The General Data Protection Regulation (GDPR) is a European regulation that has applied since 25 May 2018. As it is a regulation rather than a directive, it applies directly in all the member states of the European Union with no need for transposition into domestic law.
The GDPR is a collection of rules aimed at protecting the personal data of natural persons within the EU. It may be considered to be the most stringent data protection regulation in the world. Its application has led to the harmonisation of rights and freedoms in respect of personal data protection across the European Union.
The GDPR gives the term “personal data” a very extensive meaning: it covers any information relating to an identified or identifiable natural person.
The GDPR applies to all public or private entities that process personal data, regardless of their size, country of establishment or type of activity.
Indeed, the regulation applies to all bodies based in the European Union that process personal data, even if the personal data relate to individuals located outside the EU.
What is more, organisations established outside the EU are also subject to the GDPR when they offer goods or services to individuals in the EU or monitor their behaviour.
Note also that the GDPR applies to processors, i.e. subcontractors that collect and process personal data on behalf of other organisations.
A French winemaker selling all its production to North American customers must comply with the GDPR, because it is established in the EU.
Similarly, an e-commerce company based in Turkey that sells Chinese-manufactured products in Germany from its German-language website must also comply with the GDPR, because it targets customers in the EU.
Non-compliance with the General Data Protection Regulation can result in administrative fines of up to €20 million or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is greater.
IMPORTANT: while “large penalties” get the most publicity, that does not mean only large organisations are concerned. Indeed, most of the penalties imposed under the GDPR are smaller and are applied against smaller organisations such as SMEs, local government agencies or e-commerce websites.
Since the end of the Brexit transition period on 31 December 2020, EU law, including the GDPR, no longer applies in the United Kingdom. However, the United Kingdom has retained the regulation in domestic law as the UK GDPR, whose data protection and privacy rules are, to date, substantially the same as those of the European GDPR.
Nevertheless, the situation may change in coming years. We will keep you informed of any changes in the legislation governing the protection of personal data.
The Data Protection Officer (DPO) is a function introduced by the GDPR. The DPO monitors and advises on compliance with the European regulation; their task is to organise and maintain compliance by your organisation with applicable personal data protection regulations, while legal responsibility for compliance remains with the organisation itself.
The DPO is a key player in the governance of the organisation. Their tasks particularly include the following:
Information and advice to parties responsible for processing personal data
The DPO must stay informed at all times of applicable regulations and inform the bodies that manage data processing, both within and outside the organisation that employs them.
The DPO must also review the internal practices of the company and communicate with the relevant parties if any changes are required.
Thanks to their expertise and regulatory monitoring, the DPO advises the organisation that has appointed them on all data protection matters.
Cooperation with supervisory authorities
The DPO is the point of contact between the company and the GDPR supervisory authorities. The DPO must therefore facilitate the authorities' access to relevant information and documents.
Public authorities and bodies are under an obligation to appoint a DPO (Data Protection Officer). Private companies are also required to appoint a DPO when their core activities involve large-scale processing of sensitive data, such as healthcare data, or the regular and systematic monitoring of individuals on a large scale, as in the case of profiling companies.
The obligation to appoint a DPO also applies to companies outside the EU. As a result, if your company falls within the field of application of the GDPR, you must comply with the obligation to appoint a DPO.
By outsourcing your DPO function to ASD Group, you will save a significant amount of time. Managing GDPR compliance is complex and requires time, effort and flexibility. By contracting out the function, you will benefit from the services of a specialist in the field, who is flexible and available to process your requests.
ASD Group works with a close partner and a multidisciplinary team of experts specialised in data protection and information security.
They can provide your organisation with the following:
By using the services of our partner, you will benefit from: