The following article is an overview of the main changes under GDPR and how it differs from the previous 1995 directive.
The aim of the GDPR is to protect all EU citizens from privacy breaches in the context of the modern, data-driven world. The data landscape is a vastly different place from the time in which the 1995 directive was created. Although the main principles of data privacy are still true to the ’95 directive, a number of significant changes have been made. The key changes in the GDPR and the impacts it will have on your organisation, can be found below.
Territorial Scope Increased
Possibly, the biggest change to data privacy regulation is the extended jurisdiction of the GDPR. It applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location. Previously, territorial scope of the directive was less clear and referred to data process ‘in context of an establishment’ and this topic was the subject of a number of high profile court cases. The GPDR is much clearer. It applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR also applies to the processing of personal data of data subjects in the EU by a controller or processor not in the EU, where the activities relate to: offering goods or services to EU citizens. This is the case irrespective of whether payment is required. It also covers the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens will also need to appoint a representative in the EU.
Organisations in breach of GDPR can be fined up to 4% of annual global turnover or 20 Million Euros, whichever is greater. These are the maximum fines that can be enforced for the most serious breaches such as not having sufficient customer consent to process data or violating the core of Privacy by Design concepts. The fine structure is tiered, so a company can be fined 2% of turnover or 10 Million Euro for not having their records in order (article 28) or failing to notify the supervising authority and data subject about a breach. This now applies to both controllers and processors so cloud services will not be exempt from GDPR enforcement.
What constitutes consent has been strengthened. Organisations will no longer be able to hide behind unclear terms, legalese or consent-by-default as a basis for consent. The request for consent must now be given in simple, readable terms, with the purpose for data processing also made clear. It must also be as easy to withdraw consent as it is to give it.
Breach notification will become mandatory in all member states where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. It must be done within 72 hours of first becoming aware of the breach. Data processors will now be required to notify the controllers, “without undue delay”.
Right to Access
Data subjects have the right to find out, from the data controller, whether personal data concerning them is being processed, where it is processed and for what purpose. Also, the controller will need to provide a copy of the personal data, free of charge, in an electronic format. This is a significant change to data transparency and the empowerment of data subjects.
The Right to be Forgotten
The Right to Data Erasure, sometimes referred to as the right to be forgotten, is new in GDPR and entitles the data subject to have his/her personal data erased under certain circumstances. The conditions for erasure are outlined in article 17 and include the data no longer being relevant to original purposes for processing, or a data subjects withdrawing consent (if that is the basis on which the data is being held). This right cannot be enforced if it is against the public interest or there is a legitimate, legal or contractual reason why it needs to be retained.
Data portability is new in the GDPR. It did not exist in the ’95 Directive. It details the right for a data subject to receive the personal data concerning them, if it is used in an automated system and was provided by the data subject in the first place. It must be provided in a commonly use and machine-readable format so it can be transmitted to another data controller.
Privacy by Design
The idea of Privacy by design has existed for a while now, but it is now a legal requirement with the GDPR. The concept of privacy by design calls for the consideration of data protection in initial system design, rather than as an afterthought. The GDPR requires that appropriate technical and organisational measures are applied in an effective way. Article 23 calls for controllers to hold and process only the data absolutely necessary for the completion of its duties (data minimisation), as well as limiting the access to personal data to those needing to carry out processing.
Data Protection Officers
Under the old regulation, data controllers are required to notify their data processing activities with local Supervisory Authorities. For multinational organisations, this can be a bureaucratic nightmare with most Member States having different notification requirements. Under GDPR it will not be necessary to submit notifications in this way, nor will it be a requirement to notify or obtain approval for transfers based on the Model Contract Clauses (MCCs). Instead, there are internal record keeping requirements (see below) and DPO appointment will be necessary only for those controllers and processors whose main activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences. The DPO:-
- Should be appointed based on professional qualities and expert knowledge of data protection law and practices.
- Can be a staff member or an external service provider
- Contact details must be provided to the relevant Supervisory Authorities.
- Must be provided with appropriate resources to carry out their tasks and maintain their expert knowledge
- Must report directly to the highest level of management
- Must not carry out any other tasks that could results in a conflict of interest.
If you would like to find out more about how the GDPR might affect your business or organisation, please feel free to get in touch with CIS via our website www.construct-is.co.uk