In January 2012, the Commission proposed a comprehensive reform of data protection within the European Union framework. Over four years in the making, the European Union General Data Protection Regulation (referred to in short as the GDPR) was finally approved on 14th April 2016 and published in the European Union Official Journal on 4th May 2016. The Regulation shall repeal and replace the present Data Protection Directive 95/46/EC and all the national laws implementing it. Indeed, the GDPR presents the most ambitious and comprehensive changes to data protection rules since the 20-year-old Directive.
The GDPR shall remove the fragmented system that is currently in place with respect to data protection and shall establish a single law regulating all data protection matters, a law that shall apply directly throughout the European Union territory, including Malta. EU citizens shall see their fundamental rights strengthened through the introduction of new rules.
The GDPR shall introduce wide-ranging changes which require appropriate understanding, acceptance, preparation and implementation across the whole European Union territory and in all organisations that shall be subject to the Regulation.
Indeed, the GDPR shall expand its territorial scope in order to capture organisations that are not established inside the European Union. This shall only occur if one of two conditions is met: the organisation offers goods or services to data subjects in the European Union, or the organisation monitors the behaviour of data subjects in the European Union. Thus the new data protection law shall start to apply to many organisations regardless of where they are established.
Organisations shall see their accountability increased – they are obliged to inform data subjects of their data protection rights, giving a thorough explanation of how the personal data is being used and for what purposes, and also specifying the retention period of the said data. Organisations have the responsibility to maintain registers of their processing activities and to create internal inventories. When data processing is considered to be a high-risk processing activity, a Data Protection Impact Assessment is mandatory, as is the appointment of a Data Protection Officer.
Additionally, the GDPR brings with it stricter data breach reporting. If a data breach occurs, it must be reported to the Data Protection Commissioner within 72 hours, without undue delay. If the data breach is of a serious nature, then the data subject needs to be informed as well.
Moreover, a further change brought about through the GDPR concerns the consent given by data subjects. Indeed, this requirement shall be more stringent: consent has to be given either by a statement or by a clear affirmative action that confirms the consent given. Furthermore, consent must be given for a specific purpose and it can be withdrawn at any time.
However, the largest shift marked by the GDPR is that individuals shall benefit from greatly enhanced rights, such as the right to object to automated processing and the right to request the deletion of unnecessary personal data. Data subjects shall have the right to receive a copy of their personal data in a commonly used machine-readable format and to transfer their personal data from one controller to another. A data subject also has the right of access to the information that is being processed with respect to his/her person.
The GDPR shall apply directly in all European Union Member States as from 25th May 2018. Non-compliance with the GDPR gives rise to significant penalties – for a minor breach a company can be sanctioned up to ten million Euro or 2% of its annual global turnover, whilst for a major breach it can be sanctioned up to twenty million Euro or 4% of its annual global turnover, whichever is higher. Beyond the fine itself, the media coverage a company would receive from such a finding could cause significant damage to its brand.