A. Introduction
Globalization has rapidly and radically increased the ease in which data may be collected, stored and transmitted. The current Directive (95/46/EC) is out dated and does not correspond to today's needs. Various reasons has led to the increased need for a united legal framework in relation to the protection of personal data, including the rapid technological developments, the excessive use of the internet, the use of internet banking, social media and more importantly the ease in which personal data are now made publicly available.
The new regulation on general data protection, 2016/679 (the "GDPR") has been adopted by the European Parliament in April 2016 and will come in full force and directly applicable to all Member States on the 25th of May 2018. GDPR will abolish any other legislation and aims to set a unified legal framework in order to ensure adequate protection of physical persons in relation to the processing of their personal data, in conjunction with the rapid technological developments.
GDPR covers data processed both by automated means and data collected and stored as part of non-automated filing systems/ manual systems.
B. Scope of GDPR
GDPR applies when:
- the controller or the processor is established in the European Union (the "EU"), regardless of whether the processing takes place in the EU or not;
- the data subjects are in the EU, the controller or processor is not established in the EU and the processing activities relate to offering goods or services or the monitoring of the data subject's behavior which takes place within the EU; and
- the controller is not established in the EU but in a place where Member State law applies by virtue of public international law.
This is arguably a great change, as GDPR now applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company's location.
C. Key Changes
GDPR creates a uniform legal basis by promoting the same duties and liabilities in all EU member states. GDPR enhances the existing rights of data subjects/individuals, but also introduces new ones, such as:
- The right to be provided with information;
- The right of access;
- The right of rectifications;
- The right to be forgotten;
- The right to object;
- The right to data portability;
- The right to object to automated decision-making, including profiling;
- The strict requirement of the existence of a valid consent by the data subject/ individual.
Consent is considered valid only if it is freely given, informed, specific, unambiguous and clear either in writing or oral with regards to the processing of personal data related to the data subject/individual.
D. Applicability / Next steps
GDPR is applicable to government organizations, public and private companies which collect, process and transmit personal data related to their clients, employees, associates etc. Organizations and companies, while ensuring compliance with the basic principles of GDPR, must also:
- Assess their current data systems, policies and procedures;
- Identify risks involved with such current policies and procedures;
- Ensure that personal data are collected for a specific reason;
- Ensure that such personal data are processed only for the reason they were collected;
- Ensure that reporting of any breach of GDPR is communicated to the Commissioner for Data Protection;
- Store such personal data only for the minimum period required, always having received the consent of the data subject/individual;
- Adopt internal policies and implement measures such as minimizing the processing of personal data, pseudonymising personal data, enabling the data subject/individual to monitor the data processing etc.
E. Data Protection Officer
An organization, public or private companies are obliged to appoint a Data Protection Officer shall be appointed where such organization/company (the controller and the processor) fall within one of the three following provisions of GDPR:
- it is a public authority or body, except for courts acting in their judicial capacity;
- their core activities require regular and systematic monitoring of data subjects on a large scale; or
- their core activities consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
The Data Protection Officer assumes the tasks of advising, monitoring internal compliance and cooperating with the supervisory authority and is bound by secrecy and confidentiality.
F. Fines
It is important to stress that GDPR provides for severe administrative fines in the event of non-compliance with its strict provisions. Breaches of some provisions by businesses, could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater. For other breaches, the authorities could impose fines on companies of up to €10 million or 2% of global annual turnover, whichever is greater. The organizations, public/private companies must make substantial efforts to comply with the provisions of GDPR as the severe fines imposed for non-compliance are comply are warning.
G. Conclusion
The GDPR aims to increase the level of control over the information related to data subjects and protect them from privacy and data breaches. It also aims to ensure that data controllers and processors are safe custodians of data through promoting behaviour change. All companies and organizations must now examine the way they collect, store and process personal data and put in place procedures, policies and practices in order to ensure compliance with the scope of GDPR and avoid the severe consequences and fines provided for by GDPR.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.