General Data Protection Regulation, what will change after 25 May 2018?
The European Union will be adopting an onerous and strict common regulation concerning data protection and the ability of organisations to collect and process data for the purposes of their business.
The General Data Protection Regulation (GDPR) was published in April 2016 and will apply from 25 May 2018. This new regulation will substantially change the legal landscape in the data protection area.
In opting for a regulation instead of a directive, the EU wanted to provide a common and binding body of rules for each EU member state.
No further national legislation is needed to make this regulation law in their national systems.
Even where member states are authorised to adopt additional data protection rules, the GDPR will remain the common core.
Consequently, in Luxembourg the national law of 2 August 2002 concerning personal data will be repealed after 25 May 2018.
Scope of the regulation and extra-territoriality
The GDPR concerns almost everyone; only private individuals are exempt.
Public authorities, associations, large companies and SMEs are impacted by the new rules.
The GDPR is applicable when the processing of personal data is done by controllers or processors in the EU, but is also equally applicable to parties processing EU residents’ data outside the EU.
Data processors and controllers situated outside the EU processing EU residents’ data should pay particular attention to Article 3.2 of the Regulation and assess the requirements stipulated by Article 27 of the Regulation to appoint a Data Protection Officer (DPO) and Data Protection Representative (DPR) within the European Union.
Innovations and rules
- Lawfulness, fairness and transparency
The persons concerned are entitled to receive complete information about the processing of their data.
Data collection and processing have to be lawful, which means:
- the controller or processor received clear and intelligible consent (the conditions for consent have been strengthened by the GDPR);
- the processing is necessary for the performance of a contract between the data subject and the controller; and
- processing is necessary:
  - for compliance with a legal obligation;
  - in order to protect the vital interests of the data subject;
  - for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
  - for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
- Purpose limitation
The data must be collected for a limited, determined purpose and kept for no longer than is absolutely necessary.
- Data minimisation
Only strictly necessary information may be collected and processed for a lawful purpose.
Data must be accurate and kept up to date.
- Integrity and confidentiality
Data must be treated in an appropriate manner to ensure confidentiality and security.
The data controller must follow these principles when establishing internal procedures.
Rights given to data subject
The most important right is for the subject to be comprehensively informed. Data subjects also have the right to object to the processing of their data.
In addition, the subject may request that data be erased.
Duties and obligations imposed on the data controller and processor
The data controller determines the purposes and manner in which personal data is to be processed and must be able to demonstrate to the supervisory authority that all the rules are respected.
Controllers must keep a register of the procedures, contracts, information given to concerned people, and maintain the highest levels of confidentiality to safeguard individual privacy.
Any DPO must be suitably qualified and independent in order to oversee the necessary confidentiality measures for all bodies that collect or process EU residents’ personal data.
DPOs are responsible for educating the company and its employees on important compliance requirements, training staff and conducting security audits.
Before collecting any data, the controller shall determine:
- the reason for such an operation;
- which personal data are collected;
- how long the data is kept;
- where it is stored; and
- how the controls work.
The data subject must receive all information on those issues.
Non-compliance and penalties
In case of non-compliance with these obligations, companies expose themselves to fines up to the higher of 4% of annual worldwide turnover or EUR 20 million.
Therefore, data protection regulators will have the power to impose high fines on entities which do not comply with the new regulation.
Note that regulators may “carry out investigations in the form of data protection audits”, and “obtain access to any premises of the controller and the processor, including to any data processing equipment and means” in line with relevant procedural law.
In practice, companies must:
- put in place internal processes regarding data protection;
- determine their needs, list the required data, and document why the data is collected, where it is stored and who is authorised to access it;
- ensure that all the aspects of data protection are included in their internal policy;
- establish data breach procedures;
- draft new documentation in order to comply with the regulation;
- check the outstanding contracts and, if necessary, submit changes to their partners;
- prepare a register concerning data protection, including all the documentation, given consents, breaches and contracts;
- appoint a DPO and/or DPR if necessary;
- create internal compliance audits to ensure their entity complies with the new rules;
- encourage and train personnel to comply with the above-mentioned rules; and
- broadly take the view that GDPR carries high litigation risk.