On May 25th new rules come in to ensure that people’s data is protected: the new regulation, GDPR, replaces the Data Protection Directive. Although the key principles of data privacy from the previous directive still hold true, there are changes to the regulations.
Increased Scope across Territories: The rules now apply to the processing of personal data of anyone who lives in the EU (the UK has made it clear that Brexit will not affect this). GDPR applies to the processing of personal data by controllers or processors established anywhere in the EU, even if the person does not live in the EU, and to the personal data of anyone who lives in the EU even if the processing, or the company doing the processing, is based outside the EU, when the activities relate to offering goods or services to EU citizens (irrespective of whether payment is required) or to monitoring behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens will have to appoint an EU representative.
Penalties: Under GDPR organisations in breach can be fined up to 4% of annual global turnover or €20 million (whichever is greater). It is important to note that these rules and fines can apply to both controllers and processors, meaning cloud providers will not be exempt.
Consent: The conditions for consent have been strengthened, and companies will no longer be able to use long, illegible terms and conditions full of legalese: the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must be clear and distinguishable from other matters, and provided in an intelligible and easily accessible form using clear and plain language. It must also be as easy to withdraw consent as it is to give it.
Breach: Under the GDPR, breach notification will be mandatory in all member states where a breach is likely to result in a risk to the rights and freedoms of individuals. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify their customers (the controllers) without undue delay after first becoming aware of a data breach.
Access: Part of the expanded rights of data subjects outlined by GDPR is the right of data subjects to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where, and for what purpose. Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format. This change is a dramatic shift towards data transparency and the empowerment of data subjects.
Right to be Forgotten: Also known as data erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt the processing of the data. The conditions for erasure include the data no longer being relevant to the original purpose for processing, or the data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject’s rights against the public interest in the availability of the data when considering such requests.
Portability: GDPR introduces data portability, the right of a data subject to receive the personal data concerning them, which they have previously provided, in a commonly used and machine-readable format, and the right to transmit that data to another controller.
Privacy by Design: This is a concept that has existed for years, but is only now becoming part of legal requirements. At its core, privacy by design calls for the inclusion of data protection from the onset of the design of new systems, rather than as an addition.
This new addition also calls for controllers to hold and process only the data absolutely necessary for the completion of their duties (data minimisation), as well as to limit access to personal data to those who need it for the processing.
Data Protection Officers: Currently controllers are required to notify their data processing activities to the local DPA, which can be a bureaucratic nightmare, with many member states having different notification requirements. Under GDPR it will not be necessary to submit notifications. Instead there will be internal record keeping, and the appointment of a DPO will be mandatory only for those whose core activities consist of processing operations.