Understanding the European Union General Data Protection Regulation (GDPR)
The European Union General Data Protection Regulation (GDPR) is a comprehensive data protection law that aims to safeguard personal data and privacy within the EU. It replaced the Data Protection Directive and has notable requirements such as notice/consent, data subject rights, data retention, security measures, breach notification, and more. The GDPR has a broader territorial scope, imposes significant fines, grants data subjects enhanced rights, and pushes organizations towards stricter enforcement.
Presentation Transcript
The European Union General Data Protection Regulation (GDPR)
The Basics
An extensive data protection law designed to protect the personal data and privacy of individuals in the European Union (EU). It replaced the Data Protection Directive (95/46/EC) and went into effect on May 25th, 2018. Like the Directive, the GDPR applies to any information related to a natural person that can be used, directly or indirectly, to identify that person, e.g., name, photo, email address, bank details, social media posts, medical information, and IP address. The GDPR is considered a comprehensive data protection regime, unlike US privacy laws like FERPA, HIPAA, and the Gramm-Leach-Bliley Act, which are all considered sectoral regimes.
Notable Requirements of the GDPR
Notice / consent: Typically the organization must provide a relatively detailed privacy notice with certain required information (e.g., the purposes for which the data is being processed; to whom the data will be disclosed) at the time the data is obtained from the data subject. The organization may have to obtain affirmative consent from data subjects for the processing of their personal data unless the organization has another lawful basis (e.g., contractual basis; legitimate interests basis) for processing the data.
Data subject rights: Generally the organization must provide data subjects the right to view the personal data that is being maintained and have any inaccuracies rectified; also, in certain cases the organization must provide data subjects the right to have their data erased and the right to receive their data in a format that can be transferred to another organization.
Data retention: Normally the storage period must be kept to the strict minimum necessary to achieve the stated purpose; however, there are some exceptions for archival, scientific, historical, and statistical activities.
Record keeping: The organization must keep records of the purposes of the processing, the categories of personal data processed, the categories of recipients to whom the personal data has been disclosed, etc.
Security: The organization must implement relatively rigorous technical and organizational security measures and maintain a documented process for regularly testing and assessing those measures.
Breach notification: Data breaches posing a risk to the rights and freedoms of the data subjects must be reported to EU authorities without undue delay and typically no later than 72 hours after discovery.
Downstream processing: If an organization passes GDPR personal data to another organization, it must require that other organization to comply with the GDPR's requirements with respect to that data.
Why Does US Higher Ed Care?
1. The GDPR's territorial scope is broader and more defined than the Directive's scope; it's clear that the EU intends for the GDPR to apply to many organizations not based in, or even physically operating within, the EU.
2. The GDPR provides EU Data Protection Authorities (DPAs) the ability to levy much steeper fines than permitted under the Directive's implementing legislation; DPAs can impose up to the greater of 4% of annual global turnover or €20,000,000.
3. The GDPR affords data subjects much broader rights than the Directive, e.g., data subjects may bring causes of action directly under the GDPR, may bring claims directly against downstream processors, and may claim damages even where they have only "immaterial damage" as a result of an infringement.
4. The specter of enforcement under the GDPR is pushing EU organizations to more strictly enforce requirements on downstream controllers and processors.
Territorial Scope
The GDPR applies not only to organizations within the EU but also to organizations outside the EU where the processing activities are related to: (a) the offering of goods or services ... to such data subjects in the Union; or (b) the monitoring of their behavior as far as their behavior takes place within the Union. The language of the GDPR implies that it covers not only EU citizens and residents but anyone who is within the borders of the EU.