The General Data Protection Regulation (the “GDPR”), after years of preparation, was approved by the European Parliament on 14 April 2016 and entered into force on 25 May 2018. The GDPR replaced Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The GDPR was created to harmonise data privacy law within the European community, to protect and empower European citizens, and to reshape the methodology through which personal data is collected and processed.
The GDPR created a framework for compliance which is applicable in all industries and which facilitates the legal and fair free movement of data across the European Union (the “EU”). The GDPR offers protection to individuals against abuse and misuse of their personal data, while also empowering individuals and giving them the tools required to safeguard their rights. The GDPR has crystallised these rights so that the collection and distribution of personal data is adequately protected.
Glossary of Terms
The GDPR has in place definitions to ensure clarity, so that every EU individual is aware of their rights and obligations. The most important definitions in the GDPR are the following:
‘Data Controller’ – ‘the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data’;
‘Data Subject’ – ‘an identifiable natural person (as opposed to a legal person) who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person’; and
‘Processor’ – ‘a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller’.
What is Data?
Data Protection is the protection of personal data.
The GDPR defines Personal Data as being ‘any information relating to an identified or identifiable natural person’ (the “Data Subject”). Therefore, only natural persons are afforded protection of data under the GDPR and hence such protection does not extend to companies, administrative bodies etc.
Personal data is any information that identifies a Data Subject. Therefore, collecting different pieces of information about an individual which, taken together, can lead to the identification of that individual would constitute personal data. Personal Data includes: name, surname, residential address, e-mail address, identification card number, location data, IP address, etc. Personal Data can be accessed through e-mails, physical files, websites, software storage, directories, agreements, etc.
Nowadays we notice a large increase in the quantity of data exchanged, and it has become far easier to access data. With this increase in data access comes a high risk of breaches and losses of data. In fact, the main aim of the GDPR is to strengthen the much-needed precautionary measures so that data breaches do not occur.
What is a Personal Data Breach?
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. What is important to understand about personal data breaches is that any accident impacting personal information would be tantamount to a breach. Therefore, simply losing a paper which contains the personal information of a Data Subject would constitute a personal data breach.
A data breach is a security incident in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.
A data processing organization (a controller or processor as defined above) should take every possible measure to eliminate the risk of data breaches, but in reality nobody can practically guarantee 100% security of data or of a system. Considering this practical risk of data breach run by organizations, the GDPR provides a comprehensive set of regulations to deal with data breach incidents.
Key Changes brought about by the GDPR
Following the introduction of the GDPR within the EU, several changes have taken place, such as the following:
Increased Territorial Scope
The GDPR applies to all companies processing personal data of Data Subjects residing in the EU, regardless of the company’s location. It applies to the processing of personal data by Data Controllers and Data Processors in the EU, regardless of whether the processing takes place within the EU or not. The GDPR is also applicable to the processing of personal data of Data Subjects in the EU by a Data Controller or a Data Processor not established in the EU where the activities relate to the offering of goods and services to EU citizens or the monitoring of behaviour that takes place within the EU.
Conditions for consent have been strengthened with the introduction of the GDPR. Companies are no longer able to use long and illegible terms and conditions as the request for consent. Consent has to be given expressly in an intelligible and easily accessible form, with the purpose of the protection of Personal Data attached to the consent.
Consent must be clear, distinguishable from other matters and expressly provided by the Data Subject, using clear and plain language, such as ‘I give consent’. Apart from giving Data Subjects the option to expressly give consent, Data Subjects who have given consent must also be able to withdraw it at any time, this being one of the Data Subject rights envisaged by the GDPR.
Data Subject Rights
The GDPR brought about further changes with regards to the Data Subject rights. Data subjects have been vested with rights under the GDPR to ensure that their personal data is protected at all times. The Data Subject has been vested with the following rights under the GDPR:
- right of information – the Data Subject has a right to ask any data controller and/or processor for information about what personal data is being processed and the reason why it is being processed;
- right to access – the Data Subject has a right to obtain from the data controller and/or processor access to the personal data being processed. Moreover, Data Subjects have the right to obtain a record and copies of their own personal data;
- right to rectify – this refers to the right of a Data Subject to ask for modifications to their personal data in case the personal data needs to be updated;
- right to erasure / to be forgotten – this is the right to ask for the deletion of personal data, or to cease further dissemination of the data and potentially have third parties halt the processing of the data;
- right to restrict processing – the right to object to a decision based on automated processing;
- right to be notified – the right to be notified on several matters, such as personal data breaches;
- right to data portability – the right of the Data Subject to ask for a transfer of their personal data;
- right to object – this relates to the right to object to the processing of their personal data; and
- right to appropriate decision making – Data Subjects have a right not to be subject to a decision based solely on automated processing, including profiling.
These rights empower Data Subjects to have control of their own personal data and to have the freedom to use their personal data however they want.
Breach notification is mandatory in all member states of the EU. One of the rights of the Data Subject is to be duly notified when there has been a personal data breach. Breach notification kicks in when a data breach is likely to result in a risk to the rights and freedoms of individuals. In cases of data breaches, the GDPR lays down a notification procedure which has to be followed within seventy-two (72) hours of first becoming aware of the breach.
Apart from the obligation to notify the Data Subject, data processors should also notify the controllers and the Data Protection Officer (the “DPO”) (if any) without undue delay after first becoming aware of the breach. The GDPR ensures that when a personal data breach occurs and personal data is compromised, the Data Subject is afforded the appropriate protection and can retrieve the breached data in due time.
Data Protection by design and by default
The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures which are designed to implement the data protection principles. These measures are to be implemented in an effective manner and should also integrate the necessary precautionary measures when processing data.
The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose of the processing are processed. Such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
The appointment of a Data Protection Officer
The GDPR specifically lays down that a DPO shall be appointed when:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of Data Subjects on a large scale; or
- the core activities of the controller or the processor consist of processing personal data relating to criminal convictions and offences.
The DPO shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks of the role. In the performance of these tasks, the DPO shall have due regard to the risk associated with the processing operations, taking into account the nature, scope, context and purposes of the processing.
Data Protection Impact Assessment
When processing personal data, especially when using new technologies, the data controller and/or processor must take into account the nature, scope, context and purposes of the processing. When the processing is likely to result in a high risk to the rights and freedoms of natural persons, the data controller and/or processor shall carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
A Data Protection Impact Assessment is mandatory in the following cases:
- where there is a systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
- processing on a large scale of sensitive personal data and personal data relating to criminal convictions and offences; or
- systematic monitoring of a publicly accessible area on a large scale.
Violation of the GDPR rules and regulations is no longer a trivial offence. Companies in breach of the GDPR can be fined up to four percent (4%) of their annual global turnover or twenty million euro (EUR 20,000,000), whichever is higher. This is the maximum fine; a tiered approach is adopted according to the breach. The penalties are applicable to both controllers and processors.
The GDPR has been created by the EU in order to avoid personal data breaches as much as possible. The Regulation emerges from the idea that personal data belongs to the person who ‘owns’ that particular data, and any misuse of such data by any third party shall be liable to penalties. Personal Data is very precious, because each and every individual has personal data which could identify him/her as an individual. The GDPR gives individuals the right to use such personal data without risking a personal data breach. Individuals shall be able to enjoy their own personal data and share such data with whomever they want; however, any Data Subject should always be in a position to exercise the right to retrieve any data shared or given.