8 November 2017
As of 25 May 2018 the General Data Protection Regulation (GDPR) will be directly applicable in every EU Member State, replacing the current European data protection laws. Please find herewith an overview of the key new elements in the GDPR.
SCOPE OF THE GDPR
The GDPR extends the scope of European data protection laws. Not only EU-based organizations will have to comply with the GDPR; non-EU-based organizations will also have to be GDPR compliant when they offer goods or services to persons in the EU or monitor the behavior of persons in the EU. Furthermore, the GDPR not only includes obligations for data controllers but also extends the obligations of data processors.
LAWFUL PROCESSING - CONSENT
As under current law, the GDPR regime obliges organizations to determine the lawful basis of processing before starting the processing of personal data. One of these lawful bases to justify the processing is obtaining the consent of the data subject. The GDPR makes obtaining consent significantly more difficult. It must be freely given, specific and based on an informed and unambiguous indication of the individual's wishes. The consent must be an affirmative action, which prohibits pre-ticked boxes, technical settings, bundled consent or any other form of inactive opt-in. Also, when you request consent, the request must be made in simple language and separately from other terms and conditions. Withdrawing consent must be as easy as giving consent.
The focus on accountability is new under the GDPR regime. The key to accountability is the ability to demonstrate compliance. This can be demonstrated by implementing measures to meet the principles of data protection by design and default, implementing appropriate technical and organizational measures to prove your compliance and keeping records of all data processing.
The GDPR requires organizations to maintain relevant and detailed documentation of the data processing that takes place within the organization. Think of the use of CCTV monitoring, customer data and personnel administration. The documentation duty replaces the former obligation to notify the national supervisory authority when personal data is processed. Processors as well as controllers have to register their processing activities. The benefit of registering the processing activities is that it will simplify demonstrating compliance with the GDPR.
Data Protection Officer (DPO)
Public authorities will have to appoint a DPO, and other organizations will have to do so as well if they carry out large-scale systematic monitoring of individuals as a core activity or process special categories of data on a large scale as a core activity. A DPO should be an independent person who advises the organization on the processing of personal data. The DPO should also report on compliance with the GDPR.
Data Breach Notification Duty
Data breaches have to be reported to the supervisory authority within 72 hours. The affected data subjects have to be informed without undue delay. This duty has already been implemented in the Netherlands since the beginning of 2016, but the GDPR refines this duty.
Data Protection Impact Assessment (DPIA)
The GDPR obliges organizations to conduct a DPIA where the processing entails a high risk for data subjects. The DPIA must be performed before commencing the processing of personal data. When conducting a DPIA, you must define the exact processing, assess the privacy impact and lay down the security measures necessary to avoid the risks. This allows you to build in privacy by design, tailored to the precise privacy needs of your type of processing.
RIGHTS OF THE DATA SUBJECTS
In general, organizations can expect a set of new and strengthened rules to safeguard a higher level of privacy protection in the EU. Some rights, such as the right to restrict processing, the right of access and the right not to be subject to automated decision making, remain mainly the same under the GDPR. However, the GDPR does expand the right to be informed considerably. Organizations will have to inform data subjects more extensively, clearly and in an accessible manner about the processing of their personal data. The GDPR also expands the right to erasure by eliminating the threshold of unwarranted and substantial damage in order to have a right to be forgotten. The GDPR furthermore establishes new rights, such as the right to data portability. This means that you may have to transfer personal data to the data subjects, or to a new provider at their request.
The GDPR empowers supervisory authorities to impose administrative fines up to a maximum of 20 million euros or 4% of the worldwide turnover of an organization, whichever is higher.