Over four years in the making, the EU General Data Protection Regulation (GDPR) was approved by the European Parliament on 14 April 2016 and published in the Official Journal of the European Union on 4 May 2016.
The GDPR will apply directly in all EU Member States from 25 May 2018. It repeals and replaces Directive 95/46/EC and the Member State legislation implementing it, and introduces new requirements for the processing of personal data.
The territorial scope of the GDPR is expanded to cover organisations established outside the EU that process personal data about persons who are in the EU, where the processing relates to offering goods or services to those persons or to monitoring their behaviour. A data controller or data processor that is not established in the EU but falls within the scope of the GDPR must, subject to limited exceptions, designate in writing a representative in a Member State.
The concept of accountability is at the heart of the GDPR rules: it means that organisations will need to be able to demonstrate that they have analysed the GDPR’s requirements in relation to their processing of personal data and that they have implemented a system or programme that allows them to achieve compliance.
This document summarises the key components of the GDPR – it should be noted that this is only a simplified summary.
Glossary of terms
Consent
Freely given, specific, informed and unambiguous agreement of the data subject, given by a statement or a clear affirmative action, to the processing of their personal data.
Data controller
A person or body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processor
An entity which processes personal data on behalf of the data controller.
Data subject
A natural person whose personal data is processed by a data controller or data processor.
DPO (Data Protection Officer)
A Data Protection Officer, whose appointment is obligatory under the GDPR where: (i) processing is carried out by a public authority or body; or (ii) the “core activities” of a data controller / data processor either: (a) require “the regular and systematic monitoring of data subjects on a large scale”; or (b) consist of processing of special categories of data or data about criminal convictions “on a large scale”.
Personal data
Any information relating to an identified or identifiable natural person (the ‘data subject’), i.e. a person who can be identified, directly or indirectly, from that information alone or in combination with other data.
PIA (Privacy Impact Assessment)
The GDPR imposes a new obligation on data controllers to conduct a Data Protection Impact Assessment (otherwise known as a Privacy Impact Assessment, or PIA) before undertaking any processing that is likely to result in a high risk to the rights and freedoms of individuals by virtue of its nature, scope, context or purposes; data processors must assist the controller in doing so. Chapter IV Section 3 sets out a non-exhaustive list of categories of processing that will fall within this provision.
Processing
This is defined widely to cover any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means. Examples of processing include the collection, recording, organisation, storage, use and destruction of personal data.
Supervisory Authority (in Sweden)
The Data Protection Authority (Sw: Datainspektionen)
All the requirements of the Swedish Personal Data Act are retained in the GDPR, except the obligation to notify the Data Protection Authority (Datainspektionen) that you are processing personal data. The GDPR will involve, inter alia, the following changes:
- The GDPR requires organisations to implement measures to reduce the risk of non-compliance with the GDPR and to demonstrate that data protection is taken seriously.
- Data controllers and data processors are obliged to appoint a Data Protection Officer in certain circumstances, such as: (a) where the core activities of the organisation consist of processing operations which require “regular and systematic monitoring” of data subjects on “a large scale”; or (b) where the core activities consist of processing of special categories of data on “a large scale”. Data protection officers are required to report directly to the highest management level of the organisation.
- The GDPR formalises the requirement to carry out privacy impact assessments (PIAs) in certain circumstances. Specifically, data controllers must carry out a privacy impact assessment where a type of processing is likely to result in a high risk to the rights and freedoms of individuals.
- Data subject rights have been enhanced under the GDPR, including a new right to data portability and an enhanced right to erasure. Under the GDPR, data controllers will see their obligation to inform the data subject enhanced, as they will also have to inform data subjects about: the envisaged retention period of the personal data, their right to withdraw their consent at any time and their right to lodge a complaint with a Supervisory Authority. The GDPR specifically requires that the information is provided to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
- The shape of export restrictions under the GDPR remains similar as before, with some streamlining.
- Data processors now have direct obligations under the GDPR and can be liable to fines from Supervisory Authorities and to claims from data subjects.
- Consent is subject to additional conditions under the GDPR. The GDPR requires the data subject to signal agreement by “a statement or a clear affirmative action”; silence, pre-ticked boxes or inactivity do not constitute consent. A request for consent must also be clearly distinguishable from other matters in a written agreement, clearly presented, and consent must be as easy to withdraw as it was to give. The GDPR also introduces restrictions on the ability of children to consent to data processing without parental authorisation.
There will be a substantial increase in fines for organisations that do not comply with the new regulation. The maximum fine for non-compliance is the higher of €20m and 4% of the organisation’s total worldwide annual turnover for the preceding financial year.
If data processors breach their direct obligations they can be fined by the Supervisory Authorities and held jointly liable with the data controller for the entire damage suffered by a data subject, unless they can prove they were not in any way responsible for the event giving rise to the damage.
New requirements regarding the processing of personal data
- Step 1: inventory of the current processing of personal data
- Step 2: awareness of the provisions of the GDPR
- Step 3: identify areas of improvement
Implementing the required changes arising from the application of the GDPR
As a first step in your preparation for the GDPR, the current organisation should be reviewed and evaluated. We recommend you to appoint a working group to carry out an inventory of the processing of personal data. The inventory should be fully documented.
Among other things, the following issues should be examined:
- What kind of personal data is processed?
- Is any personal data regarding children processed? For the purposes of consent to online services the GDPR treats a person under the age of 16 as a child, although Member States may lower this age to no less than 13.
- What is the ground for the processing of personal data (such as consent)?
- How is the consent obtained?
- What kind of system is handling the personal data?
- How is the data collected?
- For how long is the data kept before it is deleted?
- Is the personal data exported? Inside and/or outside the EU? Review and map your data flows.
- Do you have any data protection policies?
- What information is given to the data subject?
Once the data mapping exercise is complete, each organisation will need to assess its current level of compliance with the requirements of the GDPR. Gaps will need to be identified and remedial actions prioritised and implemented.
You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have and identify areas that could cause compliance problems under the GDPR.
The GDPR places greater emphasis on the documentation that data controllers must keep to demonstrate their accountability. Compliance with the GDPR will require organisations to review their approach to governance and how they manage data protection as a corporate issue. One aspect of this might be to review the contracts and other arrangements you have in place when sharing data with other organisations.
When your current routines for processing personal data have been evaluated and you have a better understanding of the GDPR, it is important to identify the areas and routines that need to change in order to comply with the GDPR.
When the preparatory measures are completed the implementation phase begins. The company’s systems, routines and policies regarding the processing of personal data need to be updated before 25 May 2018. If your organisation needs assistance with analysing and implementing changes arising from the application of the GDPR please do not hesitate to contact us.