Living in a data-driven world where almost every aspect of our lives revolves around and involves the collection, processing and retention of data, the 1995 Directive struggled to keep up with rapid technological developments.
This is why in 2012, the European Commission published legislative proposals for data protection reform across the European Union, with the aim of making Europe ‘fit for the digital age’.
At the core of this legislative reform is the introduction of the General Data Protection Regulation (‘the GDPR’) designed to:
Key Changes introduced by GDPR
The GDPR applies to two types of data handlers – Data Controllers and Data Processors.
A Data Subject is any directly or indirectly identifiable individual whose personal data is collected, processed, handled and stored by the data handlers e.g. job applicants, employees, customers and website users.
A Data Controller is a natural or legal person who, alone or jointly, determines the purposes, the means and the way personal data is processed.
A Data Processor is a separate natural or legal person engaged by the Data Controller to process personal data on its behalf and on its strict instructions.
Increased Legal Certainty
Having a single law regulating data protection across Europe removes the confusing situation in which each Member State followed its own domestic law, thereby enforcing dissimilar obligations and sanctions.
Expansion of the Territorial Scope
While under the 1995 Directive it was somewhat vague whether its applicability extended outside of the EU, the Regulation makes it crystal clear that geographic location is not a factor: it applies to entities
- offering goods or services in the EU;
- collecting, processing and storing information belonging to EU citizens/residents, regardless of whether the activity takes place in the EU.
So, if I decide to go on holiday in China and stay in a hotel, the hotel is processing data relating to an EU data subject and is therefore still bound to safeguard my data and my rights.
More Severe Sanctions
Under the Directive fines varied from one jurisdiction to another. For instance, fines under the old Data Protection Act (Chapter 440 of the Laws of Malta) did not exceed €23,000.
Under the new Regulation, the Office of the Information and Data Protection Commissioner (‘IDPC’) can impose administrative fines starting from €10M or 2% of the global annual turnover, which may increase to a maximum of €20M or 4% of the global annual turnover depending on the seriousness of the breach.
IMPOSING THE APPROPRIATE PENALTY IS NOT STRAIGHTFORWARD!
BUT the following must be taken into consideration:
- The nature, gravity and duration of the breach;
- The intentional or negligent character of the breach;
- Any action taken to mitigate the damage suffered by the data subjects;
- The degree of responsibility;
- Any previous violations.
Evidence Compliance – Besides adopting adequate technical and security measures, Controllers are responsible for documenting the measures implemented, their effectiveness, and how they are reviewed and updated.
Be Transparent – Controllers have an inherent duty to inform data subjects of their rights and of how their personal data is collected, used and retained, in a simple and concise manner.
Appoint a Data Protection Officer (‘DPO’) – To assist in the compliance journey, public entities are legally required to appoint a DPO. The DPO is responsible for conducting regular checks and assessments, fostering a data protection culture and acting as a bridge between the entity, the data subjects and the regulatory authority.
Monitor Processors – Controllers must conduct detailed due diligence to ensure that data processors offer sufficient guarantees (i.e. security controls) in line with the requirements of the GDPR.
Onus of Liability
While Controllers acted as a kind of shield for Data Processors under the 1995 Directive, data subjects may, under the new Regulation, take direct action against Processors and claim compensation for material or immaterial damage.
Under the Directive, notification of data breaches was only mandatory for the electronic communications sector.
NOW every organisation collecting, processing and/or storing data is obliged to report data breaches to the Supervisory Authority within 72 hours, including weekends and public holidays. If a Controller fails to notify within this time limit and data subjects are exposed to a high risk, its liability will be much higher, since this is an obligation mandated by law.
Privacy by Design & by Default
From the very start, before purchasing a new system, initiating a new process or opening a new service line, Controllers must ensure that data privacy is catered for.
Controllers must ensure that:
- the data minimisation principle is applied – only data which is strictly necessary should be collected. Hence, collecting data for possible future use is no longer an acceptable excuse;
- the processing is limited to the purpose for which the data was collected (purpose limitation);
- the data is protected via encryption, anonymisation, strong passwords and backups. However, none of these is a 100% foolproof measure;
- prior assessments are carried out when the processing involves data which may result in risks to the data subjects;
- the data is only accessed by authorised personnel on a need-to-know basis; and
- the processing activities are recorded.
Simplified Consent Structure
Consent must be:
- Freely given
- Positive opt-in
The right to withdraw consent must be as EASY as it is to give consent!
While the obligation to store personal information for a period no longer than is necessary was already prescribed under the 1995 Directive, the GDPR requires Controllers to specify the period for which the personal data will be stored, or the criteria used to determine such period.
EXCEPTION - data stored in the public interest for archiving, statistics, scientific and historical research could be retained indefinitely.
Although the Directive already catered for certain rights (the right to be informed, the right of access, the right to rectification, the right to restriction of processing, the right to object and the right not to be subjected to automated decision-making), the main objective behind the Regulation was to give citizens more control over their personal data.
The GDPR introduced the following additional rights:
- the Right to Erasure (also known as the Right to be Forgotten);
- the Right to Data Portability.
The above rights are NOT ABSOLUTE and must generally be responded to within 1 month.
Overall, it can be concluded that there is no one-size-fits-all GDPR approach, but businesses should implement comprehensive and proportionate measures to uphold data privacy as well as minimise the risk of breaches.
“The digital future of Europe can only be built on trust. With solid common standards for data protection, people can ensure they are in control of their personal information.” – Andrus Ansip