The draft contains many of the key elements which we have already flagged in the past. Overall, the legislation is straightforward, accessible and reflects concerns regarding the increasing threat of intrusion into the private lives of EU citizens.
The GDPR sets out to give EU citizens more control over their personal data and to provide greater protection to their right to privacy. It aims to achieve this by:
− Placing EU-wide requirements on organisations which control and/or process personal data.
− Granting national authorities the power to impose clearly defined sanctions, including significant fines, on organisations which fail to meet the requirements set out in the Regulation.
The following are what we at Sytorus believe are the key improvements for Data Protection compliance contained within the GDPR (in no order of priority):
1. Data Processor Liability
While the Data Controller is still primarily responsible for compliance, the Data Processor can be held equally liable in some circumstances;
2. Privacy by Design
Data Controllers are required to consider the privacy implications of any substantial change to data processing, and to build privacy into their solutions;
3. Privacy Impact Assessments
The Regulation introduces an obligation to conduct risk-based assessment of projects to ensure that any processing of personal data anticipates and mitigates risks;
4. Increased Fines
Data Controllers and Data Processors prosecuted for being in breach of the legislation face fines of up to 4% of annual turnover – details on these penalties still need to be fully defined;
5. Data Protection Officers
Organisations which meet defined criteria will be obliged to appoint a DPO as the ‘go-to’ person within the organisation with responsibility for DP compliance;
6. Data Portability
Data Subjects should be able to move their data freely and efficiently from one organisation to another, e.g. when changing service providers;
7. Age of Consent
Data Controllers processing the personal data of children (those under the age of 16) will have to prove parental consent before processing. Individual EU Member States may, however, lower the age requiring parental consent, but to no lower than 13 years old;
8. Nominated Representative
Organisations based outside the EU must have a representative based in any jurisdiction in which they operate or in which they process the personal data of EU citizens;
9. "One-Stop Shop"
Since there will be one Regulation in effect across the 28 member states of the EU, Data Controllers will be able to identify a single jurisdiction whose supervisory authority (DP Commissioner) will have authority to determine their compliance;
10. The Right to be Forgotten
Unless Data Controllers have a lawful justification for keeping their data, the Data Subject is entitled to demand that their data be removed and no longer processed;
11. Data Breach Notification
Data Controllers must maintain a log of data breach incidents, and must notify the statutory authority within 72 hours of becoming aware of the breach. When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also notify the affected data subjects of the breach "without undue delay";
12. Privacy as a Vendor Selection Criterion
The Data Controller should use only Data Processors who can provide sufficient guarantees in terms of their expert knowledge, reliability and sufficient resources to guarantee the security of processing;
13. Clear and Affirmed Consent
The Data Subject must give clear consent to the processing of private data, thus giving individuals more control over the processing of their own personal data. Silence, pre-ticked boxes or inactivity will not constitute consent. Finally, the Data Subject will have the right to withdraw his/her consent at any time;
14. Secondary Purposes for processing
Organisations will not be allowed to collect data for one stated purpose and then use it for another;
15. Plain Language
Information about intended processing should be given in clear language before the data is collected. Substantial, overly-technical and inaccessible "small print" privacy policies which confuse data subjects will not be permitted;
The published rationale mentions that, now that the Regulation has been set out, the Statutory Authorities in each EU Member State will soon be assessing DP issues and breaches by looking for evidence of a ‘forward-thinking attitude’. This means that organisations would do well to start putting structures in place as soon as possible which align with the new rules.
The estimated timeline remains in place – the final text of the legislation will be published by the Parliament by March 2016, and will come into effect across the 28 EU Member States two years later, in early 2018.
Sytorus continues to work with our clients to help them to prepare for the new Regulations. For many, this will include organisational, system and procedural changes, as well as staff training.
For some, who were already struggling with compliance under the ‘old’ legislation, this will be a slightly sharper hill to climb, but we have two years!!
We look forward to working with you and your colleagues in the New Year as we continue this journey. In the meantime, have a peaceful, restful and cyber-secure Christmas!