GDPR: Gathering Data? Prepare to Regulate!
Today, the General Data Protection Regulation (GDPR) has come into force. The GDPR is a fundamental step towards enhancing citizens’ fundamental right to privacy, reinforcing the EU’s internal market and promoting business by streamlining standards for companies operating within the Digital Single Market.
Understanding the upcoming legal framework is vital, since international consistency around data protection laws is crucial to both businesses and individuals, especially given the immense risk of cyber-attacks and online security threats in this ever-growing digital economy. The GDPR will repeal the Data Protection Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The new law focuses on self-regulation and thus, both companies and individuals must ensure that they are compliant with the GDPR.
The Regulation provides individuals with more control over how their personal data is processed and makes such data more accessible. The new changes actively consider the necessity of protecting personal data irrespective of where such data is processed, stored or ultimately sent. The GDPR streamlines data protection rules and curtails the burden of dealing with the different Member State data protection laws. Moreover, businesses, organizations and firms will be able to reduce the extra administrative costs relating to the interpretation of data protection law pertaining to different Member States.
The GDPR has widened its territorial scope by extending its jurisdiction to all companies which handle and process personal data belonging to data subjects in the European Union. The Regulation has extended the law’s applicability to the processing of all personal data by Controllers and Processors in the EU, regardless of where the processing of data actually occurs. Furthermore, it also covers the processing of data by Controllers which are not based in the EU in cases relating to the offering of goods or services to EU citizens and the monitoring of behavior which is carried out in the EU.
The following overview provides a breakdown of the key provisions introduced by the GDPR and a number of recommended action points which GVZH Advocates can assist you with.
Obligations of Data Controllers
With respect to the notion of accountability, in terms of the GDPR, the Controller is accountable for, and must be able to show that it is adhering to the principles on the protection of personal data. The concept of accountability will encourage Controllers to take on a more pro-active approach. Unlike the Directive, the GDPR goes a step further and provides more detailed guidance as to how organizations can show that their data processing is legitimate and justifiable.
Further importance is now being given to the security of the data being processed. The GDPR increases the burden on “high risk” processing, which relates to activities such as surveillance, analytical assessments, or the processing of special categories of data. In the aforementioned instances, an organization conducting such activities is obliged to prepare a comprehensive privacy impact assessment.
The GDPR has also brought about changes with respect to records relating to processing activities. Controllers employing more than 250 persons or processing “high risk” data are now duty-bound by law to retain records of their processing activities and to present such records to Data Protection Authorities upon request.
- Ensure that the Controller is aware of its responsibilities in relation to its data processing activities.
- Ensure that the Controller has implemented the appropriate security measures in respect of each of its processing activities and that data security policies are in place.
The GDPR encourages transparency between the Data Controller and the data subject. Upon collection of personal data, the Data Controller must provide a specific list of information to the data subject. This information includes, inter alia, the purpose for which the personal data is collected as well as the legal basis for such processing, the recipients of such personal data and the rights of the data subject.
- Update any privacy policies currently in place
- Review and update data protection clauses in employment contracts
- Ensure that data protection information notices are provided upon collection of personal data (e.g. in job applications and forms)
Obligations of Data Processors
In order to understand the entirety of the obligations imposed on a Data Processor, one must first understand the definitions of Data Processors and Data Controllers. A data controller is an individual whose role is to determine the reasons for which and the way in which a subject’s personal data is processed. Processing of personal data is defined widely as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” A Data Processor is therefore a natural or legal person who undertakes processing of personal data on behalf of the Data Controller.
One of the most notable changes in the GDPR is that Data Processors are now presented with a set of straightforward obligations. For instance, Data Processors are to establish technical and logistical measures to deal with any data breaches and they should also ensure swift notification to the Controller about any such breach. Therefore, both Processors and Controllers must ensure that they have secure data processing systems in place. Moreover, the relationship between a Controller and a Data Processor must be regulated by a binding contract which should clearly set out the rights and obligations of both parties in relation to the provision of the processing services.
The principle of accountability not only applies to Controllers but also to Processors. As mentioned above a Processor is responsible for establishing a wide-ranging set of measures to protect data which may be subject to high risk and a Processor is bound to notify the Controller of any data breaches.
- Draw up clear policies and good practice procedures to ensure an efficient reaction and notification procedure in the event of a data breach.
- Review policies to ensure that an organization’s practices are in line with the required standards.
- Ensure that all Controller-Processor relationships are regulated by a written agreement which is GDPR-compliant.
Data Protection Officers
Currently, Controllers are obliged to notify local Data Protection Authorities about their data processing activities, which, for particularly large companies, can be a time-consuming task and a highly complex matter, since most Member States have different notification requirements. Under the GDPR this notification process is no longer in place. Instead, a DPO will be appointed only by those Controllers and Processors whose core activities include processing operations which require consistent and methodical monitoring of data subjects.
In terms of the GDPR, the Controller is accountable for, and must be able to show that the principles of data protection are being adhered to. This will encourage Controllers to take on a more pro-active approach. Moreover, on the whole, the Controller is charged with the responsibility of establishing the most suitable and logical technical standards to guarantee and to show that the activities relating to the processing of personal data are in line with the requisites imposed by the GDPR.
- Provide regular staff training in order to ensure that employees understand their data protection rights and obligations.
- Appoint a designated data protection representative within the Company who will deal with data protection matters.
New Rights for Data Subjects
The concept behind this most recent addition is that organizations and businesses must not only comply with the GDPR but must also be able to show their compliance. This is to be done through organizational and administrative measures which will illustrate a business’s adherence, such as the creation or enforcement of internal policies and assessments. All actions undertaken by an organization which relate to the processing of data belonging to data subjects must be founded on the principles of transparency, governance and accountability.
Data Breach Notifications
Data Controllers and Data Processors are now obliged to comply with a general personal data breach notification regime. Moreover, data subjects are now to be notified by the Data Controller whenever a breach of security of their data is likely to “result in a risk for the rights and freedoms of individuals”.
In terms of the GDPR, requirements relating to data subject consent are significantly more specific. This means that a request for consent must be presented in a clear and unambiguous manner and consent must also be distinguishable from other written agreements. Once a request for consent is presented, the individual must provide his consent in an affirmative manner. Consent may be sought by any suitable method enabling a freely given, specific and unambiguous indication of the data subject’s intentions. The data subject has the right to withdraw his/her consent at any point in time.
Right to be Forgotten
Also known as Data Erasure, an individual can request for data pertaining to him/herself to be erased, if the data is no longer relevant or if the data subject him/herself is withdrawing his/her consent. Such requests are taken into consideration by the data controller, who must respond to such requests within 30 days.
- Establish a practice of monitoring, reviewing and assessing data protection procedures.
- Keep data processing and data retention to a minimum, whilst providing for inbuilt safeguards and data retention periods.
- Establish data breach procedures.
- Ensure that any relevant agreements and terms and conditions are updated accordingly.
- Review how consent is sought, recorded and managed.
Failure to adhere to the GDPR will result in hefty fines. Merely processing data without the instructions of the Data Controller or processing personal data of a child without the necessary parental consent can attract a fine of up to 2% of total global annual turnover or €10m (whichever is the higher). On the other hand, more serious breaches will lead to more serious fines; unlawfully processing someone’s personal data or restricting the data subject from his rights to erasure of personal data can lead to a fine equivalent to 4% of the annual global turnover of said organization, or €20 million, whichever is greater. Hence, adherence to the GDPR through self-regulation is key.