opportunity to change it via national legislation.

However, EU member states are permitted to make certain derogations (a fancy term for exemptions) from the GDPR (such as in the case of the need to uphold a country’s security), so data protection laws across Europe aren’t quite as harmonized as may have been desired by some of the legislators.

Although EU member states cannot change the GDPR, each member state requires national legislation to accompany the GDPR, for two reasons:

  • The GDPR needs to fit into the member state’s legal framework.
  • National legislation is needed to choose from the exemptions permitted by the GDPR.
At the time this article was written, all but three member states had passed national legislation to sit alongside the GDPR. So, you need to familiarize yourself with not only the GDPR but also the legislation that was implemented in the EU member state(s) in which your organization is established.


Data protection laws

Data protection laws exist to balance the rights of individuals to privacy and the ability of organizations to use data for the purposes of their business. Data protection laws provide important rights for data subjects and for the enforcement of such rights.

This list describes a handful of additional points about these laws to keep in mind. Data protection laws:

  • Protect data subjects: A data subject is an individual whose personal data is collected, held, and/or processed.
  • Apply to organizations that control the processing of personal data (known as data controllers) and also organizations that process personal data under the instructions of data controllers (known as data processors): These include companies (both private and public), charities (not-for-profit, political, and so on), and associations (such as churches, sports clubs, and professional leagues, to name only a few).
  • Apply throughout the world: The concept of privacy originated in the United States in the 1890s. Although the EU has been a front-runner in establishing the laws protecting data and sees itself as setting the gold standard of data protection laws, the vast majority of countries around the world have some form of data protection laws.
  • Do not prevent organizations from using personal data: Organizations can legitimately use personal data to their benefit as long as they comply with applicable data protection laws. Every organization is likely to process some personal data — of its clients, employees, suppliers, prospects, and so on.
  • Prevent common misuses of personal data: Organizations often (a) fail to put in place appropriate measures to keep personal data secure, (b) fail to inform the data subject at the point of data collection about what they intend to do with the personal data and, where necessary, to obtain consent, and (c) transfer personal data to third parties without the knowledge of the data subject. Data protection laws generally prevent these common misuses.
Countries hold to varying degrees of regulation and enforcement, and some countries don’t have any data protection laws. The following table rates the strength of various countries’ efforts to protect data.

Regulation/Enforcement Strength of Data Protection Laws Worldwide

| Type of Regulation/Enforcement | Countries |
|---|---|
| Tough | Australia, Canada, Hong Kong, South Korea |
| Strong | Argentina, China, Estonia, Finland, Iceland, Japan, Latvia, Malaysia, Monaco, Morocco, New Zealand |
| Light | Angola, Belarus, Costa Rica, Egypt, Ghana, Lithuania, Mexico, Nigeria, Russia, Saudi Arabia/UAE, South Africa, Turkey, Ukraine |
| Limited | Honduras, India, Indonesia, Pakistan, Panama, Thailand, Uruguay |

The 10 most important obligations of the GDPR

The obligations I refer to in this section’s heading are the ten most important actions you need to take to comply with the GDPR; I’ve only summarized these obligations in the following list because I discuss them further throughout this book:
  • Prepare a data inventory to map your data flows so that you can understand exactly what personal data you’re processing and what you’re doing with it.
  • Work out the lawful grounds for processing each type of personal data for each purpose for which you’re processing it.
  • Ensure that your data security strategy is robust and that you have implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk of a data breach or other security incident.
  • Ensure that an appropriate safeguard is in place whenever you transfer personal data outside of the European Economic Area (EEA).
  • Update your Privacy Notice to ensure that you’re being transparent about the means and purposes of your data-processing.
  • Update your Cookie Policy to ensure that you aren’t relying on implied consent, that visitors to your website are taking affirmative action to consent to non-essential cookies being used, and that the cookies are fired only after consent is obtained.
  • Ensure that your staff are appropriately trained in relevant areas of the GDPR.
  • Ensure that you have reviewed the grounds on which you process employee data, and issue a revised employee privacy notice where necessary.
  • Determine whether you need to appoint a data protection officer (DPO). If you do, take the necessary steps to hire a suitable candidate.
  • Review all of your processor and subprocessor arrangements and ensure that appropriate contracts are in place. Ensure that the data processors (and subprocessors) are compliant with the GDPR and that they have adequate security in place to protect the personal data.

The consequences of non-compliance

Think of this as a description of not only the consequences you face if you aren’t compliant with the GDPR but also the reasons you should care about being compliant.

Increased fines and sanctions

The GDPR has introduced significant increases in the maximum fines for breaches of its requirements.

