1 September 2018 (Singapore) – QUICK NOTES ON THE EU GDPR
The European Union General Data Protection Regulation (“EU GDPR”) is the EU’s strong response to “new challenges for the protection of personal data”. This response is based on the principle that natural persons should have control of their own personal data and that there should be strong enforcement for the protection of this fundamental right. The EU GDPR will replace the EU Directive 95/46/EC and will apply from 25 May 2018.
This affects not only organisations operating within the EU. The EU GDPR has extraterritorial reach and will also apply to organisations outside of the EU where an organisation “processes personal data of data subjects” who are in the EU. This includes organisations that process personal data in relation to offers of goods or services to individuals in the EU, or that monitor the behaviour of a person in so far as their behaviour takes place within the EU. An offer of goods and services to individuals in the EU may be determined by the use of a language or currency of one or more Member States to make it possible for individuals in that Member State to order the goods or services, or by the mention of customers or users who are in the EU. The monitoring of behaviour of persons in the EU may be determined by the tracking of behaviours on the Internet, including the subsequent analysis of such information to predict a person’s personal preferences, behaviours and attitudes.
The main principles of the GDPR may be found in Article 5. Article 5(1)(a) begins by stating that personal data shall be “processed lawfully, fairly and in a transparent manner” in relation to individuals, and this includes being upfront about the (lawful) reasons for the collection and use of personal data, being careful about the accuracy of the personal data and also protecting the personal data from loss, misuse, or damage. Article 5(2) concludes with a statement that the “controller” of the personal data shall be responsible for and be able to “demonstrate” GDPR-compliance.
Organisations that fail to be GDPR-compliant may face “strong enforcement” measures. Therefore, “controllers” and “processors” of personal data belonging to “data subjects” in the EU should be aware of the GDPR, review existing contracts, documentation, data protection systems and practices and establish GDPR-compliant equivalents before the law comes into force in May 2018.
Keywords: GDPR, General Data Protection Regulation, European Union, EU, Personal Data, Data Protection, Directive 95/46/EC, PDPA, PDPC, Personal Data Protection Act, data subject, data breach, DPO, Data Protection Officer, compliance, standard operating procedures.