November 2017 - References to the European General Data Protection Regulation (the "GDPR") seem to be spread around very widely. In this article, we provide a short and handy guide to the key takeaways of the GDPR, which represents the forthcoming EU-wide data protection framework, enforceable from 25 May 2018.
(i) Personal Data – that is, any information relating to an identified or identifiable natural person, for example a birth identification number, a work e-mail address, a picture of a person or medical records. Under the GDPR the concept of "sensitive personal data" is expanded and now includes genetic and biometric data.
(ii) Data Controller - this is a person who determines the purposes for which, and the way in which, personal data is processed. For example, when Company A collects data from its employees in order to keep records about them on file, it acts as a data controller.
(iii) A "Data Processor", another key term in the GDPR, is anyone who processes personal data on behalf of the data controller. Therefore, if Company A sends data about its customers (or representatives of its customers) to a marketing provider for direct marketing purposes, the marketing provider acts as a processor. Likewise, any affiliate of Company A can be classified as a data processor when, for example, it works with the data under the instructions of Company A.
We, at Kinstellar, have singled out the following key takeaways of the new rules:
1. Extraterritorial reach. The GDPR applies to:
(a) businesses established in the European Union;
(b) businesses established outside the European Union, if they offer goods and services to, or monitor, data subjects in the European Union; or
(c) businesses established outside the European Union to which the GDPR applies on the basis of private international law.
2. Data Subject Rights. The GDPR further stipulates or strengthens certain rights of individuals (data subjects), for example those that have been formulated through the courts and supervisory authorities. The GDPR also introduces new rights of individuals (data subjects), for example the right of an individual to have his/her complete history deleted (the "right to be forgotten") and the right to transfer the data (the "right to data portability"). Companies should review their internal policies to duly address the forthcoming rights of data subjects.
3. Consent. The basic concept of an individual's consent to data processing as one of the legal grounds for processing personal data remains the same. However, the GDPR introduces more requirements for a consent to be valid; therefore, it will be harder to obtain valid consent under the GDPR. On the other hand, there are other (and often safer) legal grounds for processing personal data besides consent. In any case, companies should revisit the forms of consent they currently use.
4. Data Security. The GDPR requires data processors to adopt appropriate technical and organisational measures to protect personal data. Certain enhanced measures, such as encryption, pseudonymisation, the ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident, as well as regular testing of effectiveness, are required "where appropriate". An IT audit (in addition to a legal audit) will often be recommended and may reveal a need to purchase better security software.
5. Data Breach Notification. The data controller must notify the supervisory authority of data breaches and, in some cases, the data subjects as well. The adoption of strict internal guidelines and sufficient training will be needed from next year.
6. Data Protection Officer. Depending on the kind of personal data processed, data processors may be required to appoint a data protection officer, i.e. a person with adequate professional qualities and expertise in data protection law. The data protection officer must be involved in all data protection issues and must, to a large extent, be independent, i.e. they must report directly to the highest management and may not be dismissed or penalised for performing their role. Companies should review their obligations in this regard and make a well-advised decision on whether or not to appoint an officer (or officers).
7. Data Processors. For the first time, certain obligations under the GDPR also apply directly to data processors. The new obligations imposed on data processors will need to be included in data processing agreements between the data controller and the data processor. Companies cooperating with other businesses (e.g. distribution channels, insurance companies, etc.) should revisit their potential exposure to breaches by their partners and consider mitigating these risks (e.g. by renegotiating limitation-of-damages clauses in contracts, purchasing additional insurance coverage, etc.).
8. Sanctions. The GDPR introduces significantly higher sanctions, which can be as much as 4% of annual worldwide turnover or EUR 20 million (for the most serious violations of the GDPR). Commencing legal and IT audits early could prevent, or at least mitigate, these severe sanctions.