Banwo & Ighodalo Logo

Legal And Regulatory Implications Of The GDPR On Business Organizations: Basic Compliance Strategies For Non-EU Entities


  • Consent & Data Security

    The GDPR prescribes more control for EU data subjects over their personal data. In essence, data processors/controllers across the globe must show that data subjects not only consented to the collection, processing, storing, and transmission of their personal data but that the consent was freely, genuinely and absolutely given, without restrictions. Hence,

    1. Article 7 of the GDPR requires that consent must be freely given, specific, informed and unambiguous. Request for consent by a data controller should be separate from other terms, and be in clear and plain language. In addition to this, a data subject’s consent to processing of their personal data must be as easy to withdraw as it is to give; 

    2. consent must be explicit for sensitive data. A data controller is required to be able to demonstrate that consent was given;

    3. where personal data is processed for direct marketing, the data subjects will have a right to object. This right must be explicitly brought to their attention by a data processor/controller; and

    4. provision for parental consent is to be given when data of children is involved. This will not be necessary only in the context of processing the data of a child for preventative or counselling services offered directly to the child.

  • Right of Access to Personal Data

    The GDPR provides in Articles 15 and 16 that data subjects should be given the right and opportunity to access their data or update them at any time, in the data base of processors and controllers.

  • Right to Data Portability 

    The GDPR provides in Article 20 for the “right to data portability”. This is the right to receive personal data previously provided by a data subject to a processor/controller in a structured, commonly used and machine-readable format. This also includes the right to transmit those data to another processor/controller without hindrance from the existing processor/controller.

  • Right of Erasure of Personal Data

    In accordance with Article 17 of the GDPR, where a data subject withdraws prior given consent, at any stage of a collection process (whether at the beginning, middle or after the completion of a transaction), such data subject has the right to request that his/her personal data be completely erased from the data processor/controller’s data base, storage or system. This is otherwise known as “right to be forgotten”. This right is however limited by instances in which processors/controllers are required by law to keep the data.

  • Data Security Audit

    The GDPR requires that data processing be carried out in a manner as to ensure appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. To this end, the use of appropriate technical or organizational measures (Integrity and Confidentiality) is prescribed in Article 5(1) f) of the Regulations. Similarly, organizations are to establish a culture of monitoring, reviewing and assessing data processing procedures in order to forestall unnecessary retention of data in the system. In this connection, adoption of a compliant Binding Corporate Rules (“BCR”), as provided in Article 47 of the GDPR, is prescribed for affected entities. In line with the provisions of Article 32 of the GDPR, organizational BCR should emplace an IT architecture that supports “pseudonymisation” and encryption of personal data; ongoing confidentiality, integrity, availability and resilience (CIAR) of processing systems and services; as well as a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

  • Data Breach Notification 

    The GDPR in Article 33 requires a data controller to report any case of a personal data breach to the appropriate supervisory authority at once, or if impracticable in phases, without undue delay and where feasible, not later than seventy-two (72) hours after having become aware of the breach. Where the notification to the supervisory authority is not made within the stipulated period, it shall be accompanied by reasons for the delay. The notification shall describe the nature of the breach, categories and approximate number of data subjects and personal data records concerned, likely consequences of the breach, and measures taken or proposed to be taken by the controller to address the breach, including possible measures to mitigate the likely adverse effects of the breach. In Article 34, the GDPR further mandates data processors/controllers to communicate to affected data subjects, without undue delay, any personal data breach likely to result in a high risk to the rights and freedoms of natural persons.