Guide to the General Data Protection Regulation (GDPR)
The European Parliament and Council adopted the General Data Protection Regulation 2016/679 on 27 April 2016, which should provide the same level of protection, obligations and responsibilities in all member states.
A. Why a new law?
The new General Data Protection Regulation 2016/679 ("GDPR" or the "Regulation") was signed on 27 April 2016, more than 20 years after the signature on 24 October 1995 of Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (known as the Data Protection Directive).
The Data Protection Directive 95/46/EC aimed to reconcile the protection of the fundamental rights of individuals with the free flow of data from one member state to another, consistent with Articles 8 and 10 of the European Convention on Human Rights of 1950.
The Member States, however, did not all consistently implement and apply the Data Protection Directive, resulting in significant variations among the national privacy laws of the member states today. These differences made it complex for multinational organisations to achieve compliance in multiple member states, increasing bureaucracy and costs for businesses and uncertainty for individuals.
Together with the rapid and new developments in technology (cloud computing, social media, smartphones) since 1995, a comprehensive review of the data protection legislation was highly necessary.
The Commission started the reviewing process in 2011 resulting in the adoption of the new General Data Protection Regulation on 27 April 2016.
This time the European legislator chose a Regulation, which should provide individuals with the same level of protection in all member states, and controllers and processors with the same obligations and responsibilities.
The new Regulation is also known as the most heavily lobbied text in the history of the European Union. It will enter into force in Belgium and the other member states of the EU on 25 May 2018.
B. What do you need to know?
1. It is a regulation, not a directive, and fully and directly applicable
A directive is a law that sets out a result, that needs to be achieved by the member states through national laws as they deem appropriate (multiple sources of law).
This results in differences in interpretation and implementation between member states. Member states issue different guidelines, and their courts produce case law that gives substance to the national legislation, which can differ significantly from the implemented national law of other member states.
There are no such problems with a regulation: a regulation is a law (one source of law) addressed to all member states in full and directly applicable. There is no need for implementation.
However, the GDPR still has a large number of provisions that leave room for national interpretation and national approaches, depending on the culture, focus and priorities of the supervisory authorities.
2. Data concerning an identified or identifiable natural person
This Regulation captures all information concerning an identified or identifiable natural person, including indirect personal data. Online identifiers are included, as they can be personal data.
For example, an IP address (especially with the new IPv6), a unique (personal) device ID and a credit card number could all be considered information on an identifiable person.
Pseudonymised data could be personal data, depending on how difficult it is to attribute the pseudonym to a particular individual (for example by means of additional information).
Anonymous data, that is data that does not relate to an identified or identifiable person, or data that is rendered anonymous in such a way that the individual is not or no longer identifiable, could fall outside the scope of personal data. The test to determine this should take account of all the means reasonably likely to be used to identify the individual, taking into account all objective factors, such as the costs of and the amount of time required for identification, and the technology available at the time of processing. Only when this test is passed is anonymous data exempted from the Regulation.
Pseudonymisation will be key: once data is pseudonymised, the Regulation applies more relaxed rules around notification in case of a breach.
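The following is an added illustration, not part of the original guide, of the "additional information" point above: a pseudonym is only as hard to attribute as the information needed to recompute it. It contrasts an unkeyed hash (re-identifiable from a list of candidate identifiers alone) with a keyed HMAC whose key is held apart from the data set. All e-mail addresses and keys are constructed sample values.

```python
"""Added example: how 'additional information' turns a pseudonym back into
a person. Not part of the original guide; all identifiers and keys are
constructed sample values."""
import hashlib
import hmac
import secrets

# Constructed sample records; the e-mail address is the direct identifier.
RECORDS = [
    {"email": "alice@example.org", "purchases": 3},
    {"email": "bob@example.org", "purchases": 1},
]


def naive_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier: anyone with a list of candidate
    identifiers can recompute it, so the list alone re-identifies people."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key stored separately from the
    pseudonymised data set; re-identification needs both key and list."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key=None):
    """Replace the direct identifier with a pseudonym, keyed if a key is given."""
    out = []
    for r in records:
        pid = keyed_pseudonym(r["email"], key) if key else naive_pseudonym(r["email"])
        out.append({"pid": pid, "purchases": r["purchases"]})
    return out


def reidentify(pseudonym: str, candidates, key=None):
    """Attempt to attribute a pseudonym to an identifier using the
    'additional information' available: a candidate list and, for keyed
    pseudonyms, the key. Returns the identifier or None."""
    for cand in candidates:
        trial = keyed_pseudonym(cand, key) if key else naive_pseudonym(cand)
        if hmac.compare_digest(trial, pseudonym):
            return cand
    return None


if __name__ == "__main__":
    candidates = [r["email"] for r in RECORDS] + ["carol@example.org"]
    naive = pseudonymise(RECORDS)
    print("unkeyed, list only:", reidentify(naive[0]["pid"], candidates))
    key = secrets.token_bytes(32)  # in practice kept apart from the data set
    keyed = pseudonymise(RECORDS, key)
    print("keyed, list only:  ", reidentify(keyed[0]["pid"], candidates))
    print("keyed, list + key: ", reidentify(keyed[0]["pid"], candidates, key))
```

The keyed data set is still personal data for whoever can obtain the key, which is why the guide treats pseudonymised data as personal data unless attribution is practically infeasible.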
3. Extra-territorial application is possible
The Regulation primarily applies to businesses established in the European Union.
However, if a company outside the EU targets EU customers it could be subject to the Regulation (country of destination rule), for example by offering goods and services to EU customers (even for free), monitoring EU customer behaviour, offering a language change and accepting orders, implementing cookies, e-commerce or information society services.
The idea is that if you want to benefit from the EU market, you have to play by the EU rules.
In all cases, the Regulation will only apply to personal data of individuals in the EU; their nationality or habitual residence is irrelevant.
4. New responsibilities for controllers and processors
The Regulation expands significantly the responsibility for controllers for the processing activity, and sets out specific rules for allocation of responsibilities between the controller and the processor.
Data protection rules traditionally did not levy heavy duties on processors (service providers), who had a duty of confidentiality and security. Processors acted within the instructions of their customers (the controller, principally responsible for the processing) and needed to provide adequate technical and administrative measures to protect personal data.
Due to today's complexity of data processing, it is no longer correct to say that providers are outside the data processing. Cloud providers, for example, play a critical role in data protection.
The processor under the Regulation will face liability for non-compliance with the Regulation or for acting outside the instructions and authorities granted by the customer/controller.
It is expected that these new responsibilities will have an impact on the contractual negotiations (terms, price and responsibilities) between controllers and processors, and especially between processors and sub-processors. For example, big players in the cloud industry or a very small (sub-)processor may be reluctant to accept additional terms or responsibilities.
The majority of the responsibilities and obligations are still on controllers.
Accountability has always been part of data protection law. However, this accountability principle has gained much more importance under the Regulation. The accountability principle of the Regulation requires that you demonstrate that you comply with the principles and state explicitly that it is your responsibility.
In order to demonstrate accountability, organisations must:
- Implement appropriate technical and organisational measures that ensure and demonstrate compliance (for example, staff training, internal audits of processing activities, reviews of HR policies, internal data protection policies) (1);
- Document and keep detailed records of processing activities (2);
- Appoint a DPO (data protection officer) if necessary (3);
- Implement measures that meet the requirement of data protection by default:
  - Creating and improving security features on an on-going basis (privacy by design) (4)
  - Transparency (5)
  - Data minimisation (6)
  - Allowing individuals to monitor processing;
  - Using Data Privacy Impact Assessments where appropriate (7)
  - Codes of conduct/certificates (8)
(1) Companies are expected to be designing for compliance.
Companies must understand that they are accountable for what they do with data. They will need to show that they take appropriate measures. Security must be ensured by taking reasonable technical and organisational measures that are state of the art and of reasonable cost.
(2) Maintaining records of processing activities: under the Directive, companies were expected to notify the data protection authorities that they processed data.
This notification obligation has been abolished and is replaced with an obligation for processors and controllers to keep detailed processing records containing much the same information (types of data, information on the processing, processing location, individuals, categories, purpose of the processing, security measures).
(3) Data protection officer: public authorities, organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, and organisations that conduct large-scale processing of special categories of data have to appoint a data protection officer.
An early draft of the GDPR required a mandatory data protection officer only for companies with more than 250 employees. This provision has not been maintained in the final version of the GDPR.
Companies that process the data of a very large workforce, but for which such processing is not a core activity, are not caught by this obligation.
It is advisable to have the DPO report to, and sit within the ranks of, the highest level of authority (Chief Compliance Officer or General Counsel).
The DPO should put the interest of the customer/individual first, which will not always correspond with the economic interest of the organisation.
(4) Privacy by design: thinking of privacy before and during the implementation of a new product.
Privacy needs to be built directly into technology and systems at the design phase, as an essential component, thereby ensuring the existence of privacy from the outset. Privacy by design anticipates and prevents privacy breaches before they happen, rather than waiting for the breach to happen.
Privacy by design means that privacy is set as the default and built into the system: no action should be required by individuals to maintain their privacy.
Privacy by design also expects organisations to think about the whole lifecycle of data; data should be protected from start to finish.
(5) Transparency: keeping it open is also part of the principle.
This means that stakeholders should be assured that, whatever the business practice or technology involved, organisations operate openly and visibly and according to their stated privacy policies and procedures, subject to independent verification.
(6) Data minimisation: organisations need to keep the interest of the individual uppermost by offering measures such as strong privacy defaults and appropriate notices, all of which are user-friendly.
Organisations should prioritise data minimisation and purpose limitation, and should not distribute the data to other persons without checks and balances. This principle can be contrary to the concept of big data.
(7) Companies might need to roll out a system of privacy impact assessments. Where processing involves a high risk, in particular when a new technology is used or a new product is designed, a privacy impact assessment has to be done before launching the new product.
(8) Adhering to approved codes of conduct and/or certification schemes: It is expected that guidelines, certifications and codes of good practices will be issued to help organisations comply.
Consent remains a lawful basis to transfer personal data under the GDPR. However, the definition of consent has been restricted.
We are now talking of "freely given, specific, informed and unambiguous consent".
Under the Directive, controllers could rely on implicit and opt-out consent in certain circumstances; the Regulation now requires the individual to signal agreement to the processing with a statement or a clear affirmative action. If there is any doubt as to whether consent has been given, the circumstances are construed against the controller. It may be necessary, although burdensome, to keep administrative records of the consents given by particular individuals. It goes without saying that consent must be given prior to any act of processing. There are more and more requests for withdrawal of consent, which may give rise to practical problems for the activities of organisations, which not only have to stop further processing but also have to guarantee to the individual that the data will no longer be processed.
Consent is not the only justification for processing an individual's personal data. Consent will only remain useful in cases where the processing is optional, i.e. where you can easily refrain from processing the personal data when the individual refuses or withdraws consent.
'Freely' means that the individual must have a genuine choice. 'Freely' also means that the individual must have the option of withdrawing consent without suffering any prejudice, in other words, without being subject to any condition.
7. Individuals' rights are strengthened
An individual has a right to access, correct, delete and block his data. An individual also has the right to object to direct marketing. The Regulation preserves these rights, and introduces the new "right to be forgotten" and the "right to data portability".
Right to be forgotten:
The individual has the right to request the deletion or removal of his personal data where there is no compelling reason for its continued processing (think of the individual who wants his data delisted from search engine results) or where the individual has objected to the processing and there are no overriding legitimate grounds to justify that processing.
Not only search engines: every individual can write to you and ask to have his personal data removed.
Organisations can refuse to delete the data for specific reasons, such as to exercise the right of freedom of expression and information, to comply with a legal obligation, for the performance of a public interest task or the exercise of official authority, for public health purposes in the public interest, for archiving purposes in the public interest, and for the exercise or defence of legal claims.
Right to data portability:
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services (e.g. from Facebook to a new provider).
Organisations will have to provide the personal data in a structured, commonly used and machine-readable form. Organisations should in principle respond within one month. An organisation may be asked to transmit the data directly to another organisation if this is technically feasible.
Profiling and automated decision-making:
Individuals have the right not to be subject to decisions made automatically that produce legal effects or similarly significantly affect the individual.
Consent will be needed if the automated decision resulting from the profiling has such a legal or similarly significant impact.
Organisations will be obliged to ensure that an individual can obtain human intervention, express his point of view, receive an explanation and challenge the decision. Such consent and rights are not applicable to automated decisions based on profiling that:
(i) are necessary for entering into or performing a contract between the organisation and the individual,
(ii) are authorised by law, or
(iii) are based upon explicit consent.
In order to reduce such risk, or even bring it to zero, automated decisions may not be made concerning children and may not have discriminatory effects (for example, showing different prices to different persons). For special categories of data, the organisation must have the explicit consent of the individual.
8. New pro-active approach to breach notification
Before the Regulation there was no general reporting requirement. Some member states already had notification rules (Germany for example).
This Regulation introduces a duty on all organisations to report certain types of data breach to the relevant supervisory authority, and in some cases to the individuals that are affected. A breach is more than just losing personal data; it also means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
The data protection authority (the Belgian Privacy Commission) has to be notified where it is likely that the breach will result in a risk to the rights and freedoms of individuals (for example, risk of identity theft, discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage). Notification should normally be made within 72 hours. Some organisations may consider not notifying because they fear claims from individuals. They should think of the greater damage that could be caused to the individuals if they are not alerted to the data breach.
Despite safeguards, it is important to plan for a security breach because even with reasonable protections, data breaches occur. It is also important to review the company's insurance coverage to determine whether a breach incident is covered by a policy.
9. Data exports are not going to be easier
Under the GDPR, personal data can only be transferred to countries with an "adequate level of protection" of personal data. The EU has so far not deemed the US to provide an adequate level of protection.
The Safe Harbour arrangement was a scheme whereby companies in the US could voluntarily agree to abide by a set of privacy rules that were enforced by the US Federal Trade Commission. The student Schrems contended that the Safe Harbour arrangement did not offer adequate restrictions on surveillance of personal data by the US government. Hence the European Court of Justice struck down the Safe Harbour arrangement.
After the death of the EU-US Safe Harbour, a new EU-US Privacy Shield was adopted on 12 July 2016. This Privacy Shield is neither a revolution nor a fantastic new solution, and there are no new mechanisms.
Apart from (i) consent, (ii) binding corporate rules and (iii) the EU-US Privacy Shield, the (iv) model clauses contract regime is still favoured.
10. Significant fines
The fines for violating the GDPR will be up to 4% of an undertaking's total worldwide turnover or 20 million EUR, whichever is higher.
20 September 2016
Griet Verfaillie - firstname.lastname@example.org