On the 4th of May 2016 the new General Data Protection Regulation (GDPR) was published. Since it concerns a regulation, the GDPR will be directly applicable in all member states without the need for implementing a national legislation. It will not apply until the 25th of May 2018. However, it contains some onerous obligations, many of which will take time to prepare for. It is therefore necessary to start preparing now in order to be ready by the 25th of May 2018.
The goal of the GDPR is to ensure a better protection of personal data of individuals. The GDPR will have an important impact on companies and more in particular on the relationship between an employer and an employee. An employer will have to take into account the obligations under the GDPR each time personal data of an employee are processed (f.e. e-mails, address details or evaluations).
Hereunder we summarize some of the highlights in the GDPR:
Expanded territorial reach
The GDPR catches data controllers and processors outside the EU whose processing activities relate to the offering of goods or services (even if for free) to, or monitoring the behaviour (within the EU) of, EU data subjects. Many will need to appoint a representative in the EU.
This means in practice that a company outside the EU which is targeting consumers in the EU will be subject to the GDPR, which is not the case currently.
Data Protection Officers
The GDPR introduces the Data Protection Officer (DPO) which should be appointed by data controllers and processors in the following circumstances :
processing is carried out by a public authority,
in case the processing requires a considerable observation of the data subject,
in case of the processing of personal data concerning criminal conviction,
The DPO requires sufficient expert knowledge. The DPO will have to provide advices and monitor implementation of the GDPR. He will be the contact for the Supervisory Authority.
Role of data processors
The GDPR has considerably expanded the obligations of the data processors, who will have direct obligations for the first time. These include an obligation to:
Maintain a written record of processing activities carried out on behalf of each controller
Appoint a DPO where required
Appoint a representative (if not established in the EU) in certain circumstances
Notify the controller on becoming aware of a personal data breach without undue delay.
As in the past a data subject’s consent to process their personal data is required. However under the new GDPR the consent must be explicit and the consent to process must be as easy to withdraw as to give.
Where personal data are processed for direct marketing, the data subject will have a right to object. This right will have to be explicitly brought to their attention .
Fair processing notices
As in the past, a data controller must provide transparent information to data subjects at the time the personal data is obtained, but the requirements in the GDPR are much more detailed than those in the current Directive. For example, the information to be provided is more comprehensive and must inform the data subject of their rights and the period for which the data will be stored.
Data breach notification
Data controllers must notify the Supervisory Authority within 72 hours of awareness of a data breach. A reasoned justification must be provided if this time frame is not met. If the data breach could be detrimental to the data subject the data controller must also notify the affected data subjects without undue delay.
It is very important that companies check if they are acting in accordance with the new GDPR to avoid the fines which the supervisory authority can impose. Some infringements would attract a fine up to the higher of 10.000.000 euro or 2 % of the annual worldwide turnover.
For serious breaches there is a fine of up to the higher of 20.000.000 euro or 4 % of the annual worldwide turnover can be imposed.
Removal of notification requirements
A welcome change for data controllers is a removal of the requirement to notify or seek approval from the Supervisory Authority in many circumstances. Instead of general notification, the policy now is to require data controllers to put in place effective procedures and mechanisms focusing on more high risk operations and carry out a data protection impact assessment to consider the likelihood and severity of the risk, particularly with large scale processing.
Data subjects’ rights
The new GDPR contains many stringent rights of data subjects. These include for example a right to require
information about data being processed about themselves, access to the data in certain circumstances, and correction of data which are wrong.
There is also a right to restrict certain processing and a right to object to their personal data being processed for direct marketing purposes. Individuals can also ask to have their personal data returned in a structured format so that it can easily be transferred to another data controller. (This is known as “data portability”).
Individuals are allowed to require from the data controller to erase their personal data without undue delay in certain situations, such as where they withdraw consent and no other legal ground for processing applies. Alongside this the data controller is also obliged to take reasonable steps to inform third parties that the data subject has requested erasure of any links or copies of that data.
The data controller must respond to these requests from the data subject for information within a month, with a possibility to extend this period for particularly complex requests.
What you should be doing now to prepare
Inform key figures and policy makers about the upcoming changes. They must estimate what the effects of the GDPR will be for the company or organisation.
2. Data register
Identify what personal data you keep, where they come from and with whom you share it. Register your processing. You might have to organise an information audit for this.
Communication : Evaluate your existing privacy statement and plan any necessary changes in view of the GDPR.
3. Rights of the data subject
Check if the current procedures in your company or organisation provide all the rights that the data subject concerned can appeal to, including how personal data can be removed or how information will be communicated electronically.
4. Request for access
Update your existing access procedure and consider how requests for access will be treated by the new terms in the GDPR.
5. Legal basis for processing personal data
Document different type of data processing you perform and identify the legal basis for each of them.
Evaluate the way you request, obtain and register consent, and change where necessary.
Develop systems that check the age of the data subject and that request permission from the parents or guardians for the data processing of under aged children.
8. Data breaches
Provide adequate procedures to detect, report and investigate personal data breaches.
9. Data protection by design and data protection impact assessment :
Familiarize yourselves with the concepts “data protection by design” and “data protection impact assessment” and look at how to implement these concepts in the operation of your company or organisation.
10. Data protection officer
If necessary appoint a DPO or someone who bears responsibility for compliance with data protection rules. Determine which place this person will take within the structure and policy of your company or organisation.
Determine under which Supervisory Authority you will fall if your company or organisation is active internationally.
12. Existing contracts
Evaluate your existing contracts, mainly those with processors and subcontractors, and make the necessary changes in time.
Full text of the GDP Regulation: link
If you want more information / advice on the General Data Protection Regulation (GDPR), please contact email@example.com.