In January 2012, the Commission proposed a comprehensive reform of data protection within the European Union framework. Over 4 years in the making, the European Union General Data Protection Regulation (GDPR for short) was finally approved on 14th April 2016 and published in the European Union Official Journal on 4th May 2016. The Regulation repeals and replaces the present Data Protection Directive 95/46/EC and all the national laws implementing it. Indeed, the GDPR presents the most ambitious and comprehensive changes to data protection rules since the 20 year old Directive.
The GDPR removes the fragmented system currently in place with respect to data protection and establishes a single law regulating all data protection matters, a law that applies directly throughout the European Union territory, including Malta. EU citizens will see their fundamental rights strengthened through the introduction of new rules.
What are the core changes in Data Protection?
It is highly recommended to look at the key changes put forward through the GDPR in order to understand better what needs to be prepared and implemented within an organisation. Below we provide an overview of these changes.
The scope of the GDPR extends to organisations based outside the EU: if they process personal data about data subjects within the EU, they still need to comply with the GDPR.
An organisation ESTABLISHED OUTSIDE the EU is subject to the GDPR if either it:
- Offers goods or services to data subjects in the EU; OR
- Monitors the behaviour of data subjects in the EU.
Reporting Data Breaches
The GDPR brings with it stricter reporting duties when it comes to data breaches. In fact, if a data breach occurs, it needs to be reported to the Data Protection Commissioner within 72 hours. If the data breach is considered of a grave nature, it also needs to be notified without undue delay to the data subjects whose data has been breached. A data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, the personal data being processed.
Sanctions for non-compliance
Under the GDPR there is a considerable shift in the sanctions imposed on organisations that do not comply with the Regulation. Before the GDPR came into place, the highest fine under the Data Protection Act was circa €23,000. Now fines rise considerably: up to €10million or 2% of the annual global turnover for minor breaches, and up to €20million or 4% of the annual global turnover for more serious breaches.
Data subjects may also sue for damages, even moral damages!
Appointment of a Data Protection Officer (DPO)
Before the GDPR, the appointment of a data protection officer was optional in most Member States; now, under the GDPR, appointing a DPO becomes mandatory for organisations that meet certain conditions. The GDPR outlines the circumstances in which the appointment of a DPO is obligatory:
- Where the core activities of the organisation consist of processing operations which require regular and systematic monitoring of data subjects on a large scale;
- Where the core activities consist of processing of special categories of data on a large scale;
- Where required under Member State law.
The DPO reports to the highest management level of the organisation. Once a DPO is appointed, his/her contact details must be notified to the Supervisory Authority, so that the Authority knows who the contact person between itself and the organisation is for issues pertaining to data protection.
Rights for Data Subjects
Data subject rights already existed under the Data Protection Act. Nevertheless, these rights have been enhanced, and a new right has been introduced: the right of data portability.
Upon a request from the data subject in respect of the rights listed below, the controller must take action within 1 month or, should the request be considered complex, within 3 months. The timeframe starts running from the day the request is received.
Data Subject Rights include:
- Right to Rectification
- Right to be Forgotten
- Right of Access
- Right of Data Portability
- Right to Restriction
- Right to be Notified
- Right to Data Minimisation
Increase in Accountability
It is of utmost importance to realise that the GDPR places onerous accountability requirements on both the controller and the processor: they must not only comply with the GDPR but also be able to demonstrate such compliance. Some requirements must be explicitly demonstrated, while others are only implied, such as the implementation of a data protection programme so that data protection receives the right amount of attention within the organisation.
New Consent Requirements
Through the GDPR, the rules on the data subject’s consent change. Indeed, consent requirements are stricter under the GDPR, which states that consent must be given either by a statement or by a clear affirmative action confirming the consent thereby given. This is further confirmed where the Regulation clearly states that silence or pre-ticked boxes do not constitute consent. Thus the inactivity of a data subject means that no consent has been given for the processing of data.
Consent is one of the legal grounds that can be relied on for the processing of data. If an organisation decides to use the said ground to process data, then an organisation is obliged to demonstrate that the consent obtained is unambiguous, freely given, specific as well as informed.
Principles of Data Protection
Article 5 of the Regulation expounds in great detail what the data protection principles are. These principles can be summarised as follows:
- Storage Limitation
- Purpose Limitation
- Data Minimisation
- Integrity / Confidentiality
These Data Quality Principles must ALWAYS be adhered to, without exception! However, before one ascertains that all the principles are being complied with, one needs to determine whether the processing of personal data is lawful or not.
Lawful Grounds to Process Data
The GDPR requires the processor to identify lawful grounds for the processing of data. The grounds for processing can be divided into six pillars:
- Consent of the data subject.
- The performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract.
- Compliance with a legal obligation of the controller.
- Protection of the vital interests of the data subject or of another natural person.
- The performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, particularly where the data subject is a child.
How can CSB Group help?
The GDPR introduces many changes within the legal landscape of data protection, changes that will require corporate restructuring and the introduction of new internal policies. In this respect, CSB Group can offer the following services:
- A closer look at the regulatory changes.
- Expert legal advisory service.
- A comprehensive understanding of how the GDPR will affect your business operations.
- Identifying the gaps in compliance and addressing them accordingly.
- Recommendations on what needs to be amended in business practices and what needs to be implemented to become compliant with the Regulation.