Are you GDPR Ready? Everything you need to know!

Living in a data-driven world where almost every aspect of our lives revolves around and involves the collection, processing and retention of data, the 1995 Directive struggled to keep up with rapid technological developments.

This is why in 2012, the European Commission published legislative proposals for data protection reform across the European Union, with the aim of making Europe ‘fit for the digital age’.

At the core of this legislative reform is the introduction of the General Data Protection Regulation (‘the GDPR’) designed to:

Key Changes introduced by GDPR

Data Handlers 

The GDPR applies to two types of data handlers – Data Controllers and Data Processors.

A Data Subject is any directly or indirectly identifiable individual whose personal data is collected, processed, handled and stored by the data handlers, e.g. job applicants, employees, customers and website users.

A Data Controller is a natural or legal person who, alone or jointly, determines the purposes, the means and the way personal data is processed.

A Data Processor is a separate natural or legal person engaged by the Data Controller to process personal data on its behalf and on its strict instructions.

Increased Legal Certainty

Having one single law regulating data protection across Europe is instrumental in removing the perplexing situation where each Member State followed its own domestic law, thus enforcing dissimilar obligations and sanctions.

Expansion of the Territorial Scope

While under the 1995 Directive it was somewhat vague whether its applicability extended outside of the EU, the Regulation makes it crystal clear that geographic location is not a factor and that it applies to entities:

  • offering goods or services in the EU;
  • collecting, processing and storing information belonging to EU citizens/residents, regardless of whether the activity takes place in the EU.

So, if I decide to go on holiday in China and stay in a hotel, since the hotel is processing data relating to an EU data subject it is still bound to safeguard my data and my rights.

More Severe Sanctions

Under the Directive fines varied from one jurisdiction to another. For instance, fines under the old Data Protection Act (Chapter 440 of the Laws of Malta) did not exceed €23,000.

Under the new Regulation, the Office of the Information and Data Protection Commissioner (‘IDPC’) can impose administrative fines starting from 10M or 2% of the global annual turnover, which may be increased to a maximum of 20M or 4% of the global annual turnover depending on the seriousness of the breach.

IMPOSING THE APPROPRIATE PENALTY IS NOT STRAIGHTFORWARD

BUT the following must be taken into consideration:

  • The nature, gravity and duration of the breach;
  • The intentional or negligent character of the breach;
  • Any action taken to mitigate the damage suffered by the data subjects;
  • The degree of responsibility;
  • Any previous violations.

New Obligations

Evidence Compliance – Besides adopting adequate technical and security measures, Controllers are responsible for documenting the measures implemented, their effectiveness and how they are reviewed and updated.

Be Transparent – Controllers have an inherent duty to inform data subjects of their rights and of how their personal data is collected, used and retained, in a simple and concise manner.

Appoint a Data Protection Officer (‘DPO’) – To assist in the compliance journey, public entities are mandatorily (legally) required to appoint a DPO. The DPO is responsible for conducting regular checks and assessments, fostering a data protection culture and acting as a bridge between the entity, the data subjects and the regulatory authority.

Monitor Processors – Controllers must conduct detailed due diligence in order to ensure that data processors offer sufficient guarantees (i.e. security controls) in line with the requirements of the GDPR.

Onus of Liability

While Controllers acted as a kind of shield for Data Processors under the 1995 Directive, data subjects may, under the new Regulation, take direct action against Processors and claim compensation for material or immaterial damage.

Breach Notification

Under the Directive such notification was only mandatory for the electronic communications sector.

NOW every organisation collecting, processing and/or storing data is obliged to report data breaches to the Supervisory Authority within 72 hours, including weekends and public holidays. Where notification is not made within that time limit and data subjects are exposed to a high risk, the liability of the Controller is much higher, since this is an obligation mandated by law.

Privacy by Design & by Default

From the very start, before purchasing a new system, initiating a new process or opening a new service line, Controllers must ensure that data privacy is catered for.

Controllers must ensure that:

  1. the data minimisation principle is applied – only data which is strictly required should be collected. Hence, collecting data for possible future use is no longer an acceptable justification;
  2. the processing is limited to the purpose for which the data was collected (purpose limitation);
  3. the data is protected via encryption, anonymisation, strong passwords and backups. However, no such system is 100% foolproof;
  4. prior assessments are carried out when the processing involves data which may result in risks to the data subjects;
  5. the data is only accessed by authorised personnel on a need-to-know basis; and
  6. the processing activities are recorded.

Simplified Consent Structure

Consent must be:

  • Freely given
  • Specific
  • Positive opt-in
  • Unambiguous
  • Informed
  • Documented

The right to withdraw consent must be as EASY as it is to give consent!

Data Retention

While the obligation to store personal information for a period no longer than is necessary was already prescribed under the 1995 Directive, the GDPR requires Controllers to specify the period for which the personal data will be stored, or the criteria used to determine such period.

EXCEPTION - data stored in the public interest for archiving, statistics, scientific and historical research could be retained indefinitely.

Increased Control

Although the Directive already catered for certain rights (the right to be informed, the right of access, the right to rectification, the right to restriction of processing, the right to object and the right not to be subjected to automated decision-making), the main objective behind the Regulation was to give citizens more control over their personal data.

The GDPR introduced the following additional rights:

  1. the Right to Erasure (also known as the Right to be Forgotten);
  2. the Right to Data Portability.

The above rights are NOT ABSOLUTE and requests must generally be responded to within 1 month.

Conclusion

Overall, it can be concluded that there is no one-size-fits-all GDPR approach, but businesses should implement comprehensive and proportionate measures to uphold data privacy as well as minimise the risk of breaches.

“The digital future of Europe can only be built on trust. With solid common standards for data protection, people can ensure they are in control of their personal information.” - Andrus Ansip

About Dr. Yanika Micallef

Dr. Yanika Micallef was born on the 10th of June 1995. She obtained her Warrant under the Laws of Malta in 2019 after successfully completing her Bachelor of Laws (Honours) in 2017 and Master of Advocacy in 2018 from the University of Malta. She successfully submitted and defended her dissertation entitled ‘The Notion of Excusability in Error as a Vice of Consent’ in 2017.
