The General Data Protection Regulation (the “GDPR”),[1] a European Union (the “EU”) regulation that has changed the legal landscape of personal data protection,[2] is here to stay: it has applied since May 25, 2018.[3] Under the GDPR, the term “personal data” refers to “any information relating to an identified or identifiable natural person (‘data subject’).”[4] Companies and organizations that process, or determine the processing of, such personal data should pay attention to the GDPR, because it applies not only to those established in the EU but may also apply to those with no establishment in the EU, including Taiwanese companies and organizations.[5] Also, the consequences of non-compliance are severe.[6] This article summarizes the scope of application and the consequences of non-compliance of the GDPR, briefly navigates a few differences between the GDPR and the Personal Information Protection Act (the “PIPA”)[7] in Taiwan, and provides some priorities (a non-exhaustive list) for companies or organizations that are not yet fully GDPR-compliant to consider.
I. Are You Subject to the GDPR?
The GDPR is farther-reaching than one might expect and affects more than European companies and organizations: it applies to companies and organizations processing or holding the personal data of data subjects in the EU regardless of whether those companies and organizations are based in the EU.[8] Any enterprise engaged in an economic activity[9] that “determines the purposes and means of the processing[10] of personal data” (i.e., a data “controller”)[11] or “processes personal data on behalf of the controller” (i.e., a data “processor”)[12] is subject to the GDPR if it processes personal data in the context of the activities of an establishment in the EU, “regardless of whether the processing takes place in the [EU].”[13] Moreover, the GDPR applies extraterritorially to the processing of the personal data of data subjects in the EU by a controller or processor with no establishment in the EU where the processing relates to offering goods or services to such data subjects (irrespective of whether payment is required) or to monitoring their behaviour as far as that behaviour takes place within the EU.[14]
II. Consequences of Non-compliance
Any controller or processor should be aware of and comply with the GDPR because the consequences of non-compliance are severe and costly.[15] A controller or processor that fails to comply with the GDPR faces administrative fines imposed by the supervisory authority of up to €20 million or four percent (4%) of its total worldwide annual turnover of the preceding financial year, “whichever is higher,” for the most serious infringements (a lower tier of up to €10 million or 2% applies to others).[16] Moreover, EU Member States may lay down additional penalties applicable to infringements of the GDPR.[17]
III. Some GDPR Compliance Priorities
The GDPR has significant implications for the governance, data and privacy management, information technology, communications, personnel, and budget of any controller or processor subject to it, because it requires the implementation of data protection policies and measures and the institution of appropriate organizational and technical steps to ensure compliance.[18] Among all the GDPR compliance steps to be taken, the following are some priorities to consider (a non-exhaustive list, in no particular order):
V. Conclusion
In this data-driven era, the protection of personal data and privacy matters. Processing and protecting personal data appropriately is not only a compliance matter but also “makes sound business sense.”[72] If you have not fully implemented your GDPR compliance program, or are only just beginning it, you are already behind: the GDPR has applied since May 25, 2018.[73] You are probably not the only one who is not yet fully GDPR-compliant,[74] but a failure to comply could cost you dearly.[75] GDPR compliance is not something that can be achieved overnight by a small team; it may take your company or organization far more time, effort, and staff than expected to become fully compliant.[76] Please consider making GDPR compliance one of the top priorities on your company's or organization's agenda and immediately taking steps that show it is at least making an effort to comply.[77]
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119, 4.5.2016, at 1–88 (hereinafter the “GDPR”).
[2] Allen & Overy LLP, Preparing for the General Data Protection Regulation 2 (2018), http://www.allenovery.com/publications/en-gb/data-protection/Documents/Preparing%20for%20the%20GDPR%20-%20January%202018.PDF (hereinafter “A&O, Preparing for the GDPR”); bureau Brandeis, GDPR Compliance Roadmap 2 (2017); Jane Finlayson-Brown, Nigel Parker, Charlotte Mullarkey & David Smith, Preparing for GDPR Compliance, Allen & Overy LLP 1 (Mar. 2018), http://www.allenovery.com/SiteCollectionDocuments/Preparing%20for%20GDPR%20compliance%20March%202018.PDF (hereinafter “Jane Finlayson-Brown et al., Preparing for GDPR Compliance”).
