What is the GDPR?
GDPR means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
In short, the General Data Protection Regulation, or GDPR.
GDPR is now in force
Even though it was adopted on April 27th, 2016, the Regulation has only applied since May 25th, 2018. The two-year delay was meant to give all concerned entities time to carry out their compliance work.
The truth is that two years has proved a very short time, too short indeed, for such entities (not only companies, but also associations, foundations, trusts and even individuals who build or maintain, in connection with their activity, databases concerning natural persons) to understand why and how they are subject to GDPR, and then to decide on, plan and implement a compliance project.
The delay has proved all the shorter because, unlike Directive 95/46/EC which GDPR has superseded, the new rules reach entities well outside the geopolitical borders of the European Union.
The practical consequence, as surveys have shown, is that only about one tenth of companies were GDPR compliant on the date it became applicable, and that figure counts only companies based or present in the territory of the European Union. In Switzerland, the share of compliant companies on May 25th, 2018 was much lower, and it has been rising only slowly since, even though that date is now long past.
What is the intent behind GDPR?
The European Union already had data protection legislation: the 1995 Directive. However, the Directive showed its limits: it applied only to companies with establishments in the territory of the EU, it had been made obsolete by the progress of technology, it was not transposed uniformly across the member states, and it did not go far enough in protecting the rights of the persons whose personal data are collected and processed.
The new Regulation aims to remedy all of this. First, it extends the rights of the natural persons whose data are collected, which translates into more meaningful and concrete obligations for the organization collecting and processing the data: more transparency, more controls, more respect for the wishes the persons have expressed, and, on top of that, more security against unplanned uses of the data.
In practice, this means a great deal of information to give to the persons before obtaining their consent to collect personal data, further information obligations and respect for the persons' expressed wishes for as long as the data are in the possession of the processing organization (the "controller"), and a general obligation to document precisely and exhaustively the how, where, why, when, who, etc. of the processing.
Last but not least, the controller is the party responsible for proving that it has taken the appropriate measures to comply with its GDPR obligations; the burden no longer lies with the supervisory authority. This is a very important shift in the burden of proof, especially since the "appropriate measures" must at all times take into account future developments in technology and legislation.
Who must really comply with GDPR?
This is another big innovation: GDPR applies not only to organizations with establishments in the territory of the EU, but also to organizations that process the personal data of natural persons who are in the EU, wherever such organizations are based, when that processing relates to offering them goods or services or to monitoring their behaviour. Therefore, companies, organizations at large, and even individuals outside the EU that do business or carry on any such activity involving the collection or processing of personal data of natural persons located within the EU (permanently or temporarily!) fall within the scope of enforcement of GDPR.
Isn’t all of this a bit theoretical?
Yes, and no. Already under the 1995 Directive, the transfer of data from within the EU to countries outside the EU was subject to conditions, the main one being that the destination country had to be covered by an "adequacy decision" of the European Commission to be considered "trustworthy" by the EU. This meant that the country had to have data protection legislation equivalent to the Directive, or at least satisfactory to the EU.
The same principle applies under GDPR, but the Regulation goes a lot farther than the Directive. As a consequence, countries holding an adequacy decision need to revise their legislation to bring it much closer to GDPR, otherwise their adequacy decision will not be renewed. In that case, organizations themselves will have to rely on other safeguards (such as standard contractual clauses or binding corporate rules) and prove, individually, that they comply with GDPR and that they bind themselves to remain compliant in the future.
Obviously, the authorities charged with supervising and enforcing GDPR will not be able to examine every organization within the first year or two after May 25th, 2018. However, the big organizations that profit enormously from the internet and from the processing of the data they collect from natural persons already feel the pressure.
Besides, "processing incidents" (personal data breaches, that is, cases of hacking or of processing abuse) have been occurring more often lately, and GDPR has raised the compliance threshold significantly, so "flagship cases" have come up and will keep coming up, giving supervisory authorities an easy handle to grasp. Let's not forget that under GDPR, the controller of the personal data is the party that has to prove that all "appropriate measures" have been taken to ensure compliance with the law.