
The impact of General Data Protection Regulation (GDPR) for Companies
Date:  8 Jun 2018


The General Data Protection Regulation (GDPR), a new privacy law in the European Union (“EU”) designed to strengthen and unify data protection, became applicable on 25 May 2018 and applies directly across the EU without the need for national implementing legislation. GDPR regulates the protection of personal data, which includes any information that can be used to identify a person, such as a name, an identification number, location data, an online identifier, and a wide range of other types of information. It affects the way organizations collect, manage and retain personal data relating to both clients and employees.
Appointment of Data Protection Officer
Appointment of a Data Protection Officer (DPO) is mandatory where the data processing is carried out by:

(a) public authorities or bodies,
(b) organizations whose core activities require regular and systematic monitoring of data subjects on a large scale, or
(c) organizations whose core activities consist of large-scale processing of special categories of personal data (such as health, biometric or genetic data) or of data relating to criminal convictions and offences.

The DPO is responsible for advising the organization, monitoring internal compliance and cooperating with the supervisory authority, and is bound by secrecy and confidentiality in performing these tasks.
If your organization does not fall into one of these categories, GDPR itself does not require you to appoint a DPO, although the law of an individual EU member state may still do so, and an organization may choose to appoint one voluntarily.
Data Controllers and Data Processors
Some tasks, such as payroll, are commonly outsourced, so the personal data involved is handled by a third party. A “data subject” is a natural person whose personal data is processed by a controller or processor. The data controller determines the purposes and means of the processing of personal data, while the data processor processes that personal data on behalf of the controller and according to its instructions. GDPR requires a written contract (or other legal act) to be in place between the controller and the processor, setting out the liabilities and responsibilities of each party. Processors are directly subject to GDPR in their own right and must ensure that data subjects’ rights are protected.
Territorial Scope
The new Regulation affects not only EU organisations but also non-EU organisations with an online presence, for example those offering web analytics or measurement services, where their websites and applications are used by people in the European Economic Area.

The GDPR applies to all EU and non-EU companies and organizations, regardless of their location, that either offer goods or services to individuals in the EU or monitor the behaviour of individuals within the EU. Consequently, a business based outside the EU may be required to designate a representative established in the EU, who acts as its point of contact for supervisory authorities and data subjects on data protection matters.
Organizations can be fined for non-compliance up to 4% of annual global turnover or EUR 20 million, whichever is greater. This is the maximum fine, reserved for the most serious infringements, such as processing personal data without a valid legal basis (for example, without sufficient consent), breaching the basic principles of processing, or violating data subjects’ rights. There is a tiered approach to fines: a lower tier of up to 2% of annual global turnover or EUR 10 million, whichever is greater, applies to infringements such as failing to keep proper records of processing, failing to notify the supervisory authority or the data subject of a breach, failing to conduct a data protection impact assessment, or failing to implement data protection by design and by default. It is important to note that these rules apply to both controllers and processors.
Clients who wish to explore details of the new law can contact Ms. Amie Cheung at amie.cheung@lccpa.com.hk.