[5] GDPR art. 3, ¶¶1-2. See also A&O, Preparing for the GDPR, supra note 2, at 4-5; Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 2, at 1-2; Paul Doris, Douglas Lahnborg, Kolvin Stone & Matthew Rose, Parental Liability for GDPR Infringements: Lessons from EU Competition Law?, Orrick (July 12, 2018), https://www.orrick.com/Insights/2018/07/Parental-Liability-for-GDPR-Infringements-Lessons-from-EU-Competition-Law; Patrick Nohe, GDPR: How to write a Privacy Notice – Best Practices, Hashed Out, The SSL Store (Apr. 3, 2018), https://www.thesslstore.com/blog/gdpr-privacy-notices/ (last visited June 28, 2018).
[7] The Personal Information Protection Act, promulgated by Presidential Decree Ref. No. ROC-President-(I)-Yi-5960 dated August 11, 1995, and amended on May 26, 2010 and December 30, 2015 (hereinafter the “PIPA”).
[18] Information Commissioner’s Office, Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now 1 (May 25, 2017) (hereinafter “ICO, 12 steps”); A&O, Preparing for the GDPR, supra note 2, at 4.
[20] Brandeis, supra note 2, at 8; ICO, 12 steps, at 3.
[21] ICO, 12 steps, at 8; Brandeis, supra note 2, at 5; Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 2, at 1.
[23] ICO, 12 steps, at 3-4; Brandeis, supra note 2, at 22; Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 2, at 1.
[24] Evan Schuman, Last-Minute GDPR Compliance 2 (2018), available at: https://www.thecontentfirm.com/images/user/other/Last-Minute-GDPR.pdf; Stephen Lawton, One Month Out: Top 6 Steps for GDPR Compliance, SC Media (Apr. 25, 2018), https://www.scmagazine.com/one-month-out-top-6-steps-for-gdpr-compliance/printarticle/754487/; Teri Robinson, GDPR: It's (just about) here, SC Media (May 1, 2018), https://www.scmagazine.com/gdpr-its-just-about-here/article/762198/; Nohe, supra note 5; GDPR Privacy Policy Checklist, The VeraSafe Data Protection Blog (Apr. 10, 2018), https://www.verasafe.com/blog/gdpr-privacy-policy-checklist/ (hereinafter “Checklist, VeraSafe”).
[26] ICO, 12 steps, at 6; Brandeis, supra note 2, at 28.
[27] ICO, 12 steps, at 5; Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 2, at 1.
[28] ICO, 12 steps, at 7; Brandeis, supra note 2, at 18; A&O, Preparing for the GDPR, supra note 2, at 26; Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 2, at 1.
[29] GDPR art. 25, ¶1. See also Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 2, at 1.
[31] Brandeis, supra note 2, at 11; A&O, Preparing for the GDPR, supra note 2, at 24.
[32] Brandeis, supra note 2, at 11.
[41] PIPA art. 2, subpara. 1.
[42] GDPR art. 3, ¶¶1-2. See also Nohe, supra note 5.
[63] Id. arts. 3 & 11, ¶1.
[64] Id. arts. 3 & 11, ¶¶2-3.
[65] Id. arts. 3 & 11, ¶3.
[66] GDPR art. 83, ¶¶4-6.
[72] A&O, Preparing for the GDPR, supra note 2, at 4.
[76] ICO, 12 steps, at 3; A&O, Preparing for the GDPR, supra note 2, at 43; Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 2, at 1.
[77] Jane Finlayson-Brown et al., Preparing for GDPR Compliance, supra note 2, at 1.