Introduction to the new EU General Data Protection Regulation (GDPR)
Challenges and Opportunities
The new EU General Data Protection Regulation (GDPR) has been finally completed and it promises data protection rules that will remove red tape for businesses but also tighten privacy protections for users. One of the greatest challenge is that all EU member states and businesses will need to be in line with this regulation by 2018. Some questions to be answered though are what the significant changes are, what the challenges and opportunities are and how these will affect both individuals and more specifically our business world. In this article only few of the significant changes in the privacy rules are being discussed. However, the GDPR will undeniably affect the way that individuals and more specifically organisations treat, manage and maintain user (both employees’ and clients’) data.
Data breach notification
The security of the personal data is important and every organisation that processes such data needs to make sure that has established the appropriate safeguards against data loss, unauthorised access, theft, etc. Consequently, the GDPR includes a personal data breach notification rule. That is when a security breach occurs, this should be reported to the supervisory authority within 72 hours. Moreover, if this incident will lead to a high privacy risk for individuals, these individuals should also be informed of the breach.
Where the Data Protection Directive only had one requirement stating that sanctions had to be defined by the EU Member States, the GDPR details what administrative fines can be incurred for violating its articles. The fines depend on the category in which the violation befalls: For less serious violations, the maximum is €10 million or 2% of total annual worldwide turnover of the preceding year (whichever is higher); for more serious violations this goes up to € 20 million or 4%!
The GDPR strengthens the right that individuals have to control their own data. The right of portability states that an individual has the right to transport his personal data from one organisation to the next, even a competitor. Therefore organisations must provide that personal data to the individual in a structured, common and machine-readable format. It is also specified that when technically feasible, organisations should facilitate electronic transfer of personal data from one to another, if the individual requests this. This could have great effects both in procedural aspects but also in technical aspects.
Right to be forgotten
Another data subject right is the right to be forgotten. Under the new regulation, organisations that process personal data must remove all of that data if one condition of a set of six is met. The list of conditions includes when it is clear that data have been processed unlawfully and the case when a data subject withdraws previously given consent.
Organisations must keep an inventory of all personal data processed. The minimum information of what should be in the inventory goes beyond just knowing what data the organisation processes. Details should be maintained regarding the purposes of the processing, whether or not the personal data is exported along with details of all possible third parties receiving these data.
Data protection by design and by default
Primarily, it will be compulsory when designing a new system, process, service, etc. that processes personal data, to make certain that data protection considerations are taken into account starting from the early stages of the design process. Furthermore, organisations need to be able to prove that they have done so. Second, the system, process, service, etc. to be designed, shall include choices for the individual on how much personal data he shares with others.
The Role of Data Protection Officers
Organisations will have to appoint a data protection officer if they are handling significant amounts of sensitive data or monitoring the behaviour of many users. This requirements touches organisations spanning in various industries.
It must be noted though, firms whose core business activities are not data processing will be exempt from this obligation, so as to avoid creating red tape.
Confidentiality, integrity, availability of processing systems and services has always been a part of privacy legislation. The value of Data Encryption as a security measure is specifically mentioned in the text of the GDPR. Furthermore it is stressed that security should be based on a risk assessment, however not of the risks the organisation faces, but the risks that an individual’s privacy is compromised.
Approved certification mechanism
With GDRP, data protection certification mechanisms and data protection seals and marks are introduced since at it has been acknowledged by many organisations, being able to proof adherence to GDPR may lead to a competitive advantage. The GDPR even refer also to the possibility of having a common European Data Protection Seal.
It is important to distinguish that the GDPR is a Regulation, not a Directive. Where the Directive 95/46/EC was transposed into local laws in each member state, the GDPR on the other hand will be directly valid. This will be quite convenient for many organisations that operate in multiple countries within the EU since there will be no requirement to adapt in a sense, so as to comply to the various particularities and data protection requirements / directives of each member state. However, it must be noted that legislators have provided local governments the ability to add or adept provisions to fit their local data protection and particularly the local cultural habits and views.
What are the next steps?
Organisations should promptly identify how this new legislation may have an impact on their core services and daily operations. This will have different effects to organisations depending on the industry they serve. However, it must be noted that the focus should not only be in addressing the legal aspects of privacy. The GDPR stresses that organisations should be pro-active and organised in order to deal privacy matters. Most importantly, organisations should make sure that they have the technical ability to support them for this significant assignment.