
How will GDPR affect your business?

Lately, the main focus of both the legal and the business environments has been the General Data Protection Regulation, more commonly referred to as the GDPR, which applies from May 25th, 2018.

But what is the GDPR? Will it affect your business? What do you have to do? What are the penalties for non-compliance? These are just some of the questions that everyone is asking.

First of all, it is necessary to understand what personal data is. Personal data means any information relating to an identified or identifiable natural person (“data subject”), for example name, contact details, image, performance appraisal information, as well as dynamic IP addresses, metadata etc. There are also special categories of personal data, which include racial or ethnic origin, health records, genetic and biometric data, religious and political beliefs, trade union membership, data concerning the commission of crimes, sexual orientation etc.

What is the GDPR?

The concept of data protection is not a new one; it is currently regulated by Directive 95/46/EC (the “Directive”).

However, given the rapid technological developments and globalisation that have brought new challenges for the protection of personal data, as well as the significant increase in the scale of the collection and sharing of personal data, the European regulator decided to introduce a new act to meet these challenges and provide an enhanced level of security for the personal data of individuals – i.e. the GDPR.

Does the GDPR apply to you?

As compared to the Directive, the GDPR seeks to extend the reach of EU data protection law, being applicable to:

  • Controllers/processors with an establishment in the EU, regardless of whether the processing takes place in the EU or not
  • Controllers/processors outside the EU, if personal data of data subjects in the EU are processed in connection with:
    1. the offering of goods or services to data subjects in the EU, irrespective of whether a payment by the data subject is required; or
    2. the monitoring of the behaviour of data subjects in the EU

In order to better comprehend the extent of the obligations introduced by the GDPR, we have to start by clarifying two main concepts used throughout the GDPR:

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data or, in other words, any business that decides why and how personal data is processed in its day-to-day activity.

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

What is new?

Several new principles, obligations and sanctions are regulated by the GDPR, the most important being:

  • Transparency and Consent – the information to be provided to individuals and the permissions required from them to justify the use of their personal data. The GDPR’s requirements, including that consent be unambiguous and not be assumed from inaction, will mean that many data protection notices will need to be amended.
  • Children and consent – for online services which rely on consent to processing, parental consent is required for use of a child’s personal data.
  • Pseudonymisation – a privacy enhancing technique where information which allows data to be attributed to a specific person is held separately and subject to technical and organisational measures to ensure non-attribution.
  • Personal Data Breach – a new security breach communication law is introduced for all data controllers regardless of their sector.
  • Data protection by design and by default – organisations are required to adopt significant new technical and organisational measures to demonstrate their GDPR compliance.
  • Enhanced rights – Data Subjects are given substantial rights including the right to be forgotten, data portability rights and the right to object to automated decision making.
  • Obligation to appoint a Data Protection Officer (DPO) in certain cases.
  • Substantial fines – up to EUR 20,000,000 or 4% of total worldwide annual group turnover, whichever is higher.
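The pseudonymisation principle listed above is easiest to understand with a concrete implementation. The following is an added example written for this page, not code from the original article: it replaces the direct identifiers in a set of records with a keyed-hash token and keeps the token-to-identity lookup table as a separate artefact, so that the working dataset on its own cannot be attributed to a specific person while the organisation that holds the key and the lookup table still can. The records, field names and key are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (invented names and e-mail addresses).
RECORDS = [
    {"name": "Ana Pop", "email": "ana@example.com", "appraisal": "exceeds"},
    {"name": "Dan Ionescu", "email": "dan@example.com", "appraisal": "meets"},
    {"name": "Ana Pop", "email": "ana@example.com", "appraisal": "meets"},
]

# Fields that directly identify the data subject and must not stay in the
# working dataset. Assumed for the example; a real schema would list its own.
DIRECT_IDENTIFIERS = ("name", "email")


def new_key() -> bytes:
    """Generate the secret used to derive pseudonyms. The key is part of the
    'information held separately': it must live outside the working dataset,
    under stricter access control than the dataset itself."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, record: dict) -> str:
    """Derive a stable pseudonym from the direct identifiers with HMAC-SHA256.

    A plain hash would let anyone re-derive the token from a guessed name and
    e-mail address; the key prevents that. The same data subject always gets
    the same token, so records can still be grouped per person for analysis.
    """
    material = "\x1f".join(record[f].strip().lower() for f in DIRECT_IDENTIFIERS)
    return hmac.new(key, material.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(key: bytes, records: list) -> tuple:
    """Split the input into two artefacts:
    - dataset: records with identifiers replaced by a 'subject' token
    - lookup:  token -> identifiers, to be stored apart from the dataset
    """
    dataset = []
    lookup = {}
    for rec in records:
        token = pseudonym(key, rec)
        lookup[token] = {f: rec[f] for f in DIRECT_IDENTIFIERS}
        rest = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        dataset.append({"subject": token, **rest})
    return dataset, lookup


def reidentify(lookup: dict, token: str) -> dict:
    """Re-attribution is only possible for whoever holds the lookup table."""
    return lookup.get(token, {})


def contains_direct_identifiers(dataset: list) -> bool:
    """Sanity check to run before the dataset leaves the controlled store."""
    return any(f in rec for rec in dataset for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = new_key()
    dataset, lookup = pseudonymise(key, RECORDS)
    for rec in dataset:
        print(rec)
    print("identifiers left in dataset:", contains_direct_identifiers(dataset))
    print("re-identified first record:", reidentify(lookup, dataset[0]["subject"]))
```

Two properties matter for the GDPR notion of pseudonymisation: the dataset alone gives no route back to the person, and the separation is enforced by where the key and the lookup table are kept and who may read them, not by the hashing alone. Rotating the key produces an entirely new set of tokens, which is useful when a dataset is shared with a new recipient.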

What is necessary to do?

Controllers/processors will have to take measures for compliance with the GDPR, for example:

  • Internal audit and risk analysis;
  • Ensuring security of personal data;
  • Checking of consents / determining other legal grounds for processing;
  • Checking and updating internal regulations;
  • Checking / updating / drafting of contracts (agreements on processing);
  • Data protection impact assessment;
  • Appointment of DPO (if necessary);
  • Detailed compliance documentation;
  • Staff training.

In conclusion, the GDPR imposes new and stricter obligations for controllers/processors established inside and outside the EU, as well as harsher sanctions than the previous legislation.

The key to ensuring that your business will not be adversely affected by such changes is to apply adequate measures – some of them presented above – so as to bring your activity into compliance with the data protection legislation.