The EU General Data Protection Regulation (GDPR) course is intended to bring attendees up to speed with the new regulation, which becomes applicable on the 25th of May 2018. The regulation is attracting a great deal of attention not only because it significantly changes what is legally permissible in the acquisition, processing and retention of personal data, but also because of the penalties it sets out: fines for GDPR infringements may reach 20 million euro or 4% of worldwide annual turnover, whichever is higher. Anyone who handles any sort of personal data, including but not limited to employment data, subscription data, client data and data collected automatically through a website that allows the data subject to be identified, is therefore subject to the GDPR's provisions and needs to ensure compliance in order to avoid punitive fines that could easily drive a firm out of business. The course is designed to set the GDPR in context and to give attendees practical tools for achieving compliance and avoiding the debilitating fines that non-compliance will entail.
More than two decades ago, the European Community (now the European Union) felt the need to align data protection standards across its Member States in order to facilitate and enable cross-border data transfers. At the time, national data protection laws provided inconsistent and at times incompatible levels of protection, and offered legal certainty neither to individuals nor to data controllers and processors. With the intent of promoting and fostering the single European market, the European Community therefore adopted, in 1995, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (referred to in short as the Data Protection Directive). The Directive aimed at harmonising the protection of individuals' fundamental rights with respect to data processing activities and at ensuring the free flow of personal data between EU Member States under a legal framework that was clear and certain.
Because European Directives are not directly applicable in EU Member States but have to be transposed into national law, each Member State implemented the Directive somewhat differently, and these implementation differences undermined the Directive's original objective of harmonising the level of data protection within the EU. The result was that data processing activities deemed lawful in one EU Member State could be unlawful in another.
Fast forward to 2016: the shortcomings of the Data Protection Directive have, after a series of tough rounds of negotiation, culminated in the General Data Protection Regulation (GDPR), which repeals and replaces it. As a regulation, the GDPR is directly applicable in EU Member States and does not require transposition that could introduce distortions in implementation. The compliance burden of the new regulation is very considerable, as data protection duties have proliferated, and the drastically increased fines for non-compliance leave scarcely any room for error. Indeed, under the GDPR, organisations in breach can be fined up to 4% of annual global turnover or €20 million, whichever is greater. All organisations that process any form of personal data should therefore carefully reorganise their internal data protection procedures in order to reach compliance with the GDPR by the time it becomes applicable, on the 25th of May 2018.
Organisations in the USA have been preparing for this change since 2016, but their EU counterparts are very late and are now scrambling to ensure compliance. This course has been designed to provide a general overview of the Regulation, as well as practical hands-on tips and checklists designed to ease the burden of complying with it. Some areas of the Regulation are still ambiguous and will remain so until they are legally tested and case law in the area builds up; most other areas are, however, crystal clear. The course aims to identify both the clear and the ambiguous areas and argues for a cautious approach given the daunting level of the fines. It is composed of the following modules:
- Introduction to Data Protection and the GDPR
- GDPR in Detail
- How to Comply: Organisational Requirements
- The Nuts & Bolts: Technical Aspects of GDPR Compliance
- GDPR in Context: Examples and Special Processing Activities