The new General Data Protection Regulation (GDPR), which will apply from May 2018 onwards, is set to bring significant changes to the way companies process personal data. Various provisions in the GDPR reflect principles which already existed in the EU Directive 95/46/CE on personal data processing (for example, the principles of lawfulness, fairness and transparency of data processing).
However, the GDPR also brings significant changes to the legal framework for privacy in the EU, all of which are aimed at clarifying data subject rights and bringing uniformity to the terms in which data privacy rules are implemented throughout the EU. For example, not only is the territorial scope of the GDPR broader than the EU Directive (non-EU-based companies are impacted, when processing EU citizens data), but new data subject rights are formalized (such as the right to portability and the right to be forgotten).
Significantly, data processors, which up to now were not directly liable for their actions in what concerns data processing, now become directly responsible for the data processing carried out on behalf of controllers and must comply with various obligations arising directly from the GDPR. This means that, for example, – including, for example, providers of cloud services and providers of back-office services (such as invoice and billing management, app/digital environments creation, software set up and server maintenance).
Among other changes, penalties for noncompliance may now reach a maximum 20 million Euros or 4% of the total global annual turnover for the preceding financial year, whichever is highest.
Under the GDPR, companies will essentially process data under a self-accountability principle and a more demanding level of involvement is required from the various internal structures, in order to avoid substantial financial penalties. Among other major adjustments, under the GDPR, companies should:
-
Carry out Privacy Impact Assessments (PIAs), which become mandatory in some cases;
-
Keep adequate registries proving compliance with their obligations, including proof of data subject consent and information;
-
Notify data breaches to the relevant data protection authority and, in certain circumstances, to the data subjects;
-
Implement “Privacy by Design” and “Privacy by Default” principles;
-
Appoint a Data Protection Officer (mandatory action when the controller or processor’s plans include the regular and systematic monitoring of data subjects or the processing of sensitive personal data on a large scale);
-
Implement adequate data minimisation and security techniques, such as data encryption, pseudonymisation, and others, as deemed adequate and appropriate.
In practice, the GDPR will require companies (both controllers and processors) to be more directly and intensely involved with data processing, as the GDPR sets additional obligations for companies processing data, subject to a case-by-case approach to data processing – meaning, companies should carry out different privacy impact analysis and implement different measures, considering the various implications and possible consequences and impacts of personal data processing).
On the other hand, data protection authorities are likely to have a more active role in carrying out monitoring actions, since controllers will no longer have to either notify or obtain authorization for the processing of personal data. As a consequence, data protection authorities are expected to have more time and personnel resources aimed at ensuring monitoring compliance and enforcing the GDPR.
The Article 29 Working Party has issued some guidance on the GDPR and local DPAs have also issued decisions on the interpretation of the GDPR; more may follow until May 2018.
Any such guidances are likely to be of use for companies on their path to GDPR compliance. One thing is certain: post-GDPR, data processing will necessarily and inevitably be at the top of the priority list for companies.
About the Authors:
Isabel Ornelas – Isabel Joined VdA in 2006 and is currently senior associate integrated into the TMT – Telecoms, Media & TIs practice group. She works in the field of privacy and data protection, having taken an active role in several privacy compliance audits in various sectors, in the set-up of privacy policies and ethics lines, as well as project-oriented legal counseling in various operations and market products/services. She also organizes training sessions and workshops and lectures at the Post-Graduate course in Compliance at the Institute of Banking Management.
Sebastião Barros Vale – Sebastião joined Vieira de Almeida & Associados in 2016. He is a Trainee at the area of Telecoms and Media. In this capacity, he has been actively involved in several transactions and projects in Portugal and abroad, including privacy compliance programs in various sectors (particularly the health sector, banking and finance and telecommunications), including in the context of international data transfers.
To-dos:
– Check your company’s data protection policy and compliance with the new EU GDPR.
– Count on us for your document management projects and keep your company’s and your customer’s information assets secure, protected and compliant.
– Don’t miss our infographic “Is your client onboarding process compliant with the new EU General Data Protection Regulation?” with everything you need to know to ensure compliance with the new EU GDPR.
– Read our blog article “Customer data protection: how to eliminate risks of loss or exposure” to know more about data security breaches, best practices for customer data protection as a corporate-wide approach, and guidelines to really ensure customer data protection and compliance.
– Subscribe to our blog to receive valuable insights about document management and paper-free processes.
– Download our ebook “Paper at the gates: Driving digital revolution with modern capture” and learn how data capture is the gateway for inbound and outbound content and the starting line where digital transformation initiatives begin.