GDPR Summary: here is how new EU rules will affect data
The General Data Protection Regulation (GDPR) is a new set of European legislation designed to reform and harmonise the rules on individuals’ personal data. Ratified by the European Parliament on April 2016, it will enter into force on 2018. Its impact is considerable, and for this reason we prepared a GDPR Summary that will help company’s to start assessing their strongest and weakest spots in their privacy policy.
Who will the be affected by the GDPR?
The GDPR refers to personal data of EU nationals, and therefore applies to all organisations (European or not) offering good or services to data subjects in the EU.
Due to the large number of changes introduced by the GDPR, companies will have to seek compliance with the new regulation before it enters into force on January 2018.
What is personal data?
GDPR defines personal data as any information that makes a person identifiable, directly or indirectly. Names, location data or identification numbers concur to a person identification.
What are the fines for non compliance?
Fines are severe and they amount to 4% of a company’s annual turnover or 20 million Euros, the greater figure applies. A data controller must notify a data breach to the competent authority within 72 hours; the breach must be also notified to the data subjects if it is likely to affect their fundamental freedoms. A data processor must notify the breach to the controller but otherwise has no other notification or reporting obligations.
Data Protection Officers: how will they operate?
A new professional role- the Data Protection Officer (DPO)- is introduced by the GDPR to ensure that compliance is granted throughout all company’s activities. Data Protection Officers will certainly be mandatory for companies that deal with Marketing Services or Research, and generally for companies whose core activities involve sensitive data or “regular and systematic monitoring of data subjects on a large scale”. DPO will also be a key figure to provide gap analysis and a compliance strategy to most businesses that need to adjust to the new rules.
Companies: data controllers and data processors
The Regulation introduces new obligations upon data processors, and requires data controller to engage only with processors capable of providing sufficient safeguards to their data. This relationships must be documented by contracts mandating specific privacy standards.
The GDPR lists some of the measures that concur to adequate protection standards, such as confidentiality, pseudonymisation, code of conducts and adequate safety tests.
Privacy by design
New administrative requirements such as record-keeping, organisational adjustments and breach notification systems are also introduced. Data protection safeguards should stem directly from a company’s products or services- the so called Privacy by Design.
Consent
The GDPR is designed to enable individuals to have better control of their personal data. According to the Regulation consent means “any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed”. The GDPR does not necessarily require explicit or written consent as long as the indication of will is given with all the conditions above. However, a company should always be able to demonstrate that consent has been obtained. A person has a right to withdraw his or her consent as freely and easily as it was granted.
Legitimate interest of a Company
Like consent, legitimate interest is one of the grounds that allow a company to lawfully process or control personal data. A company has a legitimate interest in processing data if that interest is linked to actions that are strictly necessary for the purposes of that same company. The legitimate interest of a company could be, in certain specific cases, overridden by “the interests of fundamental freedoms” of the data subject. According to the GDPR, ‘direct marketing’ purposes can form a legitimate interests of a company.
Conclusion: smart compliance
In this GDPR summary we highlighted how a company should face the organisational changes required by the new Regulation. A strong focus on consent and on a business’ legitimate interests will allow a company to lawfully collect personal data. In this fashion, a business will be ready to fully benefit from the harmonisation of data policies brought by the GDPR.
Need help adapting? You can subscribe to our DPO service at http://aphaia.co.uk/data-protection-officer-outsourcing/
