The Malta Independent 18 April 2019, Thursday

The General Data Protection Regulation and the biggest shakeup it will bring about

Thursday, 20 October 2016, 09:56

Written by Grace Craus, MITA Specialist on Data Protection

The General Data Protection Regulation (GDPR) is the biggest shake-up in data protection that has ever occurred and will replace all the national data protection laws across Europe. The regulation was published in the Official Journal of the European Union on 4th May 2016 and will be applicable in its entirety as from 25th May 2018.


From this date, any organisation established within the European Union that is holding, storing or using personal data will be required to comply with the new rules. The GDPR will have a significant impact on IT, so data controllers and data processors will need to plan ahead for it. Below is a description of a few of the key changes that were made; it is not an exhaustive list.

Territorial Scope

The Data Protection Regulation applies to all processing of personal data by data controllers outside the European Union where the processing activities relate to goods or services offered to data subjects in the European Union, or to the monitoring of their behaviour. Non-European Union data controllers will be affected, as the new regulation's reach is wider than the current position. Offshore cloud services, 'information society' services and a host of other services will be caught by this regulation, which is also most likely to catch data processors that are not themselves based within the EU but that have contracts with EU businesses or deal with the personal data of EU data subjects.

Definition of personal data

European Union data protection law only applies to personal data. 'Personal data' now has a broader meaning that also covers any information related to living individuals, and there are specific definitions for genetic data, location data, online identifiers and biometric data. Under the new regulation, data controllers will simply have to continue finding an answer to their usual question: 'is it personal data?'

Liability for data processors

For the first time, data processors have a statutory liability to implement appropriate security measures when processing personal data on behalf of a data controller, as well as to follow the instructions of the data controller. In addition, they have an express obligation to notify security incidents. IT and services suppliers, as well as customer organisations, will all need to review their contractual arrangements and internal reporting procedures.

Consent

Through the GDPR, it will also be more difficult to obtain consent from the data subject. It is up to the data controller to demonstrate that explicit consent has been granted and that permission was freely given, through the data subject's free choice.

The Article 29 Data Protection Working Party also clarifies the word 'specific'. The controller must clearly and precisely explain the scope and consequences of the data processing in an informed and unambiguous manner. This means that for the consent to be valid, the data subject must be provided with all the relevant information to enable them to understand what they are consenting to. In some cases consent will not provide a legal basis for processing, namely where there is a 'significant imbalance' between the position of the data subject and the data controller. It is for the data controller to bear the burden of proof for demonstrating compliance, through the production of appropriate procedures and policies. In addition, the data subject can withdraw their consent at any time.

Right to Erasure (Right to be forgotten)

In certain cases, data controllers are requested to delete personal data relating to a data subject. These include cases where the individual withdraws consent, objects to the data controller's processing of the information, or where the personal data is no longer needed. This controversial right to erasure, or right to be forgotten, is in reality a right for consumers to have their data erased. However, it is still unclear how this provision will be enforced.

In the online environment, the right to erasure is also extended so that controllers processing personal data can also erase any links to, or copies or replications of, that personal data. In terms of the GDPR, it will be interesting to see how Data Protection Acts will interpret the decision of the Court of Justice of the European Union in Costeja (the Google case).

Data portability

Under this new regulation, the data subject also has the right (where personal data is processed by electronic means and in a structured and commonly used format) to obtain from the data controller a copy of the data processed, in an electronic and structured format. Data subjects also have the right to transfer their data from one controller to another; for example, to move all their account details from one service provider to another. This is not really a data protection measure as such; rather, it provides more rights to consumers. Service providers will need to take note of how they design their platforms to accommodate this requirement.

Breach Notification

The Regulation removes the requirement for data controllers to register with the regulator. As noted above, data controllers now have to notify the regulator of a breach within 72 hours of becoming aware of it, "where feasible". On the other hand, processors have to notify their data controller "immediately". These tight timescales will require a review of procedures for many data controllers, and for processors.

Fines

Slight changes were made in the GDPR where it concerns administrative fines for breaches of EU data protection law. A two-tier penalty system has been introduced, and infringements will now be subject to administrative fines of up to €20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Infringements of the obligations of the controller and the processor (joint controllers) shall be subject to a fine of up to €100,000,000 or, in the case of an enterprise, up to 2% of the annual worldwide turnover, whichever is greater. This change will definitely cause organisations to view compliance with EU data protection law in a different way. For the public sector, the increase in the fine could lead to an unbearable cost for already stretched budgets.

Whilst there are some concessions to micro and small businesses, particularly in relation to record keeping, the GDPR applies to all organisations 'engaged in economic activities' involving the processing of personal data. One thing is clear: the next 18 months are crucial for all organisations that collect, process or store personal data to take the necessary steps to ensure that they can achieve compliance.
