The EU General Data Protection Regulation (GDPR) is a separate legal act (regulation) that has been designed in order to strengthen protection of the processing of personal data of data subjects in the European Union, including EU residents and citizens worldwide.
The GDPR takes effect on May 25, 2018.
The GDPR applies to any organization in the European Union that is processing personal data. It also applies to any organization that processes the personal data of EU data subjects (i.e. citizens and residents of the EU), regardless of whether the organization has a presence in the European Union or whether the processing is done within the European Union.
If any organization collects, stores, manages, or analyzes personal data of any category, including such data as email addresses, it is likely that the GDPR affects such organization.
The GDPR lays out a range of requirements related to consent, individual rights, and data processing. The below overview is a non-exhaustive summary of the most significant requirements of the GDPR.
Consent, initially defined in Article 4, is addressed throughout the text of the GDPR. In general, the GDPR institutes much higher standards of consent when compared to the previous Data Protection Directive.
Consent under the GDPR needs to be both informed and explicit. Organizations have an obligation to present information about processing “in a concise, transparent, intelligible and easily accessible form, using clear and plain language” (Article 12). Where data processing is based on consent, organizations will need explicit consent from individuals - and they need to be able to prove that individuals have given consent (Article 7).
When organizations collect personal data, they are required to divulge certain information in accordance with Article 13.
Articles 12-23 present the individual rights covered by the GDPR. In general, the GDPR expands individual rights as they relate to personal data.
Covered by Article 15, the right of access is the right of individuals to request information about how their data is being used as well as a copy of the data itself.
According to Article 16, individuals are allowed to contact a Controller to correct inaccurate personal data.
According to Article 17, individuals can request that their data be erased under certain specific circumstances. These circumstances include, but are not limited to:
According to Article 18, individuals have the right to restrict how their data is processed in certain circumstances.
According to Article 20, individuals have a right to receive their personal data for the purpose of using it somewhere else.
Article 21 states that people have the right to object to the processing of their data in certain circumstances, “unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.”
The GDPR specifies a variety of requirements surrounding the processing of personal data. This section will explore some of the data processing requirements and provide links to relevant sections of the text of the GDPR.
A Controller is the organization that determines how personal data will be used. A Processor is the organization that processes personal data on behalf and on the instructions of the Controller. The specific responsibilities of each party are laid out in Articles 24-43.
OutreachMama may be a Processor in some cases and a Controller in other ones. Note that it is possible for a single organization to be both a Processor and Controller.
Article 28 states that Controllers must have clearly documented contracts with Processors that define the scope of processing. These contracts must be “in writing, including in electronic form.” Requirements for processing contracts can be found in the remainder of Article 28.
According to Article 37, many organizations will be required to appoint a data protection officer. The specific responsibilities of a data protection officer are covered in Article 39. In general, the data protection officer is responsible for compliance with the GDPR.
Articles 44-50 of the GDPR cover the specific requirements for transferring personal data to third parties or international organizations. The GDPR does not require that personal data of EU citizens remain exclusively in the EU, but it does have some requirements for such transfers.