GDPR - challenges and opportunities

Article

GDPR-related challenges and opportunities

The EU's General Data Protection Regulation

The EU's General Data Protection Regulation (GDPR) entered into force on 24 May 2016 and, after a two-year preparation period, has applied directly in every member state since 25 May 2018 without any further national implementing act. The main reasons for adopting the GDPR were to harmonise the rules of Directive 95/46/EC across the member states, to modernise them and to make the protection of personal data more effective. The GDPR also takes account of digital trends and the development of the digital single market, and aims to reduce the administrative burden on those who have to apply the rules.

Today, data is the greatest asset of a company that processes personal data. A significant part of such a company's data is personal data, over which not only the organisation handling it but also the individual concerned has rights.

Setting up appropriate data security practices and data protection procedures, and complying with the applicable rules at all times, is nevertheless the obligation of the entity processing the personal data.
Data protection requires awareness from everyone involved, and the rules must be observed wherever personal data of clients, employees or other third parties (e.g. vendors, or non-client beneficiaries of a client contract) are processed: in product development, in technology processes, in reporting and so on. Introducing rules, technical controls, logging and testing is not enough; the corporate culture itself must foster the development and use of conscious data processing practice.

In our experience, implementing the above and complying with the GDPR is only possible if the entity processing personal data has a coordinated data security and data protection strategy that allows regulatory changes to be absorbed into its activities. Meeting the GDPR requirements is not merely a question of legal compliance and cannot be limited to amending policies and statements; it requires a strategy harmonised at company level.

Below you will find a summary of some significant changes related to GDPR.

Accountability as the "super principle"

Retaining the well-known principles of data processing, the GDPR adds a new one, accountability, which is treated as a "super principle". Under it, the controller is responsible for protecting the data subjects' fundamental right to the protection of their personal data by putting in place appropriate rules, processes and mechanisms, and must be able to demonstrate this compliance to the supervisory authority at any time. The new regulation therefore requires more conscious conduct from controllers, which is a significant extra burden compared to the currently effective rules.


Records of processing activities

The GDPR no longer requires data processing to be notified to the data protection authority, but it does require controllers and processors to keep up-to-date records of their processing activities. To this end companies must know their own processing activities and, in line with the principle of accountability, be able to prove compliance with the GDPR at the authority's request. This requires a regularly updated data asset inventory and a thorough understanding of it: who processes what type of data, where and for what purpose, including the data flows between systems and the mechanisms for deleting data.


Data portability

Data portability is introduced by the GDPR as a new right, further strengthening the individual's control over their personal data. The individual is entitled to receive the personal data they have provided to a controller, where the processing is based on the individual's consent or on a contract and is carried out by automated means, and to use them or transmit them to another controller (even a competitor of the first controller) at their own discretion. This right places a burden on controllers: on request they must deliver the personal data in a structured, commonly used, machine-readable and interoperable format, so they must have the technical means to do so.


Right-to-be-forgotten

Another novelty of the GDPR is that it writes the "right to be forgotten" into law. Note that it has always been possible to ask a controller to delete personal data and make them unsearchable. However, controllers often refused (e.g. citing public interest), and deleted content frequently remained available elsewhere after deletion. Under the right to be forgotten, the GDPR introduces a new obligation: if a controller has made personal data public, then on request it must not only erase the data but also take reasonable steps, including technical measures, to inform other controllers processing the data that the individual has requested the erasure of any links to, or copies or replications of, those data.


Built-in data protection

Under the principle of built-in data protection (data protection by design and by default, Article 25 GDPR), when determining the technical and organisational means of processing the controller must take into account the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the risks to individuals arising from it; it must identify and assess those risks and implement the measures necessary to minimise them.
In practice this means that GDPR requirements must be considered from the earliest stage of developing products and services that involve personal data, i.e. within the development cycle, in particular the rules on pseudonymisation, data minimisation, transparency and control. Built-in data protection applies to the whole processing life cycle, including ongoing IT development such as patches and updates.
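As an added illustration of two of the design-stage measures named above, pseudonymisation and data minimisation, the following Python example is not part of the original article and does not describe any Deloitte tooling. It assumes a hypothetical customer record and a hypothetical analytics purpose that only needs two of its fields. The identifier is replaced by a keyed pseudonym (HMAC-SHA256) so that the key, which the controller keeps separately from the pseudonymised data set, is the only way to link the record back to a person; the remaining direct identifiers are simply not carried over.

```python
import hmac
import hashlib

# Hypothetical customer record, constructed for this example.
CUSTOMER = {
    "customer_id": "C-10042",
    "name": "Example Person",
    "email": "person@example.com",
    "date_of_birth": "1980-04-12",
    "plan": "premium",
    "monthly_spend": 49.0,
}

# Fields the (hypothetical) analytics purpose actually needs: everything else
# is left out of the derived data set (data minimisation).
ANALYTICS_FIELDS = ("plan", "monthly_spend")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier under a secret key.

    The key is the 'additional information' that must be kept separately
    from the pseudonymised data. Without it the pseudonym cannot be linked
    back to a person, whereas an unkeyed hash of a low-entropy field such
    as an email address could be reversed by simply enumerating candidates.
    In production the key would be generated with secrets.token_bytes(32)
    and stored in a key management system, not alongside the data.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise_and_pseudonymise(record: dict, key: bytes) -> dict:
    """Return a record fit for the analytics purpose: the direct identifier is
    replaced by a keyed pseudonym and fields the purpose does not need are
    dropped rather than copied."""
    out = {"subject": pseudonym(record["customer_id"], key)}
    for field in ANALYTICS_FIELDS:
        out[field] = record[field]
    return out


def relink(pseudonymised: dict, known_ids: list, key: bytes):
    """Only the key holder can re-identify a subject, by recomputing the
    pseudonym for identifiers it legitimately holds. Returns the matching
    identifier or None."""
    for cid in known_ids:
        if hmac.compare_digest(pseudonym(cid, key), pseudonymised["subject"]):
            return cid
    return None


if __name__ == "__main__":
    demo_key = b"demo-key-held-separately-from-the-data"  # placeholder for the example only
    derived = minimise_and_pseudonymise(CUSTOMER, demo_key)
    print(derived)
    print("re-linked by key holder:", relink(derived, ["C-10001", "C-10042"], demo_key))
    print("re-linked without key:", relink(derived, ["C-10001", "C-10042"], b"wrong-key"))
```

The point of keying the pseudonym rather than hashing the identifier directly is that a reversal attempt without the key is the "unauthorised reversal of pseudonymisation" the impact assessment section treats as a high risk; keeping the key separate from the data set is what makes the derived data pseudonymous rather than merely obfuscated.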


Data protection impact assessment

Under the GDPR, as a general rule the controller must carry out a data protection impact assessment before starting processing that is likely to result in a high risk to the rights and freedoms of natural persons. The risk may be considered high where the processing could lead to physical, material or non-material damage, in particular identity theft or fraud, financial loss, damage to reputation, unauthorised reversal of pseudonymisation or any other significant economic or social disadvantage, or where the individuals concerned could be prevented from exercising their rights and freedoms. The impact assessment is meant to identify the risks before the processing begins and to define the measures that mitigate them.

The GDPR specifies that an impact assessment is required in particular in the following cases:

  • systematic and extensive evaluation of natural persons based on automated processing (e.g. profiling, use of scoring systems) on which decisions with legal or similarly significant effects are based,
  • processing of special categories of personal data on a large scale, and
  • systematic monitoring of publicly accessible areas on a large scale.

In addition to the above cases, national data protection authorities are entitled to define the range of data processing activities where impact assessment is mandatory.


Reporting a personal data breach to the data protection authority

The currently effective Act CXII of 2011 on Informational Self-Determination and Freedom of Information (the "Information Act") already requires controllers to keep records of data protection incidents and of the measures taken, and to inform the individuals concerned. In Hungary, however, reporting breaches to the authority has so far been mandatory only for electronic communications service providers.

An important change is that the GDPR extends the reporting obligation to all controllers. As a general rule a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Processors must notify the controller without undue delay after becoming aware of a breach. If the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also inform the individuals concerned without undue delay. Because the 72-hour clock starts at awareness, the detection and internal escalation path is as important as the notification itself.


Data protection penalty

The GDPR harmonises the level of data protection fines by defining two categories and listing the relevant infringements under each.

The more serious category covers infringements of the data protection principles, the conditions for consent, the rights of individuals and the rules on transfers of personal data to third countries. The maximum fine for these infringements rises to EUR 20 million from the current HUF 20 million, or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

The less serious category covers infringements of the obligations of controllers and processors, such as the rules on processing that does not require identification, the conditions for a child's consent, the general requirements on controllers and processors, security of processing, personal data breaches and data protection officers. Here the maximum fine is EUR 10 million, or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

An important change is that the GDPR extends the scope of fines to processors, too.


Data protection officer

Unlike the Information Act, the GDPR extends the obligation to appoint a data protection officer. A controller must appoint one if its core activities consist of processing which, by its nature, scope and/or purpose, requires regular and systematic monitoring of individuals on a large scale (e.g. profiling), or of large-scale processing of special categories of personal data. This provision requires many controllers across various industries to appoint a data protection officer. As a general rule, the role may also be filled by an external provider under a service contract.

National rules of implementation

Although the GDPR intends to introduce a unified regulation in all EU member states, it allows member states to deviate in more than 50 areas. As a simplification, it will be sufficient for multinational companies to deal with a single lead supervisory authority in the future (the one-stop-shop principle).

How to proceed?

The first step in preparing for the GDPR is to understand who processes what data, how, and through which processes at the company. Then it must be assessed how the changes will affect the company's operations, product development and service provision in terms of business, strategy, finance and technology.

Deloitte's approach is not limited to the legal and/or technological aspects of GDPR compliance. We regard GDPR as a strategic opportunity where compliance is only one aspect, and the transparency of data, protection of integrity, and optimisation of processes all contribute to a more efficient and competitive organisation.

Deloitte's experts have unrivalled experience and professional skills in the field of privacy and data security. Contact us to see how we can assist your business in the GDPR preparation.
