General Data Protection Regulation (GDPR)

General Data Protection Regulation (GDPR)

Get in Touch with NAME

The General Data Protection Regulation (GDPR) came into force on 25th May 2018 with the aim of modernising laws that protect personal information of individuals while increasing rights over how people can control such information. CSB Group advises business on these regulations and the implementation of GDPR compliant business practices.

EU Data Protection Reform

In January 2012, the Commission proposed a comprehensive reform of data protection within the European Union framework. Over 4 years in the making, the European Union General Data Protection Regulation (in short referred to as GDPR) was finally approved on 14th April 2016 and published in the European Union Official Journal on 4th May 2016. The Regulation came into force on 25th May 2018 and replaced the previous Data Protection Directive 95/46/EC and all the national laws implementing it. Indeed the GDPR presents the most ambitious and comprehensive changes to data protection rules since the 20-year-old Directive.

The GDPR removed the fragmented system that was previously in place with respect data protection, and established a single law that regulates all data protection matters which law applies directly throughout the European Union territory including Malta. The introduction of these new rules has seen the EU citizens’ fundamental rights strengthened and protected.

What are the core changes in Data Protection?

It is highly recommended to look at the key changes that have been put forward through the GDPR in order to understand better the obligations and required implementations within an organisation. Here forth we shall provide an overview of these changes.

The scope behind the GDPR shall be extended for organisations that even if they are based outside the EU but are nevertheless processing personal data about data subjects that are within the EU, then they still need to be compliant with the GDPR. An organisation ESTABLISHED OUTSIDE the EU is subject to the GDPR if either it:

  • Offers goods or services to data subjects in the EU; OR
  • Monitors the behaviour of data subjects in the EU.

The GDPR brings with it stricter reporting duties when it comes to data breach. In fact, if a data breach occurs, this needs to be reported to the Data Protection Commissioner within 72hours. If the data breach is considered of a grave nature then the data breach needs to be notified without undue delay to the data subject whose data has been breached. A data breach is defined as a breach of security leading to the accidental or unlawful unauthorised access to processed personal data, destruction, loss, alteration or unauthorised disclosure.

Under the GDPR one shall notice a considerable shift when it comes to the sanctions imposed against organisations that are not compliant with the Regulation. Indeed, before the GDPR came into place, the highest fine under the Data Protection Act was that of circa €23,000. Now, one shall notice that fines shall rise considerably – up to €10million or 2% of the annual global turnover for minor breaches and €20million or 4% of the annual global turnover for more serious breaches.

Data Subjects may also sue for damages – even moral damages!

If, before the GDPR, the appointment of a data protection officer was optional in most Member States, now, under the GDPR, it is mandatory to appoint a DPO within an organisation.  Nevertheless, the GDPR outlines under which circumstances the appointment of the DPO becomes obligatory:

Data Subjects may also sue for damages – even moral damages!

  • Where the core activities of the organisation consist of processing operations which require regular and systematic monitoring of data subject on a large scale;
  • Where the core activities consist of processing of special categories of data on a large scale;
  • Where required under Member States law.

The DPO would report to the highest management level of an organisation. Once a DPO is appointed, his/her contact details need to be notified to the Supervisory Authority so that the latter would be aware who shall be the contact person between the Authority and the particular organisation with respect to issues pertaining to data protection.

Data Subject Rights already existed under the Data Protection Act. Nevertheless, these rights have been enhanced and one shall also notice the introduction of a new right – right of data portability.

Upon the request of the data subject with respect the below illustrated rights, the controller must take action within 1 month or should the request be considered complex, than the controller can take action within 3 months. The said timeframe starts running from the day the request is received.

Data Subject Rights include:

  • Right to Rectification
  • Right to be Forgotten
  • Right of Access
  • Right of Data Portability
  • Right to Restriction
  • Right to be Notified
  • Right to Data Minimisation

It is of utmost importance to realise that the GDPR puts arduous accountability requirements both on the controller and on the processor in order to not only be compliant with the GDPR, but also to demonstrate such compliance. There are requirements that need to be explicitly demonstrated whilst others are only implied such as the implementation of a data protection programme so that data protection receives the right amount of attention within an organisation.

Through the GDPR, one shall notice a variation when it comes to the data subject’s consent. Indeed, consent requirements are stricter under the GDPR. The latter states that consent needs to be given either by a statement or by a clear affirmative action which would confirm the consent thereby given. This is further confirmed when the Regulation clearly states that silence or pre ticked boxes shall not constitute consent. Thus the inactivity of a data subject shall mean that no consent has been given for the process of data.

Consent is one of the legal grounds that can be relied on for the processing of data. If an organisation decides to use the said ground to process data, then an organisation is obliged to demonstrate that the consent obtained is unambiguous, freely given, specific as well as informed.

Principles of Data Protection

Article 5 of the Regulation expounds in great detail what the data protection principles are. These principals can be summarised as follows:

  • Lawfulness
  • Accountability
  • Storage Limitation
  • Accuracy
  • Fairness
  • Transparency
  • Purpose Limitation
  • Data Minimisation
  • Integrity / Confidentiality

These Data Quality Principles must ALWAYS be adhered to in all cases. However, before one ascertains that all the principles are being complied with, one needs to determine whether the processing of personal data is lawful or not.

Lawful Grounds to Process Data

The GDPR puts a requirement on the processor whereby it is required to identify lawful grounds for the processing of data. The grounds for processing can be divided into six pillars which are:

  • Consent of the data subject.
  • The performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • The compliance with a legal obligation of the controller.
  • In order to protect the vital interests of the data subject or of another natural person.
    For the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • For the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data – particularly children.

How can CSB Group help?

The GDPR puts a requirement on the processor whereby it is required to identify lawful grounds for the processing of data. The grounds for processing can be divided into six pillars which are:

  • Closer glance at the regulatory changes.
  • Expert legal advisory service.
  • Comprehensive understanding on how GDPR shall affect your business operations.
  • Understanding the gaps in compliance and address them accordingly.
  • Recommendations shall be given on what needs to be amended in a business practices and what needs to be implemented to become compliant with the regulation.

Key Contacts

Franklin Cachia

Director - Tax & Regulated Industries



Need our assistance with risk and compliance services?

CSB Group is backed by over 30 years of experience in the business and commercial sphere. We hold the expertise needed to help you with all your risk and compliance obligations.

Smarter business
starts here.

T: +356 2557 2557

F: +356 2557 2558

E: [email protected]