The General Data Protection Regulation: on your marks, get set, go!
This is the post-Snowden era – an age of caution in which the EU has sought to bring data protection laws into the modern age. Admittedly, avoiding George Orwell’s vision of the future is a true challenge. To better regulate technology and the way we do business, Regulation 2016/679 (the General Data Protection Regulation, GDPR) builds on Directive 95/46/EC (the Directive) and addresses various blind spots in data protection law under the former Directive, with the aim of bringing the rules up to date, especially in relation to new technologies.
The GDPR will affect undertakings and individuals in the EU who collect and process personal data, as well as other entities doing business in the EU even if they are based abroad (data controllers). Enforcement of the GDPR starts on May 2, 2018, and data controllers need to be in conformity with all the legislative requirements by then.
Non-compliance is treated extremely seriously: penalties, scaled according to the nature of the breach of the GDPR, have been introduced and can reach up to €20 million or 4% of the controller’s worldwide annual turnover, whichever is the higher.
Understanding and Complying with the GDPR
The GDPR raises a number of key issues that data controllers should consider, including the following:
Principles of Data Protection: Matters such as the principles of data protection, the requirement for the consent of the data subject, and the concept of full processing remain, although some principles, such as the obligation for data controllers to prove valid consent, impose additional compliance requirements on data controllers.
Rights of Data Subjects: Some rights of data subjects are strengthened by the GDPR, such as the right to object, while new rights have been introduced, for instance the right to data portability (from business to business upon request) and the rights of individuals in relation to profiling activities carried out by data controllers.
Compliance Obligations: Data controllers’ compliance obligations and accountability have increased. The GDPR imposes on controllers obligations such as the requirement to keep an internal register of data processing activities and the requirement to have privacy policies in place. Organisations may also be required to appoint a data protection officer who is formally tasked with ensuring that the data controller complies with its responsibilities under data protection law.
Privacy by Design: Privacy by design means that when a new business venture or process is being considered, the protection of the privacy of the individuals whose data is involved has to be considered from inception, and a data protection impact assessment would need to be drawn up. This ensures that the process is organised in such a way that only the personal data necessary for the operation is used.
Data Breach Notification: In the event of a breach of data protection processes and/or security, a controller must notify the supervisory authority of the breach within 72 hours of becoming aware of it (notification after 72 hours is possible if the delay can be justified). Furthermore, when the breach is highly prejudicial to data subjects, the controller is also expected to notify the data subjects of the breach without undue delay.
The above are but a few of the measures under the GDPR to ensure that personal data is better safeguarded in the future.
The Malta IT Law Association is a voluntary organisation established to promote the advancement and development of IT.