EDRM on GDPR
The EDRM has posted its first report on the GDPR, "Decoding GDPR". The report summaries some of the salient points of the GDPR, coming May 25, 2018:
it's a regulation, not a directive, and as such is directly enforceable by the EU, unlike the old Data Protection Directive
it has extraterritorial application
fines up to €20 million or 4% of global revenue for violations
the GDPR will standardize how personal data is treated throughout the EU
The GDPR applies to the processing of data when the data controller or processor is established in the EU, even if the processing does not occur in the EU. It will still apply to data controllers or processors not established in the EU when they offer goods or services to data subjects in the EU, or they monitor behavior of the data subjects in the EU.
The EU concept of 'personal data' contrasts with the US concept of 'personally identifiable information' The EU concept is broader, including any data that can be used to identify an individual. There are additional protections for special categories of personal data, including biometric, health, and genetic data. Standard practices for dealing with PII under HIPAA may not comply with the requirements of the GDPR.
Data controllers should not be regarded as being directly analogous to electronic discovery custodians. A custodian has possession of ESI. A controller has the power to process personal data.
The GDPR concept of processing is broader than the American electronic discovery concept which merely involves reducing and converting data. In the EU, review or storage of personal data can be 'processing'.
The GDPR requires the preparation of a Privacy Impact Assessment when the rights of data subjects are impacted. Unlike in America, in the EU the re-use of health data requires consent.
Penalties can be implemented in the EU when an organization fails to adhere to its adopted conduct of conduct for compiling with the GDPR. Guidelines and best practices may not be viewed as merely aspirational as they are in the US.
The GDPR distinguishes between 'cross border' data transfers that consist of transfers within the EU, and 'third country' data transfers that concern the transfer of data outside the EU.