Date Published 12/09/2018
In December 2015, 20 years after the 1995 Data Protection Directive had been adopted, the EU institutions reached political agreement on the reform of data protection law. The resulting General Data Protection Regulation (the “GDPR”) was formally adopted in April 2016 and, after a two-year transition period, became applicable throughout the EU on 25 May 2018.
From Directive to Regulation
The GDPR regulates data protection throughout the EU, replacing its predecessor, the Data Protection Directive. As a Regulation, the GDPR is directly applicable in every Member State and does not need to be transposed into national law before it takes effect. In adopting the GDPR, one of the aims of the EU was to ensure that the same rules apply in a uniform manner throughout the Member States, reducing the national variation in data protection law that had developed under the Directive, which each Member State had implemented in its own way.
Key Concepts and Effects
The GDPR builds upon familiar concepts previously found in the Data Protection Directive. Although several of the provisions of the GDPR are broadly similar to those contained in the prior framework, there are several new and significant obligations.
For example, it imposes a higher standard on the organisations it covers and introduces penalties far more severe than those previously in force. Furthermore, the GDPR has expanded the territorial scope of EU data protection law, so that a greater number of organisations, including many established outside the EU, are now subject to it.
The GDPR must be adhered to by every organisation that processes personal data in the context of an establishment in the EU, regardless of whether the processing itself takes place in the EU. Organisations with no establishment in the EU are also subject to the GDPR where they process the personal data of individuals who are in the EU in connection with offering goods or services to those individuals or with monitoring their behaviour within the EU. The test is whether the data subject is in the EU, not whether he or she is an EU citizen.
The GDPR defines a number of roles and attaches specific responsibilities to each, with the aim of ensuring that those responsibilities are actually discharged. The most significant roles are the Data Controller, the Data Processor and the Data Protection Officer.
A Data Controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. It is the responsibility of the controller to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in accordance with the GDPR.
A Data Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of a Data Controller.
The GDPR requires controllers to use only processors that provide sufficient guarantees that they will implement appropriate technical and organisational measures, so that the processing they undertake meets the requirements of the GDPR and protects the rights of the data subject. The relationship must be governed by a written contract (or other legal act) that sets out the subject matter, duration, nature and purpose of the processing and the processor’s obligations, including that it processes personal data only on the controller’s documented instructions.
The GDPR introduces direct obligations for Data Processors for the first time. Whereas the previous Directive only held controllers liable for data protection non-compliance, processors are now also subject to penalties and civil claims by data subjects.
Data Protection Officer
Further, the GDPR requires some organisations to designate a Data Protection Officer (DPO). A DPO is mandatory for public authorities and bodies (other than courts acting in their judicial capacity), for organisations whose core activities involve the regular and systematic monitoring of individuals on a large scale, and for organisations whose core activities involve the large-scale processing of special categories of data, such as data relating to health, or of data relating to criminal convictions and offences. Other organisations may designate a DPO on a voluntary basis.
The role of the DPO is to inform and advise the organisation and its staff of their obligations under the GDPR, to monitor the organisation’s compliance with the Regulation, and to cooperate with, and act as the contact point for, the supervisory authority. A DPO may be a member of staff with appropriate training or an external professional; in either case the DPO must have expert knowledge of data protection law and practice, must be given the resources needed for the role, and must be able to perform it independently, without receiving instructions on how to do so and without being penalised for doing it.
Another effect of the GDPR is that the range of individual rights relating to data protection has been extended. Greater justification and transparency are now required when an individual’s personal data are processed, which gives data subjects greater scope to object to such processing, and two new rights have been introduced: the “right to be forgotten” and the right to “data portability”.
The right to be forgotten, or right to erasure, means that a data subject can require that his or her personal data be erased without undue delay where, among other grounds, the data are no longer necessary for the purposes for which they were collected or otherwise processed, the data subject withdraws the consent on which the processing is based and no other legal ground for the processing exists, or the data have been unlawfully processed. The right is not absolute: it does not apply where the processing remains necessary, for example, to comply with a legal obligation or for the establishment, exercise or defence of legal claims.
Data portability gives data subjects the right to receive the personal data they have provided to a controller in a structured, commonly used and machine-readable format and to transmit those data to another controller. Where technically feasible, the data subject may require the data to be transmitted directly from one controller to the other. The right applies only where the processing is based on consent or on a contract and is carried out by automated means, and it does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
Such principles demonstrate that one of the main intentions of the GDPR is to uphold transparency and accountability as fundamental and essential concepts with regard to data protection within the EU.
Coupled with these concepts is the introduction of “data protection by design and by default”, commonly referred to as privacy by design and default. This builds on the data protection principles and security obligations of the previous Directive by turning them into an explicit, enforceable duty of the controller. Privacy by design means that whenever an organisation plans and carries out processing of personal data, it must build in appropriate technical and organisational measures, such as pseudonymisation and data minimisation, from the outset rather than adding them afterwards. Privacy by default means that once a product or service has been released to the public, only the personal data necessary for each specific purpose should be processed unless the individual chooses otherwise; in practice, the most privacy-protective settings apply by default.
One of the most notable changes to data protection within the EU is the introduction of significant fines in cases of non-compliance. These potential fines are extremely high, thereby encouraging a culture of enhanced compliance by all organisations that are subject to the GDPR.
The GDPR sets out a two-tier system of fines. Whether an infringement falls within the lower or higher tier depends on which provisions have been infringed; the amount actually imposed within the tier depends on factors such as the nature, gravity and duration of the infringement, whether it was intentional or negligent, and the steps taken to mitigate the damage.
For the lower tier, a fine of up to €10,000,000 or 2% of the organisation’s total worldwide annual turnover for the preceding financial year, whichever is higher, may be imposed. The lower tier includes infringements of the privacy by design and default requirements, record-keeping obligations, the security of processing requirements, the obligation to notify personal data breaches and the obligation to appoint a DPO where one is required.
Fines of up to €20,000,000 or 4% of the organisation’s total worldwide annual turnover for the preceding financial year, whichever is higher, may be levied for infringements in the upper tier. These include breaches of the basic principles for processing, including the conditions for consent, infringement of data subjects’ rights, the unlawful transfer of personal data to countries outside the EEA and failure to comply with an order of a supervisory authority.
Where the organisation is part of a corporate group, the percentage is calculated on the turnover of the whole undertaking, which may mean the entire group rather than the single entity that committed the infringement. For large multinational companies, this is a particularly significant deterrent against any slackening of the internal policies introduced to deal with the GDPR.
Effects on Businesses
Because the GDPR sets higher standards than the previous Directive, businesses have had to review and enhance their existing practices, and to keep records that demonstrate their compliance rather than simply assert it.
Despite the compliance burden, however, the GDPR has a significant benefit for businesses: due to the greater level of harmonisation of data protection laws across the EU, it is likely to be easier for businesses that sell goods or services across the EU to now take a unified approach in multiple EU states.
The GDPR clearly has a broader scope and higher standard than the directive that went before it. However, Vera Jourova, European Commissioner for Justice, Consumers and Gender Equality has expressed the view that work relating to data protection and regulation should continue. She has stated: “we will work on an assessment on the impact of the GDPR on the ground, including on SMEs, for the one year anniversary in May.”
Should you require any further information or advice in relation to the GDPR, please contact Niall Clerkin at 611 4400.