Coming into force from May 2018, the EU General Data Protection Regulation (the “GDPR”) will profoundly alter the way businesses and consumers look at the data they hold. Being informed about why it’s coming into play and what the regulation is solving will help both organisations and individual citizens understand how they should approach data protection.
The purpose of the GDPR is to harmonise data privacy laws across Europe, protect and empower the data privacy of all EU citizens and reshape the way organisations across the region approach data privacy. Personal data flows throughout the world and can therefore be regarded as a valuable asset which needs to be safeguarded.
This email is being sent to you as a source of information on the main matters which the GDPR will bring about and which may impact your company, and also to provide you with a summary of the next steps which can be undertaken by your company. lecocqassociate can help you in this process and we will be more than willing to receive your feedback.
Main changes brought about by the GDPR
The following are the main changes brought about by the GDPR in comparison with the previous data protection legislation:
Territorial Scope – the GDPR applies to all companies processing personal data of data subjects residing in the EU, regardless of the location of the company. Hence non-EU established organisations will also be subject to the GDPR to the extent they process the personal data of individuals in the EU in relation to (i) offering goods or services to those individuals in the EU, or (ii) monitoring their behaviour within the EU;
Penalties – These have increased substantially. Violation now carries a fine of up to either 4% of the annual turnover or EUR 20 million, whichever is the greater;
Consent – the GDPR strengthens the conditions for consent: companies will no longer be able to use long and illegible terms and conditions, as the request for consent has to be given in an intelligible and easily accessible form. The request for consent must be clear and distinguishable from other matters. The use of clear and plain language is a must when requesting consent;
Breach Notification – This will become mandatory in all member states of the EU where a data breach is likely to result in a risk to the rights and freedoms of individuals. The breach notification must be made to the relevant authorities within 72 hours of first becoming aware of the breach;
Right to Access – Data subjects have a right to obtain, from the company, confirmation as to whether or not personal data concerning them is being processed, where it is being processed and for what purpose. The company shall provide a copy of the personal data, free of charge, to the data subject in an electronic format;
Right to be Forgotten – Data subjects have the right to request that the company erase their personal data, cease further dissemination of the data and potentially have third parties halt processing of their personal data. This can be requested in line with the conditions listed in Article 17 of the GDPR;
Data Portability – Data subjects have the right to receive the personal data concerning them which they had previously provided, in a commonly used and machine-readable format, and have the right to transmit that data to another controller;
Privacy by Design / by Default – Appropriate technical and organisational measures must be implemented in an effective way in order to meet the requirements of the GDPR and to protect the rights of data subjects. This is an obligation of the company, which is to process only the personal data necessary for the completion of its duties;
Data Protection Officers – The appointment of a Data Protection Officer is a requirement in any case where (i) the processing is carried out by a public authority/body, except for courts; (ii) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or (iii) the core activities of the controller or the processor consist of processing personal data relating to criminal convictions and offences. The Data Protection Officer to be appointed should satisfy the below conditions:
– Must be appointed on the basis of professional qualities and expert knowledge of data protection law and practices;
– May be a staff member or an external service provider;
– Contact details must be provided to the relevant data protection authority;
– Must be provided with appropriate resources to carry out their tasks and maintain expert knowledge;
– Must report directly to the highest level of management; and
– Must not carry out any other task that could result in a conflict of interest.
Data Protection Policy – A data protection policy needs to be drafted for each entity; and
Conduct a Data Protection Impact Assessment – Where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the company shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
The following is the action plan which an entity has to follow to be compliant with the GDPR:
Draft a Data Protection Directive;
Conduct a Data Protection Impact Assessment to identify high risks to the privacy rights of individuals when processing their personal data. This control should take place prior to the processing of personal data;
Appointment of Data Protection Officers (if required in line with the above-mentioned requirements); and
Include disclosure language and amend affected agreements – this is to be included in the offering documents, as applicable to the structure of your company, and in any agreements in place to the extent relevant.