The General Data Protection Regulation (GDPR) entered into force on the 27th of April 2016 (article 99 of the GDPR). However, it will not be applicable until the 25th of May 2018. As a European regulation the GDPR will be directly applicable in all EU Member States (no transposition to national law needed).
“Article 3: Territorial scope
1. This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law”.
In this article we will analyze the GDPR's most important innovations with respect to the previous directive (Data Protection Directive 95/46/EC). Companies should bear in mind that some of these innovations will require significant updates to their data protection policies.
INNOVATIONS OF THE GDPR:
Information provided by the controller:
When personal data is collected, companies, acting as controller, must provide certain information to the data subject from whom the data is obtained.
The GDPR provides that the controller must deliver information about:
- Identity and contact details of the controller
- Identity and contact details of the data protection officer (DPO), where applicable
- Purposes of processing and its legal basis
- Whether there is any intention to transfer the personal data to a third country (and the existence or absence of a decision of the Commission on the respective country, e.g. Privacy Shield (USA))
- For how long the personal data will be stored and the applicable criteria to determine such period
- Subject’s rights: access, rectification, erasure, restriction, objection and portability.
- Right to withdraw consent
- Right to file a complaint before the authority
- Whether providing the personal data is necessary to enter into a contract
- Existence of automated decision-making
All this information must be duly provided to the data subject at the moment the personal data is collected, whatever the channel: website, contract, forms, etc.
Responsibilities of the controller
“Article 24 Responsibility of the controller:
1. Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.
2. Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller”.
The GDPR makes the controller responsible for deciding which measures are adequate to protect the security of the personal data. Instead of prescribing a fixed set of general measures, the GDPR requires companies to evaluate the risks they are exposed to and, taking into account the kind of personal data under their control, decide which technical and organisational measures must be taken. In addition, companies must ensure, and be able to demonstrate, that all processing of personal data is performed properly, by continually checking the functioning and effectiveness of their data protection policies.
Another essential concept brought by the new GDPR is the requirement of data protection by design and by default.
In the first place, data protection by design compels companies that collect and process personal data “to implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects”.
With data protection by default, companies “shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons”.
Ultimately, the new GDPR extends companies' engagement with the protection of the personal data under their responsibility to every stage of the processing, on a continuous basis.
Notifications of personal data breaches
In the second case, communication to the data subjects must be carried out when a breach involves risks to the rights or freedoms of natural persons (e.g. the right to private life, the right to one's own image, etc.). Companies must inform them without delay, in clear and plain language, describing the consequences of the breach, the measures taken, and the contact details of the person in charge of data protection for further information.
However, data subjects will not need to be contacted if:
- Measures were taken before the breach to ensure that the compromised data would remain unintelligible to anyone not authorised to access it,
- The controller has taken measures to ensure that the rights and freedoms of the data subjects are no longer at risk,
- Notifying every data subject individually would involve a disproportionate effort. In this case a public communication must be made, ensuring that it reaches all affected subjects equally effectively.
These obligations will have a great impact on companies' data protection culture. The fact that breaches will be made public could affect the credibility, and therefore the results, of the affected companies.
Data Protection Officer
Designation of a Data Protection Officer (DPO) will be mandatory for a data controller whose core activities consist of processing operations which, by virtue of their purposes, require regular and systematic monitoring of data subjects on a large scale.
However, the GDPR mentions that any processor or controller may (and in my opinion this is a recommendation) designate a DPO.
A DPO must be designated on the basis of their professional qualities, especially their expertise in data protection law and their ability to carry out the following tasks:
“Article 39: Tasks of the data protection officer
a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
c) to provide advice where requested as regards the data protection impact assessment and monitor its performance;
d) to cooperate with the supervisory authority;
e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation and to consult, where appropriate, with regard to any other matter”.
In order to ensure that the DPO can fulfil their mission, companies must ensure that the DPO is properly and accurately involved in all matters related to data protection. Companies must support their DPO and provide all the resources necessary to carry out the above-mentioned tasks and, in any case, provide instructions on how to proceed.
The new GDPR also updates the penalties for infringement of its provisions. Infringements of the basic principles of processing, including the conditions for consent; of data subjects' rights; of the rules on transfer of personal data; of the obligations for specific processing situations (Chapter IX of the GDPR); or non-compliance with an order from the supervisory authority will be:
“subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher”.