GDPR Legislation on Data Protection

Introduction

In an increasingly data-driven world where privacy is seen as a fundamental human right, the establishment of a reliable and efficient data protection regulation is of key importance. The European Union’s General Data Protection Regulation (hereinafter referred to as the GDPR) will restrict how companies collect, store, delete, and use personal data. When the GDPR comes into force, it will replace the current European legislation known as the Data Protection Directive. Because the GDPR is a European regulation rather than a directive, it imposes a more stringent privacy regime which all member states must follow.


This post highlights the impact the enforcement of the GDPR will have on companies as of the 25th of May 2018 and the key obligations that corporations must comply with, in order to avoid the hefty fines associated with the reform.

Every member state must amend its national legislation to comply with these new EU regulations. There have been many changes in the technological sector since the previous directive’s establishment in 1995. The GDPR’s aim is to protect all EU citizens from privacy and data breaches, proposing new regulatory policies while holding true to the key principles of data privacy that were seen in the previous directive.


Changes


The GDPR introduces many changes, including to consent, penalties, territorial scope, breach notification and the right to access, among others. The following section highlights a few of the significant changes that will be seen with this new regulation.


DPO: DPOs, or Data Protection Officers, are a new addition within the GDPR. The appointment of a DPO serves as a significant new burden for organizations that fit the requirements. It affects any organization that processes or stores data on a large scale or whose core activities consist of processing sensitive data, for example data on race, ethnicity or religious beliefs (art. 37), for example in cases in which a company has more than 250 employees. The DPO must be appointed based on professional qualities and expert knowledge of data protection law and practices. The DPO must also be provided with appropriate resources to carry out their tasks and must report directly to the highest level of management. If your organization is not a public authority, an organization that engages in large-scale systematic monitoring, or one that carries out large-scale processing of sensitive personal data, then you do not need to appoint a DPO.


Consent: The changes to consent include an increase in the requirements for obtaining consent to use cookies. Consent must be asked for in a way that is specific, informed, and unambiguous. A key difference between consent in the previous directive and the new regulation concerns continuation of use: inactivity no longer equals consent – it must be explicitly stated and neither vague nor hidden.


Increased Territorial Scope: The new regulation comes with a wider scope, in terms of both territory and liability. On a geographical scale, the GDPR impacts any company that has operations in Europe where the activities pertain to offering goods or services to EU citizens or the monitoring of behavior that takes place within the EU. This includes all companies handling the data of EU citizens, regardless of whether the data processing takes place in the EU or not. In relation to who is legally responsible, while under the previous regulations the data controllers assumed sole responsibility, the new GDPR puts the liability on anyone who encounters the data, applying to both data controllers and data processors.


Stronger Data Protection Rules: New data protection rules include data breach reporting, data portability, the right to access and the right to be forgotten. Stronger data protection rules mean stronger data protection rights, and as a result people now have more control over their personal data. The right to data portability is the data subject’s right to receive the personal data concerning themselves, as well as the right to have the personal data transmitted directly from one controller to another (art. 20). Under the GDPR, corporations have major obligations to follow so as not to breach data subject rights. In order to acquire an individual’s data, they must file an unambiguous, legible request for consent, along with a legitimate purpose for using the data. Once the data is obtained, that individual is entitled to data portability, to data erasure, which allows them to request deletion of their data unless the company has a legitimate reason to keep it, and to the right to access. The right to erasure (or the right to be forgotten) enables the data subject to have the data controller erase their personal data, stop the further spreading of the data and halt its processing by third parties (art. 17). Breach notification is now mandatory in all member states and must be done within 72 hours of becoming aware of said breach. Data processors are also now required to inform both their customers and controllers of this breach without “undue delay.” These new rights introduced by the GDPR are intended to encourage data transparency, while exerting more pressure on large data processing companies to create an effective system to control and record data processing.


Who Does This Affect


The GDPR will not only apply to companies and organizations inside the EU; it will have a far-reaching impact throughout the world. While EU member states are required to comply with the new regulations, any organization outside of the EU that processes or holds the personal data of data subjects residing in the EU must comply as well, regardless of said organization’s location.


In order for a country outside of the EU to receive data, the underlying principle is essentially that it must provide a similar level of data protection. The European Commission has to issue an adequacy decision based on whether the third country’s data protection regime is ‘adequate’ (art. 44). If the third country is not deemed ‘adequate’, there are other data transfer mechanisms in place, such as standard data protection contractual clauses, codes of conduct and certification mechanisms, and BCRs (binding corporate rules).


Penalties


Another big change brought forward with the new data protection regulations in the GDPR is in the area of penalties. In the event of non-compliance, data abuse or violation of a data subject’s rights, as well as other areas of misconduct, the new GDPR imposes hefty consequences. The most serious penalty totals €20 million or up to 4% of a company’s annual global turnover (whichever is the greater amount).


Conclusion


With the first round of audits anticipated in May 2018 (two years after the regulation entered into force), companies are expected to have taken the appropriate measures in order to comply with the GDPR. These audits carry considerable weight, due to the hefty fines associated with the reform. Examples of companies outside of the EU that are getting on board with these new regulations, to avoid the penalties given for misuse of EU citizens’ data, are Facebook and Google. Both companies are taking steps to strengthen their privacy settings and inform their users before the GDPR comes into effect on May 25th. It is important for corporations to get a handle on the scale of data they hold and take the correct steps to make sure their privacy policies are all GDPR compliant, regardless of whether they are located within the EU.
