Data Protection: GDPR

General Data Protection Regulation – The Global Standard
What is it?
The General Data Protection Regulation (“GDPR”) is a regulation that came into force on May 25, 2018 on consumer data protection and privacy for all individuals within the European Union (“EU”). However, though the Regulation was introduced by the EU, it can apply to any individual or corporation who processes “personal data” regardless of their location.
The GDPR Regulation should be taken seriously as it is designed to help consumers gain a greater level of control over their data, while offering more transparency throughout the process.
 
Factors to think about to be GDPR Compliant
The GDPR Regulation is a lengthy and complex document that took over 4 years of negotiation to establish. Therefore, using a general perspective, the basic factors that an individual or corporation should be thinking about to be GDPR compliant are listed below:

1. Consent: When collecting any “personal data,” the terms of consent must be clear, easily provided and freely withdrawn at any time by the consumer. Therefore, do not confuse the consumer with complex language, hidden consent forms or lengthy terms and conditions.
   
2. Timely Notifications and up to date Information
   A- You must report a security breach to the customer and/or data controllers within 72 hours or potentially face issues.
   B- Be proactive and ensure that all data is up-to date.
   
3. Right to Access: To offer transparency, the corporation or individual must provide a detailed and free electronic copy of all the data collected when a consumer requests it. Furthermore, the GDPR states that the report must include any information regarding how the data will be used.
   
4. Right to Deletion
   A- A consumer must have the right to request that the corporation or individual erase their personal data.
   B- Also, it is recommended to hold personal data as long as it is required and delete the rest.
   
5. Portability: A consumer is given the right to their own data and transfer that same data in different situations outside of the one individual or corporation.
   
6. Design with Privacy in Mind: GDPR is requiring companies or individuals to design their systems with privacy and security in mind from the start. Data collection is important and failing to protect that will lead to potential problems.
   
7. Data Protection Officer: Depending on the size of the company and how much data is being collected, a Data Protection Officer should be hired to ensure the appropriate handling of consumer data.
   
8. Purpose is Important: Personal data should only be used for the specific purposes that you have declared to the consumer. Therefore, do not use the information that they have provided to send material that is clearly unrelated.
   
9. Data Minimization: When designing with privacy in mind, one must ensure that they collect the minimal amount of personal data that is required to perform the relevant task.
   
10. Secure the Data
    Take reasonable steps to ensure that the data collected is secure. Some examples are:
    • Not store consumer data on a portable device;
      
    • Don’t share login credentials; and
    • Encrypt and password protect the relevant files.

 
Consequences for Non-Compliance
There are two tiers of fines that can be used as penalties for non-compliance:

1. Up to 10 million euros or 2% of annual global turnover (whichever higher); or
2. Up to 20 million euros or 4% of annual global turnover (whichever higher).
   

These fines are discretionary rather than mandatory, based on specific breaches, and are imposed on a case-by-case basis.
The GDPR is an important piece of regulation that affects global corporations and individuals. When you intend to obtain “personal data” keep in mind the factors above and ensure that your corporation is GDPR compliant to limit any further consequences.

Vikas Chadha is a member of the BLG Business Venture Clinic, and is a 2nd year student at the Faculty of Law, University of Calgary