General Data Protection Regulation (the “GDPR”)
The EU has long been sensitive to the protection of the personal data of individuals and to the regulation of the processing of such data. The latest initiative has been the passing of the GDPR, which aims at strengthening the framework for the protection of individual personal data.
From 25th May 2018, organisations that process EU residents’ personal data will be required to abide by the provisions of the GDPR or face significant penalties. The GDPR introduces a significant number of changes that will affect virtually all organisations which process personal data.
We briefly describe below the key provisions of the GDPR.
1. Broader definition of personal data
The definition of ‘personal data’ has been broadened and provides for a wide range of personal identifiers to constitute personal data (e.g. online identifiers such as an IP address). Hence, data which may previously not have been considered as personal data may now be personal data. Organisations will have to ensure that such personal data is also protected as provided by the GDPR.
2. Increased Standard of Consent
The standard which the gaining of consent has to satisfy is higher. The document recording the data subject’s consent should be laid out in simple terms. Consent must be given “by a statement or by a clear affirmative action.” Hence, organisations must review their practices and documentation regarding the obtaining of a client’s consent and amend these accordingly where required.
3. Data Protection Officers
Under Article 35 of the GDPR, the appointment of a Data Protection Officer will be required where the core activities of the organisation involve regular and systematic monitoring of data subjects on a large scale. Businesses must carry out their own assessment to decide whether the processing of personal data is a core activity for them and whether they carry out regular and systematic monitoring of special data on a large scale. If they do, they are obliged to designate a Data Protection Officer and comply with the relevant provisions of the GDPR, including those concerning the Data Protection Officer’s tasks and position.
4. Risk-based approach and Data Protection Impact Assessments
A risk-based approach must be adopted before undertaking higher-risk data processing activities. Organisations will be required to conduct privacy impact assessments where privacy breach risks are high, in order to analyse and minimise the risks to their data subjects.
The GDPR requires an organisation subject to it to show how it complies with the GDPR. This task covers both organisational and technological measures: the organisation must ensure, and be able to demonstrate, that processing is performed in accordance with the GDPR, and must review and update these measures where necessary.
6. Data breach notification requirements
Organisations will be required to report breaches of personal data or sensitive personal data to their data protection authority unless the data breach is unlikely to represent a risk to the rights and freedoms of the data subjects in question. The notification must be made within 72 hours of the organisation becoming aware of the personal data breach. Where the risk to individuals is high, then, subject to several exceptions, the data subjects should be notified without undue delay. Businesses will have to set procedures both for becoming aware of data breaches and for reporting these to the Cyprus Data Protection Commissioner.
7. Rights of data subjects
The GDPR establishes several new rights for individuals and strengthens some of the rights that currently exist under the Personal Data (Protection of the Individual) Law 138(I)/2001. The GDPR provides the following rights for individuals:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
8. International data transfers
The GDPR outlines specific requirements governing when and where personal data can be transferred to third countries or international organisations. The GDPR is also applicable to data processors (i.e. organisations which process personal data on behalf of the person who decides how and why personal data is processed), and organisations should be aware of the risk of transferring personal data to countries that are not part of the EU.
9. Responsibilities of data processors
The GDPR places specific legal obligations on a data processor. A data processor will also have significantly more legal liability than previously if it is responsible for a breach.
10. Data protection by design and default
The GDPR requires that systems and processes take compliance with the principles of data protection into account. The essence of privacy by design is that privacy in a service or product is considered when deciding how to carry out a processing operation as well as when the actual processing takes place. Organisations are required to build the data protection principles of the GDPR into the very fabric of technical systems and organisational processes. Hence, product development procedures will need to be reviewed and, if required, amended.
The GDPR sets out considerably tougher penalties for organisations in breach, providing for the possibility of imposing financial penalties of up to 4% of annual global turnover of the preceding financial year or €20 million – whichever is greater. In deciding the amount of any fine, Article 83 of the GDPR makes clear that the fine should “be effective, proportionate and dissuasive.”
Our multidisciplinary team can provide comprehensive and holistic solutions tailored to each organisation’s individual needs for a smooth GDPR implementation, including:
- Preparation of a tailored gap analysis of the changes that will affect your organisation’s current setup;
- Development of a tailored and practical action plan for compliance;
- Devising and recommending tailored and practical solutions;
- Updating of existing policies and procedures;
- Drafting of new policies and procedures;
- Updating of legal documentation (e.g. client agreements);
- Answering queries (Q&A service);
- Preparation of relevant notifications to the Data Protection Commissioner;
- Data protection audits / health checks;
- Training and education on new regulatory requirements.
For more information, please feel free to contact us.