Four months before the General Data Protection Regulation (GDPR) starts to apply, the EU Commission released a communication to the European Parliament and the Council on the direct application of the GDPR, highlighting the innovations and opportunities of the new legal framework, the measures already taken by the parties involved and the further steps to be taken in the near future.
The new European Commission document on the direct application of the GDPR is therefore a combination of a recap of the GDPR and a plan of future action.
Innovations and opportunities arising from the GDPR
The new Regulation, which replaces and modernises the previous EU Directive, aims at a harmonised data protection system as a building block of the European digital single market. The same unified rules also apply to all companies that process the personal data of individuals in the EU, even if the companies themselves are established outside the EU.
Moreover, the Regulation strengthens the position of individuals by providing them with the rights of information, access and erasure, and by requiring a clear affirmative action for consent to be valid; silence, pre-ticked boxes or inactivity no longer count as consent. Individuals are also granted a new right to data portability, allowing them to receive their personal data back from an organisation in a structured, commonly used and machine-readable format and to have it transmitted to another organisation, which enhances the flow of data between companies.
In case of a personal data breach that is likely to result in a risk to the rights and freedoms of the data subjects, the data controller has a clear obligation to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (a processor must in turn notify the controller without undue delay). Where the breach is likely to result in a high risk to the individuals concerned, they must also be informed of the breach.
Infringement of the data protection rules may incur fines imposed by the data protection authorities of up to 20 million euros or 4% of the company's total worldwide annual turnover, whichever is higher.
The accountability principle is implemented through obligations that scale with the risk of the processing, which removes the ambiguity of the previous responsibility rules. The new Data Protection Impact Assessment (DPIA) is the main tool for assessing that risk.
Under the new data protection rules, the Commission remains responsible for adopting adequacy decisions, which allow personal data to be transferred to countries outside the EU that ensure an adequate level of protection.
Measures undertaken in light of the GDPR
The successful implementation of the new data protection rules requires the cooperation of the Commission, the member states, the data protection authorities, businesses and organisations, as well as individuals.
The EU Commission has been supporting the member states and their authorities by setting up an expert group and holding bilateral meetings in order to ensure a high level of consistency. Furthermore, it engages actively with key trading partners outside the EU with a view to adopting adequacy decisions and ensuring the free flow of data. The Commission also engages with stakeholders by organising events and sector-specific discussions and by developing tools to increase awareness and understanding.
The Article 29 Working Party, which will be replaced by the European Data Protection Board, has released various guidelines clarifying the new principles and rules, aimed at legal certainty and coherence. However, the final interpretation and application of the new provisions rests with the national and EU courts.
Steps remaining by the Member States, data protection authorities and businesses
Although the Regulation is directly applicable and no national law is required to transpose it, the member states need to align and amend their laws in accordance with the new principles. To date only Germany and Austria have adopted the relevant national legislation, while the remaining states intend to adopt it by May 2018. The Commission further points out clearly that, «when adapting their national legislation, Member States have to take into account the fact that any national measures which would have the result of creating an obstacle to the direct applicability of the Regulation and of jeopardising its simultaneous and uniform application in the whole of the EU are contrary to the Treaties.»
The member states are also required to establish fully independent data protection authorities, which will have a fundamental role in raising awareness and educating controllers and processors, but also in ensuring the implementation of the Regulation, including by imposing fines.
The main impact of the GDPR provisions falls on businesses whose core activity consists of processing personal data on a large scale or of handling sensitive data. In these cases, the appointment of a data protection officer (DPO) and the carrying out of a DPIA will most likely be required.
The Commission urges businesses to view the upcoming Regulation as an opportunity: to identify the nature of the data they process and the way it is managed, to re-evaluate their relationship with the data protection authorities on the basis of accountability and proactive compliance, and to develop a new relationship with their customers by providing privacy-friendly products.