The EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) came into effect in May 2018 and marked a watershed moment in global data protection, both expanding data protection obligations and ratcheting up penalties for failure to comply. The extent to which an organization is subject to the GDPR’s obligations depends on whether it is a controller or a processor.
Most GDPR obligations fall on the controller. The controller determines the purposes and means of the processing of personal data and can act alone or jointly with others, as under the previous EU Data Protection Directive. Unlike the Directive, however, the GDPR imposes specific obligations on processors – those who process personal data on behalf of a controller.
Identifying whether an organization is a controller or processor is key to determining GDPR obligations, and the analysis can be complex. In some circumstances, for example, an organization can be both a controller and a processor for the same dataset. Further, rights and obligations of controllers may differ across EU member states due to differences in EU member state laws implementing the GDPR.
Failure to comply with the GDPR presents significant financial and reputational risk to organizations, with fines as high as €20 million or 4% of global turnover.
As a first step in assessing GDPR obligations, an organization must undertake a thorough analysis of its role as a controller, processor, or both. Organizations should also consider which EU country implementing laws may apply and any unique obligations under those laws. The Practice Note: Overview of EU General Data Protection Regulation, available with a subscription to Practical Law can help your organization understand its roles and responsibilities under GDPR.
Thomson Reuters Practical Law helps you navigate the GDPR and focus on the important aspects you need to know and act on.