The New Data Protection Regulation
The new Data Protection Regulation: How does it affect individuals and organisations?
The General Data Protection Regulation (GDPR) was approved by the European Parliament in 2016 replacing the presently applicable Data Protection Directive 95/46/EC, taking effect after a 2-year transition period. The GDPR establishes a uniform set of rules with regards to the processing of personal data and its free movement to be applied by all EU member states. It was designed to harmonize data privacy laws across Europe to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.
In Cyprus, the national framework (‘The Processing of Personal Data (Protection of the Individual) Law of 2001’ 138 (I) 2001) remains applicable until the aforesaid date. The 2001 law entered into force so that to address privacy matters with regards to the collection, storage, processing, dissemination and use of such data. In 2003 it was amended in an effort to implement the Data Protection Directive 95/46/EC. By 25th May 2018, the GDPR will replace this framework and will be both applicable and enforceable in all EU member states, including therefore companies established or operating in such member states.
Definition of ‘personal data’
The GDPR defines ‘personal data’ as ‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;’
The GDPR refers to sensitive personal data as ‘special categories of personal data’. The special categories specifically include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The GDPR - Key Facts:
- The GDPR takes direct legal effect in all member states. Unlike the Directive, there is no need for transposition into local national law.
- The scale of the change expected is significant, requiring instant action to get ready for compliance.
Key changes include:
- a requirement to apply principles of ‘privacy by design’ and ‘privacy by default’ into the process of developing and launching new technologies, products, services, etc. Essentially, data protection safeguards will be built into products and services from the primary stage of development and privacy-friendly default settings will be customarily applied i.e. on social media, mobile apps etc.
- a new obligation to carry out privacy impact assessments
- new rights to of individuals for data portability and a ‘right to be forgotten’
- a new requirement to notify data protection supervisory Authorities if a data breach takes place
- a fine for non-compliance of up to €20 million or 4% of the global annual turnover of the organisation (whichever is higher) and
- special rules around profiling and use of children’s data.
Obligations imposed on organizations by the GDPR
The GDPR considerably increases the scope of regulatory compliance for organisations which process data on behalf of data controllers, the so-called ‘data processors’.
Article 4 of the GDPR defines “data controllers” and “data processors” as below:
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
The GDPR provides that such personal data should be processed in a manner that ensures appropriate security of personal data. Consequently, the Controller or Processor should evaluate the risks inherent in the processing of personal data and implement such measures as to mitigate such risks. The GDPR requires data Processors to implement suitable security measures, report data breaches to the Controller, maintain a register of data processing activities and seek authorisation from the Controller before allowing third parties to sub-process personal data. Such Processors will be directly liable to enforcement sanctions for failure to comply with the GDPR.
The GDPR provides much more detail than the Directive regarding the arrangements for the conduct of data processing by data Processors. Furthermore, a data processing agreement must be in place to regulate the relationship. The terms of the agreement must include obligations related to data protection breaches, the erasure of data after the provision of services ends and the cooperation with the data Controller. The GDPR re-emphasizes the prohibition on the transfer of data to countries outside the EEA, unless adequate levels of protection exist in the destination country.
The basic principles requiring the processing of personal data to be for fair and lawful purposes remain applicable but are expanded in certain key aspects by the GDPR i.e. the principle of transparency is significantly strengthened so Controllers are obligated to provide much more detailed information about how data is processed, what grounds are being used to justify fair processing and what rights individuals have to access, delete and port data and object to processing.
Where processing is based on ‘consent’, the Controller must be able to demonstrate that the data subject has actually and effectively consented to processing of his/her personal data. Consent can only be relied on if it is freely given, specific, informed and supported by an unambiguous indication of agreement from the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Furthermore, the GDPR creates an obligation on companies to notify without undue delay and no later than 72 hours, the national supervisory authority (the Data Protection Commissioner in Cyprus) of any such data breach. Such notification duty is only exempt if the Controller can prove that the personal data breach is unlikely to result in a risk of the rights and freedoms of natural persons.
Benefits brought about to individuals and organisations by the GDPR
In an effort to strengthen individuals’ rights in relation to the protection of personal data and build trust in organisations which collect such data, the GDPR provides individuals with various rights, some of which are the “right to be forgotten” which gives an individual the right to request for his data to be deleted when there are no legitimate grounds for an organisation to retain such data and easier access to data through the individual’s right to have access to information on how data is processed and also a portability right enabling the transfer of data between service providers. Such right may be exercised freely (i.e. without charge to the data subject) and must generally be met within 30 days (such limited timescales for responding to requests is likely to impose a significant burden on Controllers, which will have to take steps to make data in their systems more easily accessible to data subjects).
The GDPR establishes a uniform set of rules to be applied by all EU member states. Further it provides for the creation of the European Data Protection Board (EDPB) which works as a “one-stop-shop” for organisations. This means that organisations will be answerable and have to deal only with a single authority rather than individual national authorities. Further, the GDPR establishes a principle whereby the same rules shall apply to all organisations, regardless of where they are established provided that such organisation offers goods or services to, or monitors, processes or holds data pertaining to data subjects residing in the EU.
Breaches of GDPR and Penalties for Non-Compliance
‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of privacy by design concepts. There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (Article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment.