Navigating the new EU Data Protection Rules
by Tara Taubman-Bassirian
The General Data Protection Regulation, or “GDPR” – “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. – was published 4 May 2016. Enforceable after a grace period of two year, from the 28th of May 2018. What made the headlines was the maximum fines of up to 20 million € or 4% of annual global turnover.
The text is a major reform of Data Protection Directive. An evolution but not a revolution. With the aim of introducing harmonisation, Some of the major changes are :
– mandatory reporting for data breaches, to the Data Protection Authority and if risk to data subject, within 72 hours,
– heavier sanctions, with significant new fines: Maximum fines of €20 million or 4% of annual global turnover per breach (a dramatic increase from the current typical maximum of less than €1 million).
– extra-territorial jurisdiction : businesses outside the EU will be subject to the GDPR, if they are offering goods or services to, or monitoring the behaviour of, EU residents (currently they are only caught if they operate data processing equipment in the EU). See further on this below.
– the one-stop-shop,
– Organisations will have to formally appoint an independent Data Protection Officer, where, according to the Art 37 ;
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.
– revised consent, a higher standard required to be express/opt-in (a ‘clear affirmative action’) whereas, under the previous regime, implied/opt-out consent is sometimes sufficient.
– No more registration for data controllers. Instead, they are required to maintain internal records of their processing activities (for disclosure on demand to Data Protection Authorities), However, the registration and fees were maintained in the UK.
– Processor liability: data processors (i.e. businesses processing personal data solely for and on the instructions of data controllers) will have direct regulatory obligations/liability.
– data protection impact assessments featuring as key aspects. If the results of the assessment indicate a high risk, obtain a prior review by the relevant Data Protection Authority. The accountability principle gives some homework to organisations to demonstrate to lead risk assessments and keep registers.
EU countries had to consequently modify their national legislations with few options for exceptions.
The UK situation of adequacy is pendant to the Brexit.
Additional sources :Survey: “most commonly taken steps to prepare for GDPR”G
Publication in ITsecurity.co.uk : Still in Denial of the Tough New Privacy Law #GDPR? UK data protection and BREXIT.