After more than four years of discussion, the new framework for the protection of personal data in the EU was adopted on April 8, 2016. The General Data Protection Regulation (GDPR) will replace the current Directive (Directive 95/46/EC for the private and most of the public sector, and Council Framework Decision 2008/977/JHA) on the protection of personal data and will apply directly in all member countries of the European Union. The regulation applies from May 25, 2018 and will have an immediate effect, since it contains a number of obligations for organizations. The adoption of the GDPR marks a new milestone in EU legislation on the protection of personal data. To help organizations prepare for the new legislation, the Article 29 Working Party (WP29), composed of representatives of the Data Protection Authorities (DPAs) of the EU member states, has started developing clarifications on various aspects of the GDPR.
Let us go through the essentials we need to know.
Expansion of the Territorial Jurisdiction:
The GDPR not only applies to organizations located within the EU, but will also apply to organizations located outside the EU if they offer goods or services to, or monitor the behavior of, EU data subjects. In other words, the legislation applies to all organizations processing and holding personal data of data subjects residing in the EU, regardless of the company’s location.
Reporting and Confidentiality:
The GDPR imposes specific responsibilities on data inspectors. In particular, they are required to:
- Maintain only the necessary documentation;
- Upgrade their systems accordingly so that personal data is stored securely and access is granted only when necessary;
- Assess the impact of the processing of personal data on the rights of data subjects (individuals) for riskier types of processing (the list of such operations is compiled by the DPA);
- Implement data protection at the structural level, using the data minimization approach;
- Consider the option of reporting and its consequences.
The Role of Data Processors:
One of the most important innovations of the GDPR is that, for the first time, data compilers are directly responsible for:
- Keeping a record of all personal data processing operations carried out on behalf of all participating data controllers;
- Appointing, if necessary, a data protection inspector;
- Appointing an EU representative (if the principal does not have representation in the EU); and
- Notifying the data controllers without delay about detected leaks of personal data.
Individual Consent for the Processing of Personal Data:
- Should be given freely;
- Should be clear and explicit;
- Should clearly cover the specific processing or transfer purposes and a specific timeframe;
- Can be withdrawn at any time;
- The data subject has a right to anonymity.
The Conscientious Processing of Data:
Data controllers are obliged to provide the data subjects (individuals) with:
- Transparent information regarding the legal basis for collecting the necessary data;
- Transparent information about the data processing and the relevant security;
- Clear information on the purpose of collecting, transferring and keeping the data;
- Clear information on the timeframe for which such data is kept.
The Role of the Data Protection Officer (DPO):
Required only in the following cases:
- For public authorities (courts are excluded);
- For large-scale monitoring of data subjects involving specific personal data;
- For large-scale processing of personal data of specific categories, or of data relating to convictions for or accusations of criminal offenses;
- For organizations with more than 250 employees.
Responsibilities of the DPO:
- To inform and advise the company and its employees;
- To monitor compliance with the Regulation and other regulatory requirements;
- To assign responsibility for education and awareness;
- To provide advice on the impact assessment and its implementation;
- To act as the contact point with the Data Protection Commissioner.
The GDPR establishes multi-level sanctions for violations of data protection law. For some violations, the DPA may impose a fine of up to the higher of two figures: 4% of the organization’s annual worldwide turnover or €20 million. Other violations can result in a fine of up to 2% of the annual worldwide turnover or €10 million.
How do companies prepare for the new legislation?
- Prepare for data leaks
- Create a reporting system
- Implement data protection at the structural level
- Analyze on what legal bases you use personal data
- Check your privacy policies and privacy notices
- Remember the rights of data subjects
- If you are a provider, check to see if you have any new duties as a handler
- Review cross-border data transfers
“If you think compliance is expensive, try non-compliance”
European legislation on the protection of personal data defines two main subjects – “supervisors” and “processors”:
“Supervisor” means a person or company, an official organization, an agency or other body that, independently or jointly with others, determines the purpose and means of processing personal data; where the purpose or means of processing are determined by national legislation or Community rules, the controller abides by such rules and reports to the relevant authorities.
“Processor” means a person or company, an official authority, an agency or other body that processes personal data on the instructions of the controller.