GDPR – General Data Protection Regulation – The new data privacy legislation from the European Union
You have probably heard about the GDPR in the news or in discussions with compliance teams. After four years of discussion and preparation, the regulation will finally take effect in May 2018 for all companies that operate in EU territory; however, this legislation will also trigger changes in markets around the world.
Europe is a notoriously important market for large, medium and even small companies. This change in data privacy requirements applies to all of these companies, regardless of their size or category. It means that if you do any business in any part of Europe, you should be careful about how you handle data from your customers, users, partners and employees.
Differences from previous legislation
The GDPR replaces the Data Protection Directive issued in 1995. The new policy is designed to harmonise data privacy across all of Europe and is much more straightforward than its predecessor. The main changes in the policy concern its scope, penalties and consent. The data subject rights are also described together with a clear statement of the obligations that data processors and/or controllers must follow.
There are three items that require special attention:
Management of providers – Third-party providers are also subject to the regulation. Every change, manipulation, transmission or receipt of data involving these providers must be tracked and recorded by the data controllers.
Notification of failures and breaches – Any failure regarding the administration of the data must be communicated within 72 hours. The impacted parties and the proper authorities must be notified, and there is a specific process to follow.
Privacy by Design – Privacy by design as a concept has existed for years, but it is only now becoming part of a legal requirement with the GDPR. The controller must implement appropriate technical and organisational measures in order to meet the requirements of this Regulation and protect the rights of data subjects. Controllers must hold and process only the data absolutely necessary for the completion of their duties (data minimisation), and must limit access to personal data to those who need it to carry out the processing.
In practice, the changes brought by the new legislation make the approach to data protection much less complicated and bureaucratic; however, it brings serious consequences and penalties for those who don't comply with it. These penalties can take the form of fines of up to 4% of annual global turnover or €20 million, whichever is greater. This is the maximum fine that can be imposed for the most serious infringements. Actions such as not having sufficient customer consent to process data or violating the core Privacy by Design concepts are subject to these penalties. Not having records in order can also cost a company 2% of its annual revenue. It is important to note that these rules apply to both controllers and processors, directly impacting cloud service providers.
Data Subject Rights
The new policy also lists the rights that data owners and citizens are now entitled to; here are some important items to remember:
Right to be forgotten – Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data. The conditions for erasure include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject's rights against "the public interest in the availability of the data" when considering such requests.
Data Portability – The right of a data subject to receive the personal data concerning them, which they have previously provided, in a "commonly used and machine-readable format", and to transmit that data to another controller.
Data Protection Officers
Currently, controllers are required to notify their data processing activities to local data protection authorities (DPAs), which, for multinationals, can be a bureaucratic nightmare, as most Member States have different notification requirements. Under the GDPR it will no longer be necessary to submit notifications or registrations of data processing activities to each local DPA, nor will it be a requirement to notify or obtain approval for transfers based on the Model Contract Clauses (MCCs). Instead, there will be internal record-keeping requirements, and the appointment of a Data Protection Officer (DPO) will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data, or of data relating to criminal convictions and offences.
For all companies that do business with partners or customers within EU territory, it is very important to prepare to comply with this legislation, enforcing it across all systems that manage, retain or manipulate data at any level. This is just one of the changes foreseen for 2018 in terms of data privacy; many other regulations inspired by the principles of Europe's legislation are expected in different parts of the globe.