General Data Protection Regulation (GDPR) has entered into force from May 2018 and has left an effect on organisations worldwide in relation to privacy laws. Even though more than two years have passed since its enactment, some are still uncertain about its real significance and ramifications. This article will, in a nutshell, go through the basic elements of these regulations and explain what obligations this Regulation imposes on organisations.
What is Personal Data?
Primarily, these regulations do not simply affect organisations operating within the European Union but must be complied with by all organisations that process personal data concerning individuals located in the European Economic Area.
The aim of this regulation is to strengthen the individual’s right to privacy and to protect an individual’s personal data. This includes any information that pertains to an identified or identifiable living individual (data subject) which may comprise of a name and surname, a home address, an email address, Identity Card number, cookie information, and the location data on the individual’s mobile phone.
When speaking of data processing this includes the collection, recording, organisation, structuring, storage, retrieval, use, disclosure by transmission, dissemination, erasure, or destruction of personal data.
Additionally, this Regulation is founded on the principle of transparency and personal data must be collected and processed in a transparent way in relation to the data subject. This means that it should be made transparent to data subjects and they must be made aware of what personal data is being collected and used, and to what extent their personal data will be used.
It is also important to note that any information addressed to the public or to the data subject must be concise, easily accessible, and easy to understand, and must be written in clear and plain language.
Data Controllers and Data Processors
The GDPR establishes two types of roles in an organisation: Data Controllers and Data Processors.
A Data Controller is an organisation which is responsible for gathering or using personal data of individuals including personal data of clients and employees. A data controller decides how to collect such data and what data should be collected. Thus, any entity ranging from a large scale organisation to an SMEs, once it starts to collect and process personal data it is considered to be a Data Controller. It is the responsibility of the Data Controller to ensure compliance with the GDPR.
On the other hand, Data Processors are entities usually separate from the Data Controllers that process the data on their behalf.
Moreover, a Data Controller may not collect any data which is made available to them, but in order for data processing to be lawful it must be made for at least one of the below-mentioned reasons:
- Data subjects have given their consent to the processing of their personal data for one or more specific purposes.
- Processing of data is necessary for the performance of a contract to which the data subject is a party to.
- Processing is necessary for compliance with a legal obligation to which the controller is subject.
- Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Implementation of Technical and Organisational Measures
The GDPR imposes the obligation upon Data Controllers to implement internal policies regarding technical and organisational measures to safeguard individuals’ personal data. Such measures include:
- Minimising the processing of personal data – This implies that organisations should only collect the personal data that they need from data subjects to fulfil their purpose and not more.
- The Encryption of personal data and the implementing of sufficient security protection. This must be tailored according to the nature of the organisation
- The ability to restore the availability and access to personal data in a timely manner in the event of an incident
- Enabling the data subject to monitor the data processed.
- Build awareness to employees about data protection and the requirements of the GDPR.
Record-keeping obligations
Data Controllers who have more than 250 employees or entities with an annual turnover exceeding EUR 50 million are obliged to retain a record of all data processing activities which take place by the organisation. This ensures that data collection is made in a more transparent manner. Failure to maintain such records may result in administrative fines of 10 000 000 EUR, or up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Data Breach Notification
Under the GDPR, Data Controllers must report to the Supervisory Authority (In Malta – Information and Data Protection Commissioner) any personal data breach. This must be done without undue delay and if possible within 72 hours of becoming aware of such breach. The nature of the breach including any likely consequences resulting from data breach must also be disclosed. Notification is not required when the personal data breach is not likely to result in a risk to the rights and freedoms of individuals. Therefore, each breach must be evaluated on a case by case basis and evaluate if an individual’s right to privacy is at risk.
The Right to be Forgotten
Personal data must be deleted immediately and without undue delay, when the data is no longer required for its original processing purpose, or if the data subject has withdrawn his consent and there is no other legal ground for processing the data if the data was unlawfully processed. The Data Controller can not request from the data subject to issue an erasure request in a specific form but his identity must be proven.
In conclusion, it is essential for Organisations to adhere to Data Protection laws. Should you want to ensure that your Organisation is GDPR compliant or have questions in this regard, contact SMM Group on [email protected] or +356 21237167.
Article by Chantal Chetcuti