In January 2012, the European Commission proposed a comprehensive reform of data protection rules in the EU.
After years of negotiations, on 4 May 2016 the official text of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) was published in the EU Official Journal L 119/1. While GDPR entered into force on 24 May 2016, it applies from 25 May 2018.
The objective of GDPR, as affirmed by the Commission, is to give back to citizens the control over their personal data, and to simplify the regulatory environment for businesses. The data protection reform is a key enabler of the Digital Single Market which the Commission has prioritised, and which now continues with the proposed reform of the ePrivacy rules.
Non-compliance with GDPR can trigger fines of up to 20 million EUR or 4% of the global turnover, whichever is greater. That’s perhaps not the greatest point to start with and we don’t employ scare tactics, but we know that the cost of non-compliance is usually what business owners want to know first.
The GDPR will apply to non-EU entities that process personal data of individuals in the European Union. The current condition of being “established” in the EU will disappear. The application is also not limited to processing of personal data of EU citizens, rather it concerns persons of any nationality as long as they are in the EU.
GDPR provides for the right to be forgotten (already established under CJEU case-law) but also the right to data portability. Data subjects have the right to receive their data in a structured, commonly used and machine-readable format – one of the most challenging changes for digital businesses.
The legitimate grounds for processing do not change; however, relying on consent becomes more difficult, since consent will require an affirmative response from the data subject. Consent will have to be more granular (per type of processing) and used only when the data subject has a real choice in the matter.
The appointment of a data protection officer (DPO) will be mandatory for public authorities, companies engaging in regular and systematic monitoring of data subjects on a large scale, as well as for companies processing special categories of data on a large scale in Romania.
Controllers must report a data breach to the supervisory authority no later than 72 hours after becoming aware of the breach. The data breach must also be notified to the data subjects, where it is likely to result in a high risk to their rights and freedoms. The controller has the uneasy task of deciding whether the risk is high or not, and more often than not this will require specialised advice.
Data protection impact assessments (DPIAs) will be required for projects likely to result in high privacy risks, and in particular when using new technologies. In plain language, if you want to contract a cloud service, develop an app, implement smart technologies and many more, you will have to first perform a privacy impact assessment, and log the results for possible inspection.
The controller and processor are jointly liable to implement appropriate (but still state of the art) technical and organisational measures to ensure an appropriate level of security corresponding to the risks identified (see the previous point on DPIAs). You will have to ensure regular testing, assessment and evaluation of the effectiveness of your (including the processor's) security measures.