When it comes to data processing, European citizens will have extended rights from May 2018. At the same time, organisations which operate in the continent will have more obligations to fulfil.
The General Data Protection Regulation came into effect on 25th May 2016. From then on, any entity in Europe has to adapt their infrastructure to the new law in two years. Otherwise, from 25 May 2018, they can be penalised.
Penalties and fines will be heavy. There are fines of a maximum of €20 Million or up to 4% of the annual turnover of a company which does not comply with the legal requirements.
The Gartner firm affirms that more than 50% of organisations which operate in Europe won’t adapt their infrastructure to the new law for the 25th May 2018.
However, all residents in the European Union will have new rights when it comes to data processing. Let’s see the 5 essential keys of the new General Data Protection Regulation.
1. What is the purpose of the GDPR?
Simplify and unify the right to data protection of European citizens. Moreover, the law provides more protection coverage to people, as before the new GDPR, every country had their own rules about data processing.
Citizens will have full ability to make decisions and take action over their data, while companies and entities (which are running in Europe) won’t have problems with regulators of every country when processing data of their clients across Europe. Another benefit for companies is that they will take advantage of selling in a single digital market.
2. Who is affected by this law?
The GDPR affects any organisation, state or institution that processes data of European residents. Also, the law affects any of those who are not based in the European Union, but they process data of European residents. International organisations with European clients or users must assign a data officer, who should be based in the European Union.
3. The right to be forgotten
This right started with a jurisprudence of the Court of Justice of the European Union on 13th May 2014. That day, the justice determined that the Spaniard, Mario Costeja, was right when he asked to delete a piece of information that damaged his image and was published by La Vanguardia.
The court highlighted that any digital media and search engines like Google are data processors, so, as long as deleting the information does not violate the freedom of expression of the publisher, European residents can apply for removal of information that affects their privacy and honour.
The GDPR is conceived to provide more guarantees to European citizens. So, the right to be forgotten is in this regulatory framework.
4. The right of data portability
From the implementation date, 25th May 2018, entities must provide personal data to their clients and users who ask for it. European residents will be allowed to transfer this data to another organisation without any obstacle. The flow of information will be easier among entities, which also promotes changing service providers and competition inside the European market.
However, this right concerns to any data provided by users, and also generated by their activities. For example, the data gathered when a user visits and buys something online.
For these reasons, those who are in charge of data processing should adapt their infrastructure to this law as they must be ready to respond to portability of data requests. For example, entities can create applications for users who want to download their data and transfer it to another organisation.
5. Active responsibility and the consent of data
With the new GDPR, entities will have an active role in data processing. Tacit consent to gather information from users and clients won’t be allowed anymore. In a few months, European residents must know if an organisation is going to collect their data. So, on the Internet, users will start to check a box to give consent for this purpose. Saying nothing or unticked boxes won’t be valid with the new regulation.
If organisations gather users and clients data for various purposes, they should request consent for each purpose. So, any request of personal data needs to be explicit and concise. One of the objectives of the European general data protection regulation is to avoid organisations causing damage which is hard to repair for European users.
When it comes to metadata, we talked about how easy it is to violate citizens privacy through data gathered with tacit consent. This violation is considered a damage “hard to repair” for regulators of this legal framework.
6. The one-stop shop [Bonus extra]
Each state will have their independent Supervisory Authority (SA) where citizens can claim and report complaints about data processing. So, each SA will investigate if complaints are local or transnational. In case there are discrepancies among SA and the party concerned, the competent authority would be the European Committee for privacy protection.
In summary, European citizens will regain control over this personal information with places like a one-stop shop. Nowadays this is good news, as most people handle a large quantity of data through their devices.
May 25th is already here [Update 01/31/18]
When the GDPR was put into effect on 25th May 2016, 2 years seemed to be enough away to apply the new regulation. However, 4 months before its enforcement in a permanent and mandatory manner, the fact is 92% of European companies will not be adjusted to the new regulation according to a study conducted by RSM.
What should companies do to be prepared?
From the moment the GDPR enters into force, organisations may need to perform a Data Protection Impact Assessment (DPIA). The DPIA is an instrument to map the privacy risks of obtaining and processing personal data that is done in advance of these processes in order to take the necessary measures to reduce the risks.
Companies must execute a DPIA for any use of data that involves a high risk of privacy for those interested, especially in these cases:
- Systematic and exhaustive evaluation of personal aspects of natural persons that is based on an automated use of data, such as profiling;
- processing of special personal data (specially protected categories) on a large scale;
- monitoring of people in a massive and systematic way in a public access area (for example, with surveillance cameras).
Although it is not necessary to carry out the DPIA with internal resources, it is necessary to ensure that the evaluation is carried out. In addition, if a Data Protection Delegate (DPD) has been assigned within the organization, he or she should be in charge of this task.
But we must take into consideration that if the DPIA determines there is a high risk of infringing the freedom rights of the interested parties and the necessary measures are not implemented to mitigate this, the supervising entity should be consulted before starting the use of data. That same entity will review the analysis and may respond with recommendations, request more information or prohibit the use of data.
What are the consequences of breaking the GDPR?
Companies that do not comply with the GDPR guidelines take the risk of getting fines from May 25, 2018.
This new legislation takes into account the overall annual total business volume of the company’s previous financial year. Thus, in the case of minor infractions, the sanction can reach 2% of it, and in the case of the most serious infractions, the figure goes up to 4%.
However, in case a company violates this law, it will face two possible types of fines: the first group of up to 10 million euros and a second group of 20 million euros for the most serious infractions.
When a breach of data security occurs, the responsible party must notify the competent data protection authority, unless it is unlikely that the violation would suppose a risk to the rights and freedoms of those affected.
The notification of bankruptcy to the authorities must occur without undue delay and, if possible, within 72 hours after the person in charge has proof of it.
The notification must include the following at a bare minimum:
- The nature of the violation.
- Data categories and affected stakeholders.
- Measures taken by the person responsible to solve the bankruptcy.
- If applicable, the measures applied to mitigate the possible negative effects on the interested parties.
We hope that this brief description of points to take into account for the official and final implementation of the GDPR, will help companies that have not yet established an adaptation process to this new regulation.
For any doubt or query do not hesitate to contact us and we will advise you personally.