General Data Protection Regulation (the “GDPR”)
The EU has long been sensitive to the protection of the personal data of individuals and the regulation of the processing of such data. The latest initiative has been the passing of the GDPR which aims at strengthening the framework for the protection of individual personal data. We describe in brief, key important provisions of the GDPR.
The GDPR aims at strengthening the framework for the protection of individual personal data. From 25th May 2018, organisations that process EU residents’ personal data, irrespective of their territorial designation, are required to abide by the provisions of the GDPR or face significant penalties. The GDPR introduces a significant number of changes that will affect virtually all organisations which process personal data.
We briefly describe below, key important provisions of the GDPR.
1. Broader definition of personal data
The definition of ‘personal data’ has been broadened and provides for a wide range of personal identifiers to constitute personal data (e.g. online identifiers such as an IP address). Hence, data which may previously not have been considered as personal data may now be personal data. Organisations will have to ensure that such personal data is also protected as provided by the GDPR.
2. Increased Standard of Consent
The GDPR sets a high standard when and how consent is obtained and recorded. Organisations should establish whether consent is the correct lawful basis of processing personal data under article (6)(1) of the GDPR. The document documenting the data subject’s consent should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. Consent must be “by a statement or by a clear affirmative action” establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. The choice to withdraw his/hers consent should be provided each time and must be as easy to withdraw as to give it. Hence, organisations must review their current practices, documentation and record keeping practices regarding the obtaining of a client’s consent and amend these accordingly where required.
3. Data Protection Officers
Under Article 37 of the GDPR, the appointment of a Data Protection Officer (‘DPO’) will be required where the core activities of the organisation involve regular and systematic monitoring of data subjects on a large scale. Businesses must carry out their own assessment to decide whether the processing of personal data is a core activity for them and whether they carry out regular and systemic monitoring of special data on a large scale. If they do, they are obliged to designate a DPO and comply with the relevant provisions of the GDPR including about the DPO’s tasks and position, ensuring that such tasks and duties do not result in a conflict on interests.
4. Risk based approach and Data Protection Impact Assessments
Organisations, prior performing a Data Protection Impact Assessments (‘DPIA’), must assess whether processing operations are likely to result in a high risk to the rights and freedoms of natural persons, and determine whether a DPIA is needed to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with the GDPR. Organisations shall need to seek prior consultation from the Commissioner where the DPIA reveals high residual risks and cannot be sufficiently addressed by the organisation.
The GDPR requires an organisation to show how it complies with the GDPR. This task covers both organisational and technological measures and the organisation must ensure and be able to demonstrate that processing is performed in accordance with the GDPR and review and update these measures where necessary.
6. Data breach notification requirements
Organisations will be required to report data breaches of personal data or sensitive personal data to their data protection authority unless the data breach is unlikely to represent a risk to the rights and freedoms of the data subjects in question. The notice must be made within 72 hours of data organisations becoming aware of the personal data breach. Where the risk to individuals is high, then, subject to several exceptions, the data subjects should be notified without undue delay. Organisations will have to set procedures in relation to both becoming aware of data breaches and of reporting these to the Cyprus Data Protection Commissioner.
7. Rights of data subjects
The GDPR establishes several new rights for individuals and strengthens some of the rights that currently exist under the Personal Data (Protection of the Individual) Law 138(I)/2001. The GDPR provides the following rights for individuals:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights in relation to automated decision making and profiling.
The GDPR, under articles 13 & 14, sets more detailed and specific information that need to be provided to data subjects prior initiating any processing of their personal data.
8. International data transfers
The GDPR outlines specific requirements governing when and where personal data can be transferred to third countries or international organisations. The GDPR is also applicable to data processors, (i.e. organisations which process personal data on behalf of the person who decides how and why personal data is processed) and organisations should be aware of the risk of transferring personal data to countries that are not part of the EU.
9. Responsibilities of data processors
The GDPR places specific legal obligations on a data processor. A data processor will also have significantly more legal liability than previously, if it is responsible for a breach.
10. Data protection by design and default
The GDPR contains requirements that systems and processes must consider compliance with the principles of data protection. The essence of privacy by design is that privacy in a service or product is taken into account when deciding how to carry out a processing as well as when the actual processing takes place. Organisations are required to design the data protection principles of the GDPR into the very fabric of technical systems and organisational processes. Hence, product development procedures will need to be reviewed and if required, amended.
11. EU representative
Under article 27 of the GDPR, organisations that are not established in the EU but are processing personal data of data subjects who are in the EU and are related to (1) the offering of goods or services, irrespective of whether a payment of the data subject is required or (2) the monitoring of their behaviour as far as their behaviour takes place within the EU, the controller or the processor should designate a representative. Specific exceptions do apply.
The GDPR sets out considerably tougher penalties for organisations in breach, providing for the possibility of imposing financial penalties of up to 4% of annual global turnover of the preceding financial year or €20 million – whichever is greater. In deciding the amount of any fine, it is made clear in Article 83 of the GDPR, that the fine should “be effective, proportionate and dissuasive.”
Our multidisciplinary team can provide comprehensive and holistic solutions tailored to each organisation’s individual needs for a smooth GDPR implementation including:
- Prepare a tailored Gap Analysis with the changes that will affect your organisation’s current setup including tailored and practical action plan for compliance;
- Devise and recommend tailored and practical solutions;
- Update existing policies and procedures;
- Draft new policies and procedures;
- Updating of legal documentation (e.g. client agreements);
- Provide answers to queries (Q&A service);
- Prepare relevant notifications to the Data Protection Commissioner;
- Data protection audits / health checks;
- Training and education on new regulatory requirements.
- Review of the Company’s DPIA including monitoring and relevant communication
- Provision of a named Data Protection Officer, as applicable
- Providing EU representative services to non-EU organisations
For more information, please feel free to contact us.