The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is an EU regulation which focuses on the protection of individuals with respect to the processing of their personal data, ensuring that personal data enjoys a high level of protection throughout the EU. The enforceability of the GDPR from May 2018 will impact a number of businesses and organisations, which will face a new challenge and should achieve GDPR compliance to meet the new obligations imposed. It is of utmost importance that businesses are adequately prepared for the upcoming changes in order to avoid hefty penalties.
Applicability of the GDPR
The GDPR applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
‘Personal Data’ under the GDPR has an extensive definition and means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Principles of Data Protection
Article 5 of the GDPR sets out the principles of processing of personal data and stipulates that data must be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Some of the significant changes which the GDPR will bring are the following:
Changes to the Consent Model
Under the GDPR, the conditions for consent have become more stringent. Consent may not be inferred; rather, businesses should request consent in an easily accessible form, and the reason why the data will be processed should be clear to the individual. Moreover, individuals shall have the right to withdraw consent whenever they want, in an easy and simple manner.
All businesses processing the personal data of data subjects will now be obliged to follow the same stringent rules. Indeed, the GDPR applies to all companies processing personal data of individuals residing in the Union, regardless of the company’s location. Where personal data of data subjects in the EU is processed by a controller or processor not established in the EU, and the activities relate to offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour taking place within the EU, the GDPR is also applicable. Businesses not established in the EU which process the data of EU citizens will also have to appoint a representative in the EU.
Organisations will be fined up to €20 million, or 4 per cent of their global turnover (whichever is greater), for serious violations such as failing to obtain consent to process data or a breach of privacy by design. For lesser violations, such as records not being in order or failure to notify the supervisory authorities, fines of 2 per cent of global turnover will be incurred.
Privacy by Design
This right already exists, but the regulation provides the necessary recognition and enforceability to the requirement that businesses must design policies, procedures and systems compliant with the GDPR provisions from the start of any process or product development.
Where a personal data breach takes place, the data controller and data processor are obliged to notify the regulator without undue delay, which the GDPR defines as no later than 72 hours from the moment the data controller or data processor became aware of the breach.
Data Subject Rights
Under the GDPR, an individual has the following rights:
- Right to be Informed: Individuals have the right to be given information on how and why their data is being processed.
- Right to Access: Data subjects have the right to know whether their personal data is being processed, where, and for what purpose. Furthermore, data subjects may request that the controller provide a copy of their personal data, which the data controller is obliged to provide free of charge in an electronic format.
- Right to Rectification: Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
- Right to Erasure / Right to be Forgotten: The data subject may request that the data controller erase their personal data, cease further dissemination of the data, and inform third parties to stop processing the data.
- Right to Restrict Processing: Restriction applies when an individual disputes the accuracy of the data; when an individual objects to processing (based on legitimate interests); when the processing is unlawful and the individual requests restriction; and when the controller has no further need for the data but the individual requires it to establish, exercise or defend legal claims. If personal data is ‘restricted’, the controller may only store the data and may not process it further except in the specific circumstances established in the GDPR.
- Right to Portability: The GDPR introduces the right for a data subject to receive the personal data concerning them which they have previously provided, in a commonly used and machine-readable format, and to transmit that data to another controller.
- Right to Object: Under the GDPR, individuals have the right to object in specific cases. Once an objection is made, the data must not be processed. A right to object exists where the processing is for direct marketing purposes, and where the processing is for scientific or historical research or statistical purposes, unless the processing is necessary for the performance of a task carried out for reasons of public interest. The right to object also applies where an individual objects to the processing of their data on grounds relating to their particular situation.
- Rights in Relation to Automated Decision Making and Profiling: The GDPR gives individuals rights relating to automated decision making based on automated processing, including profiling, that is, a decision taken without human intervention. In such cases, an individual can give written notice so that decisions using their personal data are not taken in an automated way, and can ask for a decision taken by automated means to be reconsidered. Individuals should be informed when such a decision has been taken.
Data Protection Officer (DPO)
The Regulation also envisages that a Data Protection Officer must be appointed in certain cases, such as when the core activities of data controllers and processors consist of processing operations which require regular and systematic monitoring of data subjects on a large scale, or of special categories of data or data relating to criminal convictions and offences.
The GDPR sets out that a DPO:
- Should be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices;
- Can be a staff member or an external service provider and must be provided with adequate resources to carry out their tasks;
- Must have contact details provided to the Data Protection Authority;
- Must report directly to the highest level of management; and
- Must not carry out other tasks which could result in a conflict of interest.
Should you, or your business, be interested in the data protection regime and the implications of the GDPR, please contact Dr Alexia Magro or Dr Dirk Urpani from the legal team within our International Client Services arm.