REGULATION
The General Data Protection Regulation
The General Data Protection Regulation (EU) 2016/679 aims to set a general framework for the protection of EU citizens’ personal data and to provide a concrete context for the processing of their personal data by public authorities and private companies. The regulation not only strengthens and unifies the data protection regime for EU citizens/residents, but also defines strict principles for the transfer of personal data to third countries (outside the European Economic Area, i.e. outside the 28 EU countries plus Norway, Iceland and Liechtenstein).
Organizations, both public and private, that operate within the EU or that process EU citizens’ data must adapt to this new reality and make sure that their operations/actions are in line with the requirements of the new regulation. The real value of GDPR is that it shifts the power over personal data from the hands of organizations to those of natural persons. Non-compliance can be costly for all types of businesses, ranging from multi-nationals down to micro-enterprises. Severe infringements could result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue based on the preceding financial year, whichever amount is higher. As a consequence, companies must not treat GDPR as just another legal framework that they comply with once and then overlook. On the contrary, they should make it a priority to cultivate and adopt a privacy culture within their business environments and to integrate data protection into all aspects of their day-to-day operations, first as a mentality and then as a legal/necessary compliance measure.
FAQs
- Who is affected by GDPR?
GDPR applies to all companies located within the European Union or to companies which offer goods or services to, or monitor the behaviour of data subjects who are in the European Union, regardless of whether these companies are established in the EU or in a non-EU country.
- What are the sanctions for non-compliance with GDPR?
The fine that may be imposed on a company infringing GDPR may reach 4% of its annual global turnover, or 20 million Euros, whichever is higher. This is the maximum fine that can be imposed for the most serious infringements (e.g. failure to obtain a customer’s consent to legally process data, or transferring personal data to a third country without implementing the appropriate safeguards provided in the regulation). However, fines are graduated. For example, a company may face a fine corresponding to 2% of its annual worldwide turnover in case of, among others, non-compliance with the obligation to keep a record of processing activities, non-adoption of appropriate technical and organizational measures, or failure to appoint a data protection officer when necessary.
- Who is threatened with a fine in the event of a violation?
Administrative fines may be imposed on both the controller and the processor, either of which may be a natural or legal person, public authority, agency or other entity.
- What is the difference between a controller and a processor?
A controller is a natural or legal person, public authority, agency or other body that determines the purposes and means of the processing of personal data, while a processor is a natural or legal person, public authority, agency or other entity that processes personal data on behalf of the controller.
- Should my company appoint a Data Protection Officer (DPO)?
A company or organization is required to appoint a Data Protection Officer (DPO) when:
- Personal data is processed by a public authority;
- The company regularly and systematically monitors data subjects on a large scale; or
- The core activities of the company involve processing of Special Categories of Personal Data.
- What type of professional qualities should the Data Protection Officer (DPO) have?
GDPR does not refer to specific professional qualities for the Data Protection Officer other than expertise in data protection law and practices and the ability to perform the tasks described in the regulation; however, in order to perform his/her tasks effectively, it is advised that the DPO meet the following requirements:
- Legal expertise, including data protection practices, at both national and European level;
- Excellent knowledge of the GDPR;
- In-depth knowledge of the area of activity of the data controller/processor is useful;
- Sound knowledge of the processing operations, the information systems and the enterprise-specific security needs of the data controller/processor;
- In the case of a public authority or public body in particular, the DPO should also have good knowledge of the organization’s administrative rules and procedures.
- A data breach occurred at my company. What should I do?
In the event that a personal data breach occurs, the company must immediately do the following:
- Analyze the incident, classify it and conduct an impact assessment;
- Assess whether the breach must be notified to the Supervisory Authority and communicated to the data subjects, based on whether the breach is likely to jeopardize the rights and freedoms of the data subjects;
- Immediately take action to restore the normal functioning of the company/organization;
- Record the event in the ‘Record of Data Breaches’;
- Develop and implement new measures to prevent a similar occurrence.
- What are the basic obligations that an entity must meet to ensure compliance with GDPR?
Companies must meet the following obligations:
- Process their clients’ personal data lawfully, fairly and transparently;
- Collect personal data only for specified, explicit and legitimate purposes;
- Limit data processing to the purposes for which the personal data were initially collected;
- Keep the personal data accurate and up to date;
- Keep the personal data for no longer than is necessary for the purposes for which they were collected;
- Perform the processing in a manner that ensures appropriate data security and protection against unauthorized or illegal processing, loss, destruction or damage.
- How will GDPR apply after Brexit?
By adopting the Data Protection Act 2018, the United Kingdom has harmonized its national legislation with the general regulation, specifying and complementing the gaps left by the Regulation. This is indicative of the UK’s intention to remain in line with the strict framework of European legislation. Following Brexit, the United Kingdom will automatically be classified as a ‘third country’ under the regulation, and a decision by the European Commission would have to be adopted to include it in the list of countries ensuring an adequate level of protection.
The UK Government has clearly stated that it will seek an adequacy decision to ensure a smooth flow of data between the UK and EEA countries without the need for additional measures. However, such an agreement will only be implemented after Brexit becomes effective.