eolas provides an overview of the General Data Protection Regulation (GDPR), which will come into force for all EU member states from May 2018.
Described as “the most important change in data privacy regulation in 20 years”, GDPR will replace the Data Protection Directive 95/46/EC for all member states on 25 May 2018, with the aim of harmonising data privacy laws across Europe, protecting and enhancing all EU citizens’ data privacy and reshaping the way organisations approach data privacy.
Although the fundamentals of the original regulation will remain in place, there are some key changes adapting to a world that is increasingly data-driven.
These include the extension of GDPR’s jurisdiction. Whereas previously the territorial applicability of the directive was ambiguous, the regulation now applies to all companies processing the personal data of EU data subjects, regardless of the company’s location. “GDPR makes its applicability very clear – it will apply to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.” The regulation will also apply to non-EU data processors handling the data of EU citizens, specifically in relation to offering goods or services and the monitoring of behaviour that takes place within the EU.
GDPR also brings with it the weight of heavy non-compliance fines. Organisations responsible for serious breaches could be liable for a maximum fine of up to €20 million. There is a tiered approach to less serious offences; one example given by the EU Commission is a fine of 2 per cent of a company’s annual turnover for not having records in order, or for failing to notify both the supervisory authority and the data subject of a breach.
In offering greater protection to the citizen, GDPR aims to strengthen consent. Unlike at present, where companies have been able to use legalese to discourage detailed scrutiny by a data subject, the new regulation states that: “Consent must be clear and distinguishable from other matters and provided in an intelligible and easily accessible form, using clear and plain language.” Importantly, the stronger consent guidelines mean that it must now be as easy to withdraw consent as it is to give it.
The rights of the data subject have been greatly enhanced. Breach notification will now become mandatory in all member states and must be done within 72 hours of becoming aware of a breach, where the breach is likely to “result in a risk for the rights and freedoms of individuals”. Data processors will also have to notify the controllers without undue delay.
Citizens will have greater access to the data being held on them, being able to freely request from data controllers whether their information is being processed, where and for what purpose. Personal data can be obtained in electronic format.
Leading on from the greater transparency and empowerment of data subjects is the right to be forgotten. Under the new regulation, data subjects can request that the data controller erase their personal data, cease dissemination of the data and potentially have third parties halt the processing of the data. However, a request to erase data will be weighed against the public interest in the availability of that data.
Privacy by design, although already common practice, will become a legal requirement under GDPR, ensuring that data protection becomes core to system design rather than an addition to it. It will also enforce data minimisation, ensuring that controllers hold and process only the data necessary for their duties, and limiting access to those who need it to carry out the processing.
GDPR removes the need for controllers to notify local Data Protection Agencies of their processing activity; instead, internal record-keeping requirements have been increased. The appointment of a Data Protection Officer (DPO) will now be mandatory for those controllers and processors “whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences”.
More information on the role and need of a DPO can be found on page 124 of this report.