With the ever increasing hype and discussion regarding the upcoming implementation of the GDPR, micro-businesses as well as affected professionals have definitely wondered how this regulation will, in some way or another, affect their business. But what is the GDPR? The General Data Protection Regulation, or GDPR for short, is an eleven-chapter regulation coming into effect on the 25th of May 2018. The regulation, which was approved by the EU Parliament following four years of preparation and debate, replaces its predecessor, the Data Protection Directive 95/46/EC.

Aim of the regulation

The aim of the regulation is to protect EU-domiciled persons from privacy and data breaches in today’s digital world. The 1995 directive, which had not been updated in over two decades, underwent a thorough restructuring, with new key points being added and parts of the old articles revamped to accommodate and regulate the fast-changing, data-driven world in which we live nowadays. The new regulation is structured around nine key points. These include penalties, consent, four data subject rights, privacy by design, and perhaps the two most disruptive points of all: the appointment of a data protection officer and territorial scope.

The Regulation

The regulation was redesigned to increase the territorial coverage of data protection, making this one of the biggest changes in the regulation itself. The extra-territorial applicability affects controllers and processors that, in any form or another, process private and confidential data of EU-based customers, irrespective of where they are established and whether or not a payment is required for the rendering of the service or good.
This means that if a US company is rendering a service to an EU-based customer, and certain private data is required for the rendering of the product or service, the US company is required to operate within the GDPR regulatory framework and is therefore subject to its penalties if a clause is breached, even though the processing itself did not take place in the EU. Furthermore, non-EU businesses processing the data of EU citizens are required to appoint a representative in the EU. In this way, the GDPR makes its applicability clauses clear and unambiguous, unlike its preceding directive. In addition to this, customer-consent conditions have been strengthened. With the implementation of the GDPR, companies will no longer be able to use long, illegible terms and conditions full of legalese. Consequently, a request for consent must be given in an intelligible (readable) and easily accessible form, with a clear purpose as to why consent is needed and as to why and how data will be processed, all in clear and plain language that is easily understandable by every customer. Furthermore, the withdrawal of consent by a customer is to be as easy as giving it.
Another important aspect of the GDPR is the handling and storage of data. Data systems owned by controllers have to have adequate technical and organizational measures in place in order to satisfy the requirements of the regulation. This is referred to as the Privacy by Design concept. The design (system) has to have effective ways to allow the controller to implement the appropriate technical and organizational measures in line with GDPR, whilst being secure and held to the latest digital security specifications. One must also note that GDPR also covers ‘Cloud’ data storage as a system of personal data storage, and therefore cloud systems will not be exempt from GDPR enforcement. Furthermore, Article 23 of the regulation requires controllers to hold only the data absolutely necessary to complete their duties. This is called data minimization. For example, in situations where only a name and address are needed to complete the service or product, a contact number may be seen as additional information which will expose you as a processor to further unnecessary risk. Processors are also urged to limit access to personal data to those who need it to carry out the processing, and thereby increase data security.
Taking the above together, breaches of the GDPR by controllers are heavily penalized by the authorities. The serious infringements, including insufficient customer consent and violation of the core concepts of Privacy by Design, can be fined up to 4% of total annual turnover or €20,000,000, whichever is greater. The extent of the fines is tiered in the regulation, with the penalties classified according to the level of the breach, from loss of data privacy to not having organized records as such.
Apart from the various rights granted to data subjects, such as notification of a breach by the controller, the right to access the data, data erasure (the right to have your data wiped from the controller) as well as data portability, the GDPR also gave rise to the appointment of Data Protection Officers. Under current legislation, controllers are required to notify the local authorities of their data processing activities. With the new regulation, notifications to the local DPA (Data Protection Authority) and approval for transfers will no longer be required. Instead, the legislation sets out requirements for internal record keeping together with the appointment of a DPO, a data protection officer. This will be mandatory for controllers whose core and principal activities consist of processing operations that require systematic monitoring of data subjects on a large scale.
The internal records must include the following:
Name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
The purpose of the processing;
A description of the categories of data subjects and the categories of personal data;
The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
Where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization;
Time limits for erasure of the different categories of data;
A general description of the technical and organizational security measures.
On the other hand, the DPO must be appointed on the basis of professional qualities, in particular expert knowledge of data protection law and practice, and must not carry out additional tasks that could jeopardize objectivity or result in a conflict of interest. Furthermore, the controller may wish to appoint an external DPO. This is similar to accounting services, where rather than appointing an internal executive, you may wish to use a service organisation for the upkeep of accounting records. The job of the DPO would be to monitor the processing of data, report directly to management with respect to improvements, regulatory requirements and data storage, and inform the authorities immediately in the case of a breach of security or loss of data. But how would your organization know whether it should appoint a DPO or not? The flowchart below will guide you as to whether or not it is required to do so.
[Flowchart: Appointment of a Data Protection Officer]
The regulation may be looked at as a monstrous problem stampeding through businesses that will result in a loss of time and money. However, if professional expertise is sought during the implementation process, even just for consultation, the effect of the transitional period will be very minimal. In the end, through the GDPR, both controllers and customers are set to benefit.
The above summary is intended for the sole purpose of understanding, and reliance on it is at the user's discretion. Reference should always be made to the actual legislation.