Are you prepared for GDPR?
After over four years of discussion, the new EU data protection framework has finally been adopted. It takes the form of a Regulation – the General Data Protection Regulation (GDPR). The GDPR will replace the current Directive and will be directly applicable in all Member States without the need for implementing national legislation. It will not apply until 25 May 2018. However, as it contains some onerous obligations, many of which will take time to prepare for, it will have an immediate impact.
The following are the key changes for Data Controllers and Processors contained within the GDPR (in no order of priority):
- Accountability – While the Data Controller is still primarily responsible for compliance, the Data Processor can be held equally liable in some circumstances. The Regulation also recognises the possibility of two or more Controllers sharing liability where they share the processing of the data;
- Privacy by Design – Data Controllers are required to consider the privacy implications of any substantial change to data processing, and to build privacy-friendly structures into their solutions;
- Privacy Impact Assessments – the Regulation introduces an obligation to conduct risk-based assessments of projects (called Data Protection Impact Assessments, or DPIAs, in the Regulation) wherever processing is likely to result in a high risk to individuals, so that any processing of personal data anticipates and mitigates those risks;
- Increased Fines – Controllers and Processors found to be in breach of the legislation face administrative fines of up to €20m or 4% of worldwide annual turnover, whichever is higher; the detailed criteria for setting penalties still need to be fully defined;
- Data Protection Officers – organisations which meet defined criteria will be obliged to appoint a DPO as the ‘go-to’ person within the organisation with responsibility for DP compliance. The criteria include public authorities, organisations whose core activities involve processing Sensitive Personal Data on a large scale, and organisations whose core activities involve regular and systematic monitoring of individuals on a large scale;
- Data Portability – Data Subjects are entitled to receive the data they have provided in a structured, commonly used, machine-readable format and to move it freely and efficiently from one organisation to another, e.g. when changing service providers;
- Age of Consent – Controllers offering online services directly to children must be able to demonstrate that they hold parental consent before processing the data of a child under the age of 16. Individual EU Member States may set a lower age, but not below 13.
- Nominated Representative – organisations based outside the EU which fall under the Regulation must designate a representative established in one of the Member States where the individuals whose data they process are located, unless their processing is only occasional, unlikely to result in a risk, and does not involve large-scale processing of Sensitive Personal Data.
- Territory – The Regulation will apply to any organisation based outside the EU which offers goods or services to individuals in the EU, or monitors their behaviour there, regardless of those individuals’ citizenship – a major change and one which is of particular interest to international organisations doing business in the EU.
- “One-Stop Shop” – Since there will be one Regulation in effect across the 28 Member States of the EU, the supervisory authority (DP Commissioner) of the State where the Data Controller has their main establishment will act as lead authority for that Controller’s cross-border processing and determine their compliance with the Regulation;
- The Right to be Forgotten – Unless Data Controllers have a lawful justification for keeping their data, the Data Subject is entitled to demand that their data be removed and no longer processed;
- Data Breach Notification – Data Controllers must document every personal data breach, and must notify the Supervisory Authority within 72 hours of becoming aware of a breach unless the breach is unlikely to result in a risk to individuals; a notification made after 72 hours must explain the delay. When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the Controller must also notify those individuals of the breach “without undue delay”. Processors, for their part, must report any breach to their Controller without undue delay.
- Privacy as a Vendor Selection Criterion – the Controller should use only Processors who can provide sufficient guarantees in terms of their expert knowledge, reliability and sufficient resources to guarantee the security of processing;
- Clear and Affirmed Consent – the data subject must give clear, affirmative consent to the processing of their personal data, giving individuals more control over the processing of their own data, especially for direct marketing purposes. Silence, pre-ticked boxes or inactivity will not constitute consent, and consent bundled into general terms and conditions will not be valid. Finally, the data subject will have the right to withdraw his/her consent at any time, and withdrawing must be as easy as giving it.
- Secondary Purposes for processing – organisations will not be allowed to collect data for one stated purpose and then use it for an incompatible purpose without a lawful basis for the new processing and without first informing the Data Subjects.
- Plain Language – Information about intended processing should be given in clear and plain language before the data is collected. Lengthy, overly technical and inaccessible “small print” privacy policies which confuse Data Subjects will not be permitted.
- Registration – There is no longer a general requirement to register processing with the Supervisory Authority in the jurisdiction in which the Data Controller is established – this is replaced by the obligation to keep and maintain internal records of processing activities, DPIAs, data breach incidents and any other aspect of data management that demonstrates compliance.
Art. 24 Responsibility of the controller
Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.