The General Data Protection Regulation
Long-awaited European data protection law finalised
What is the regulation all about?
Since the mid-1990s, legislation protecting the information privacy of individuals in the European Union (EU) has been based primarily on the Data Protection Directive 95/46/EC. This is the legislative act that set out the minimum standards for data protection across Europe. Each EU member state has transposed the Directive into its own local data protection law; the Personal Data Act (Henkilötietolaki 523/1999) in Finland is an example of such a law.
Because the Directive has remained essentially unchanged since 1995, and the local legislation based on it has seen only minor updates, the European Commission and the European Parliament deemed it no longer adequate for modern privacy needs and concerns. Preparations therefore began a few years ago for a replacement: a European data protection act that is up to date and protects individuals' privacy in the digital world we live in today.
That act has now been finalised. It is called the General Data Protection Regulation, or GDPR for short, and it will replace local data protection laws such as the one mentioned above. The regulation will apply in each member state from May 25th, 2018. The clock is ticking.
The EU institutions have made good on their promise to remove red tape for businesses while also tightening privacy protections for individuals. Privacy rules will change, and organisations that deal with personal data will need to adapt.
Significant changes in privacy rules
On this page we describe a number of changes associated with the GDPR, in no particular order. The regulation is over 200 pages in length, so what follows is a very brief summary and not an exhaustive list. Please refer to the official text as the authoritative source.
Accountability and data governance
Data protection legislation in the EU has always been based on a number of principles that must be adhered to; lawfulness, fairness, purpose limitation and transparency are well-known examples. The GDPR adds a new principle: accountability. Organisations are not only responsible for adhering to all the principles, they must also be able to demonstrate compliance. Most organisations will have to implement a wide range of new governance and risk mitigation measures to do so.
The legislators have made good on their promise to remove red tape: the obligation to notify local authorities of personal data being processed is gone. That obligation has long been seen as a difficult and rather bureaucratic rule, placing a large burden especially on global organisations. However, each organisation must now maintain a record of processing activities under its responsibility: in other words, an inventory of all personal data being processed. The minimum content of this record is prescribed, and it goes beyond knowing what data the organisation processes. It also includes, for example, the purposes of the processing, whether personal data is transferred outside the EU, and the categories of recipients to whom the data is disclosed.
Data protection by design and by default
Data protection by design and by default are both included in the GDPR. This means two things. First, when designing a new system, process or service that processes personal data, it is mandatory to take data protection considerations into account from the early stages of the design process onwards; moreover, organisations must be able to prove that they have done so. Second, when the system, process or service lets the individual choose how much personal data to share, the default setting must be the most privacy-friendly one: by default, only the personal data necessary for the specific purpose is processed, and nothing more. The notion of data protection by default is complemented by the data minimisation principle.
Privacy impact assessments
The GDPR introduces Data Protection Impact Assessments (DPIAs) as a means to identify risks to the privacy rights of individuals; they are required where the processing is likely to result in a high risk to those rights. When such risks are identified, the GDPR expects the organisation to formulate measures to address them. The assessment must take place before the processing of the personal data starts. DPIAs resemble the Privacy Impact Assessments (PIAs) that many organisations already carry out regularly. However, the content of a PIA was never strictly defined, so the new requirement may help to produce more uniform assessments. More guidance on the proper execution of a DPIA is to be expected.
Data portability
The GDPR strengthens individuals' control over their own data. One of the most significant examples is the right to data portability. Under certain circumstances, an individual has the right to take his or her personal data from one organisation to another, hence the word 'portability'. The personal data must be provided to the individual in a structured, 'commonly used' and machine-readable format, and where technically feasible, organisations must also support direct electronic transmission from one controller to another.
Right to erasure
Another individual right that has received a lot of attention in recent years is 'the right to be forgotten'. The data subject's right to erasure of his or her personal data already existed under the Data Protection Directive, but is elevated in the GDPR. Under the new regulation, an organisation that processes personal data must erase it when one of six listed conditions is met (for instance, the data is no longer necessary for the purpose for which it was collected, or consent is withdrawn), subject to a set of exceptions such as compliance with a legal obligation. This particular obligation received a lot of attention due to the Google Spain case decided by the Court of Justice of the EU in 2014.
Data breach notification
Every organisation should ensure that the personal data in its custody is properly safeguarded against unauthorised disclosure, loss, destruction or alteration. In other words, securing personal data matters. It matters so much that the GDPR includes a general personal data breach notification regime that applies to all data controllers and data processors. Controllers must report a personal data breach to the supervisory authority without undue delay, and where feasible no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach is likely to result in a high risk for individuals, the affected individuals must be informed of the breach as well. Data processors must report data breaches to the data controller without undue delay.
The need to implement proper security safeguards to ensure the confidentiality, integrity and availability of personal data has always been part of privacy legislation. What is new is that the GDPR explicitly champions pseudonymisation and encryption of personal data; these measures are considered valuable enough to be named in the regulation itself. Note that pseudonymised data still counts as personal data, since it can be attributed to an individual with the additional information that is kept separately, so it remains within the scope of the regulation. Furthermore, the GDPR stresses that security measures must be based on a risk assessment, and not an assessment of the risks the organisation faces, but of the risks to the rights and freedoms of individuals.
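The paragraph above names pseudonymisation as a recommended safeguard but does not show what distinguishes a sound pseudonym from a weak one. The following Python example is added here as an illustration and is not part of the original article or any official GDPR guidance. It pseudonymises a constructed set of customer records (fictitious e-mail addresses) in two ways: an unkeyed SHA-256 hash, and an HMAC-SHA256 under a secret key that is held separately from the dataset, which is the "additional information" the GDPR definition of pseudonymisation refers to. It then shows the practical difference: the unkeyed hash can be reversed by anyone who can guess the input space, while the keyed pseudonym can only be resolved by the party holding the key. The record layout, field names and candidate list are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records for the example; these are not real people.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"email": "Alice@example.com", "country": "FI", "purchases": 3},
    {"email": "bob@example.com", "country": "SE", "purchases": 1},
    {"email": "alice@example.com", "country": "FI", "purchases": 2},
]


def _normalise(identifier: str) -> bytes:
    # Case and whitespace differences must not break linkability of the same person.
    return identifier.strip().lower().encode("utf-8")


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256. Looks like a pseudonym, but anyone who can enumerate
    plausible inputs (e-mail addresses, national ID numbers) can recompute it."""
    return hashlib.sha256(_normalise(identifier)).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The key is the separately held
    'additional information'; without it the pseudonym cannot be resolved."""
    return hmac.new(key, _normalise(identifier), hashlib.sha256).hexdigest()


def pseudonymise(records: Iterable[Dict[str, object]], key: bytes) -> List[Dict[str, object]]:
    """Replace the direct identifier with a keyed pseudonym and keep the other fields,
    so analyses that only need to link rows of the same person still work."""
    return [
        {"subject": keyed_pseudonym(str(r["email"]), key),
         "country": r["country"],
         "purchases": r["purchases"]}
        for r in records
    ]


def dictionary_reverse(pseudonym: str, candidates: Iterable[str]) -> Optional[str]:
    """Attacker's move: holding the dataset but not the key, hash every candidate
    identifier with the unkeyed scheme and compare. Succeeds against naive_pseudonym."""
    for candidate in candidates:
        if naive_pseudonym(candidate) == pseudonym:
            return candidate
    return None


def reidentify(pseudonym: str, candidates: Iterable[str], key: bytes) -> Optional[str]:
    """Controller's move: with the key, a pseudonym can legitimately be resolved,
    e.g. to answer an erasure request for one data subject."""
    for candidate in candidates:
        if hmac.compare_digest(keyed_pseudonym(candidate, key), pseudonym):
            return candidate
    return None


def demo() -> Dict[str, object]:
    key = secrets.token_bytes(32)          # stored in a separate, access-controlled place
    pseudo = pseudonymise(SAMPLE_RECORDS, key)
    guesses = ["alice@example.com", "bob@example.com", "carol@example.com"]
    return {
        # Both Alice rows map to the same pseudonym: linkability is preserved.
        "linkable": pseudo[0]["subject"] == pseudo[2]["subject"],
        # Unkeyed hash of a guessable identifier is recovered immediately.
        "naive_reversed": dictionary_reverse(naive_pseudonym("alice@example.com"), guesses),
        # The same guessing attack fails against the keyed pseudonym.
        "keyed_reversed_without_key": dictionary_reverse(pseudo[0]["subject"], guesses),
        # The key holder can still resolve it.
        "keyed_reversed_with_key": reidentify(pseudo[0]["subject"], guesses, key),
    }


if __name__ == "__main__":
    print(demo())
```

Two points follow from the example. First, whoever holds the key can undo the pseudonymisation, so the key needs the same protection and access control as the identifiers it replaces, and a different key per purpose or per recipient prevents datasets from being linked to each other. Second, because the controller can re-identify, the pseudonymised records are still personal data and the other GDPR obligations (purpose limitation, erasure, breach notification) continue to apply to them.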
Expanded territorial scope
The GDPR extends the territorial scope of European privacy law. The regulation applies to organisations that are not established in the EU but that offer goods or services to, or monitor the behaviour of, individuals who are in the EU. In other words, companies that provide services to people in the EU via the Internet have to comply with the GDPR regardless of where the company itself is located. This sets an interesting precedent: the rules follow the individual and his or her data instead of being strictly territorial.
Obligations for data processors
If you are a data processor, that is, you process personal data on behalf of another organisation, the GDPR has a significant change in store for you. Today the burden of compliance with privacy legislation lies with the data controller, that is, your client. The GDPR, however, imposes a number of obligations directly on data processors. You will have responsibilities directly under the law and will be accountable for them. These include keeping records of all processing activities performed on behalf of clients, and appointing a Data Protection Officer in the same circumstances in which a controller must appoint one (for example, where the core activities involve large-scale, regular and systematic monitoring of individuals). Moreover, a supervisory authority can approach processors directly with requests and demands. This is expected to shift the balance of power between controllers and processors.
Fines
One of the most controversial aspects of the GDPR is its explicit treatment of fines. Whereas the Data Protection Directive merely stated in one line that sanctions were to be defined by the member states, the GDPR specifies exactly which administrative fines can be imposed for non-compliance. The maximum fine depends on the category of the violation: for less serious violations it is € 10 million or 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher; for more serious violations this rises to € 20 million or 4%.
One stop shop
As partial relief for organisations that operate across the EU, a kind of 'one stop shop' for supervisory authorities is introduced for cross-border processing. The GDPR sets up a co-operation mechanism between the data protection authorities. The 'Lead Supervisory Authority' is the one in the country where the data controller or processor has its main establishment. The Lead Supervisory Authority is the primary authority an organisation needs to deal with, but under certain circumstances the local authorities of other member states can step in as well. They are required to co-operate, and it will be interesting to see how this co-operation works in practice.
Certification
The legislators have acknowledged that for many organisations the ability to demonstrate GDPR compliance will be an advantage. For that purpose, a data protection certification mechanism is introduced. The GDPR even mentions the possibility of a common European Data Protection Seal. The certification mechanism is expected to develop over the coming years.
A Regulation, not a Directive
It is important to note that the GDPR is a Regulation, not a Directive. The Data Protection Directive had to be transposed into local laws; the GDPR, on the other hand, is directly applicable in each member state. This will be a relief to many organisations that operate in multiple EU countries, since being forced to track and comply with slightly different rules can be a legal and operational nightmare. However, the legislators have left member states room to add or adapt provisions in certain areas to fit their local data protection needs, and it is expected that many governments will make use of this in line with local cultural habits and views.
The next step for any organisation is to assess how the GDPR may impact them. The effect and the required effort will differ per organisation. Do not hesitate to contact us should you need support with this endeavour. We are more than happy to provide you with tailored insights and recommendations.