The Malta Independent 19 April 2024, Friday

Is your company GDPR compliant? 25 May deadline looms for sweeping EU data protection requirements

Helena Grech, Saturday, 19 May 2018, 11:30

The General Data Protection Regulation (GDPR) is far-reaching legislation intended to protect the data of citizens within the European Union (EU). The GDPR is a move by the Council of the European Union, the European Parliament and the European Commission to give citizens a greater level of control over their personal data. The Malta Independent sat down with Deloitte’s legal advisor Inger Cini to get a run-down on how companies may cope with the upcoming changes.

This sweeping law cuts through all sectors, industries and service provision within the EU. Of note is the law’s extra-territorial effect: companies outside the EU that deal with the data of citizens within the EU must also be compliant, and are subject to hefty fines.

GDPR was approved by the European Parliament on 14 April 2016. The EU provided a two-year transition period for organisations to become compliant. The deadline is now fast approaching, with companies becoming subject to the new requirements as of 25 May. Fines for non-compliance are either four per cent of group profits or €20 million, whichever is higher.

Personal data covered by the GDPR ranges from names, photos, e-mail addresses, social media posts, IP addresses and banking information to anything that is specifically connected with a particular individual. All businesses, services, entities and agencies that provide services to the public deal with personal data in one shape or another.

Deloitte’s legal advisor Inger Cini shed some light on how businesses and entities need to rethink their use of data.

Data rethought

“In the past, data protection never used to be enforced or subject to huge lawsuits, and it was undermined across the board. There were already some similar requirements within the old data protection directive implemented in EU member states; however, companies did not go for the compliance which they ought to have.

“In the beginning of this two-year grace period, companies have been taking the new requirements quite lightly.”

Cini remarked that once the first law suits and the ensuing fines are imposed, it is likely that more companies will realise the implications of this legislation.

“We have some case law from the past, mainly to do with data subjects’ rights, with the most famous one being Google in relation to the right to be forgotten.

“I think with the new set-up, companies can actually have lawsuits between themselves - like a controller suing the processor by claiming that data was not processed in the way it was instructed to.”

The GDPR strengthens the concepts of data controllers and data processors. A data controller is a central figure when it comes to protecting the rights of the data subject (a.k.a. the individual).

The data controller, as its name implies, controls the overall purpose and means, or the ‘why’ and ‘how’ the data is to be used.

Organisations that process data on behalf of the controllers are known as the data processors.

“Before, it was just the controller who was responsible; now, with the new regulation, the processors have responsibility too. You can even have joint controllers.

“If you use cloud services, the cloud providers are already processors of your own data. You could have processors that would have never thought of themselves in that way.”

Training personnel to be compliant

“There is an obligation coming out from the law itself for human resources employees and any other employees who handle sensitive data to be specially trained. In our case, like with other corporate services companies, it would mainly be in the HR department. Organisations like a health clinic have practically all personnel handling sensitive data.

“Of course, since it is such a far-reaching law, we need to have everybody trained, because even in client engagements they need to be aware of certain things when they receive inquiries.

“In my case, I receive around one or two queries per day asking whether, as a company, we are GDPR compliant, or about other GDPR-related issues.

“The training, although we are lucky having the set-up of a global firm, has already commenced for staff specifically on privacy and confidentiality. They are trained in the generic notions of privacy, but we must go deeper and provide more in-depth knowledge. We started with very small groups and now we must roll this out to the rest of the staff. Another thing to consider is that this is an ongoing obligation, so while it is time consuming, this is not just a one-off exercise.”

Do professionals see this as a huge change or have the concepts already been in place?

“I think it is a big change because we are living in what is being called the fourth industrial revolution. I think this is actually part of it. We are not used to data having a value, or data needing to be protected in a certain manner. Yes, undeniably it looks huge for most companies.

“It is big and it is not – there are some aspects of it that are really far ranging. This law is very generic and cuts through all sectors in all industries, so you cannot really have a one-size-fits-all approach. It is a very high-level law. Until you get down to how it can be applied in the various areas, it will look even bigger, especially considering some areas are extremely grey.

“For example, in the financial services industry we are all always working through e-mail. With the new law, data subjects are empowered to request that their data is completely removed from the records of a particular company. It is practically impossible to ensure this with so many e-mails sent and received in a day. It is hard to give a 100 per cent guarantee that everything has been removed.”

How easy will it be to enforce GDPR?

“We rely heavily on the data protection commissioners, which is encouraged, to issue guidelines that are sector specific.

“Data is so precious and can be abused so easily that there need to be safeguards, and this is why the fines for non-compliance are so large.

“Even though our data protection commissioner has taken a soft approach in the past, they might have their arm twisted to comply by external data protection commissioners.”

Extra-territorial law

“The UK Information Commissioner’s Office is extremely active, which is interesting because the UK is moving out of the EU. What is interesting is that this is the first time the EU will have an extra-territorial reach. Any service provider from outside the EU who services clients outside the EU is subject to this legislation. This is extra-EU territorial reach, which could be a first.

“The law tries to give the individual all the power possible to push for their rights. They tried to make it as easy as possible for the data subject to launch complaints and take action. There are also provisions on protective actions by NGOs who can represent groups for free. They tried to give the data subject as much power as possible to manage their data.

“What the EU regulator is saying is that initially they will go for what was already regulated by the previous data protection directive, so they won’t go for any new clauses introduced by the regulation. They will go for what companies should have already had in place in accordance with the previous directive.”