
No. 53

EU General Data Protection Regulation (GDPR): Get Ready, the Clock is Ticking!

The General Data Protection Regulation (GDPR) replaces the outdated Data Protection Directive (DPD) 95/46/EC and will become the primary law regulating how companies protect EU citizens’ personal data. It was agreed upon by the European Parliament and the European Council in April 2016, after four years of preparation and debate.

The enforcement date for this new regulation is 25 May 2018.

Unlike a directive, GDPR will be directly applicable in all Member States, so it does not require national governments to pass any enabling legislation.

Purpose: GDPR regulates the protection of natural persons with regard to the processing of personal data and the free movement of such data. It also addresses the export of personal data outside the EU. The bottom line is that the GDPR aims primarily to give citizens and residents back control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The Regulation will have a significant impact on businesses in all industry sectors, so the EPTDA members should be aware of its vast implications.

On one hand, this legislation will have a positive impact because it creates a harmonized framework for data protection across all 28 Member States. On the other hand, the implementation process will be challenging in terms of costs and effort.

That’s why the EPTDA members need to review their data protection compliance programmes, in order to determine next steps and decide if they need to make more investments or improvements.

Which Companies Does the GDPR Affect?

GDPR’s applicability is well defined in the Regulation: it will affect every single company that handles personal data, such as an individual’s IP address or cookie data, but also people’s names, home addresses, social security numbers and so on.

In other words, GDPR will apply to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing itself takes place inside or outside the EU. Moreover, even if a company is not established in the EU, it has to comply with this Regulation if it offers goods or services to EU citizens (whether or not payment is required) or if it monitors the behaviour of EU consumers.

What Happens If My Company Is Not In Compliance With the GDPR?

Penalties for non-compliance are up to €20 million or 4% of global annual turnover, whichever is higher. According to a report from Ovum, 52% of companies believe they will be fined for non-compliance. Thus, the EU could collect as much as €5.1 billion in fines and penalties in the first year after the GDPR comes into force.

Accountability

The GDPR imposes accountability obligations on data controllers to demonstrate compliance. This includes requiring them to:
(i) maintain certain documentation,
(ii) conduct a data protection impact assessment for more risky processing (DPAs may compile lists with the results of such assessments),
(iii) implement data protection by design and by default.

Data Protection Officers

In certain circumstances data controllers and processors must designate a Data Protection Officer (the DPO). The DPO shall have at least the following tasks:

  1. to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
  2. to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  3. to provide advice where requested as regards the data protection impact assessment and monitor its performance;
  4. to cooperate with the supervisory authority;
  5. to act as the contact point for the supervisory authority on issues relating to processing, and to consult, where appropriate, with regard to any other matter.

According to the Regulation, the data protection officer “shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing”. The DPO will need sufficient expert knowledge. The DPO may be an employee or under a service contract; a group of undertakings may appoint a single DPO (conditional on accessibility by all), as may certain groups of public authorities. The WP29 guidance sheds some light on this subject: it states that the DPO should be located in the EU and should report directly to the highest management level. You can access it here.

Consent

Under the GDPR, consent must be freely given, specific, informed and unambiguous. Requests for consent should be separate from other terms, and be in clear and plain language. A data subject’s consent to processing of their personal data must be as easy to withdraw as to give. Consent must be “explicit” for sensitive data. The data controller is required to be able to demonstrate that consent was given. Existing consents may still work, but only provided they meet the new conditions.

Here are the main rules for consent, according to the Regulation:

  1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
  2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
  3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
  4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Also, data controllers must continue to provide transparent information to data subjects. This must be done at the time the personal data is obtained.

One-Stop-Shop

The ‘One-Stop-Shop’ mechanism should provide supervision by one lead authority to companies with a presence in more than one Member State.

According to the consultancy firm PwC, a lead supervisory authority will be “the authority that the organisation contacts for compliance activity such as registering a data protection officer, notifying a risky processing activity or notifying a data security breach; also, it will handle data protection complaints relating to that organisation, conduct investigations or undertake enforcement activity relating to cross-border processing”.

But how do organisations determine their lead supervisory authority? Firstly, they have to determine their "main establishment" in the EU. In order to do that, they have to ask themselves the following questions:

  • Where are decisions about the purposes and means of the processing being given the final "sign off"?
  • Where are decisions about business activities that involve data processing made?
  • Where does the power to have decisions implemented effectively lie?
  • Where is the Director (or Directors) with overall management responsibility for the cross-border processing located?

Notification of a Personal Data Breach to the Supervisory Authority

GDPR states that, in the case of a personal data breach, the controller shall “without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent”. The only exception to this rule is where the personal data breach “is unlikely to result in a risk to the rights and freedoms of natural persons”. Also, if you do not notify the supervisory authority within the 72-hour time frame, you must state the reasons for the delay.

According to the Regulation, the notification regarding a personal data breach shall at least:
 
(a) describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
 
(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
 
(c) describe the likely consequences of the personal data breach;
 
(d) describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
 
Finally, if it is not possible to provide all the information at the same time, you can provide it in phases, but as quickly as possible. Also, you have to document every single incident and highlight the measures taken.

Sources and Further Reading

European Commission
PrivacyRegulation.eu
AllenOvery.com
Intersoft Consulting
EY
Digital Guardian
Copyright © 2017 EMEA Power Transmission Distributors Association, All rights reserved.

Grensstraat 7, 1831 Diegem (Brussels), Belgium | +32 2 660 05 01 | www.eptda.org