Under the GDPR, the fines for certain breaches of the GDPR have been increased to 20 million euros (about $24 million USD) or 4 percent of global turnover for the past financial year, whichever is higher. For “lesser” breaches, the maximum fines have increased to 10 million euros (about $12 million USD) or 2 percent of global turnover for the past financial year, whichever is higher.

This significant increase in fines indicates the increasing importance of data protection within the EU as the value of personal data increases and the processing becomes even more sophisticated.

This is not to say that you will be fined these amounts for any infringements of the GDPR. You would have to do something that significantly impacts on the rights and freedoms of a large number of data subjects to incur a maximum fine.

Supervisory authorities are the regulatory authorities (often known as data protection authorities) within individual EU member states that are responsible for the enforcement of the GDPR.

Civil claims

Data subjects can now bring civil claims against data controllers for infringements of their data subject rights. So, if, for example, you don’t respond appropriately to a data subject right request (namely where the data subject can request details of the personal data you process for that data subject) or if you experience a data breach that affects the data subject’s personal data, you could find yourself on the receiving end of a civil claim.

As you may have noticed in recent high-profile data breaches, such as the British Airways data breach in 2019, data protection lawyers are placing advertisements encouraging victims of data breaches to join group actions against the data controller.

A civil claim against you would not only damage your reputation further but would also cost a significant amount of time and money to defend the claim.

Data subject complaints

The general public is much savvier about their data protection rights than they used to be, for these reasons:
  • The introduction of the GDPR garnered a lot of publicity due to the increased sanctions.
  • Supervisory authorities ran various awareness campaigns to ensure that data subjects were aware of their rights.
  • Certain high-profile cases, such as the Facebook and Cambridge Analytica cases (where personal data was misused for political profiling), and the British Airways data breach case have received broad coverage in the media.
This savviness has led to an increase in the number of complaints from data subjects whose personal data hasn’t been processed in accordance with the GDPR. Data subjects are lodging complaints both directly to the data controller and to supervisory authorities. The two situations require two different responses:
  • If the data subject complains directly to you (the data controller): Although a complaint signals that an element of reputational damage has occurred, you have an opportunity to repair the relationship, which is particularly important if the data subject is a customer or a potential customer.
  • If the data subject complains to the supervisory authority: Because the supervisory authority is bound to investigate that complaint, you might face more serious consequences. The supervisory authority will review all your data processing activities, policies and procedures in relation to that complaint. If it finds that the complaint is valid, the supervisory authority will use its corrective powers in relation to such complaints.
These corrective powers include the ability to issue fines, to impose a temporary or definitive ban on the processing of personal data or to force you to respond to the data subject’s requests to exercise their rights.

Brand damage

When a data subject brings a claim against you, you risk not only sanctions from the relevant supervisory authority but also brand damage. A report by Acxiom (a consulting firm providing marketers with data and technology assistance) entitled “Global data privacy: what the consumer really thinks” showed that individuals from around the world are, in the vast majority, quite concerned about how their personal data is used and protected. If you aren’t compliant with the GDPR, you’re showing your prospects, customers, and employees that you aren’t concerned about the protection of their personal data.

Loss of trust

If you don’t comply with the GDPR and, for example, you experience a data breach or don’t respond appropriately to data subject requests, you are likely to lose trust from your customers and prospects. When they don’t trust you, they don’t want to buy from you or otherwise do business with you. Similarly, when your employees don’t trust you, they no longer want to work for you.

In unfortunate timing, British Airways sent an email to all of its customers to assure them that they could trust British Airways with their personal data. Just a couple of months later, British Airways suffered a large data breach that compromised the financial details of 185,000 customers, details that were sold on the dark web. As a result of this data breach, the share price of IAG (British Airways’ parent company) decreased by 5.8 percent (equivalent to a loss of £350m).

In 2018, Comparitech produced a report finding that, in the long term, organizations that have suffered data breaches underperformed financially.

Be a market leader

By embracing the GDPR and showing your customers, prospects, and employees that you care about the protection of their personal data, you gain a competitive advantage.

Elizabeth Denham, the United Kingdom information commissioner, summed up this idea nicely:

“Accountability encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. We believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals and over time this can play more of a role in consumer choice.”

About This Article

About the book author:

Suzanne Dibble is a business lawyer who has advised huge multi-national corporations, private equity-backed enterprises, and household names. Since 2010 she has focused on small businesses, combining her knowledge of large organizations with a deep appreciation for entrepreneurship, especially online businesses, to provide practical, relevant advice. See more at suzannedibble.com