Pub0045.htm
General Data Protection Regulation - GDPR
Paz Itzhaki-Weinberger, 13-August-2017
On April 27th,
2016 the European Commission adopted a new regulation, No.2016/679, known as the
General Data Protection Regulation (GDPR).
GDPR brings with it significant
changes in the area of personal data protection in the European Union.
However GDPR affects
not only European organizations, but exceeds EU borders and also applies
to almost all organizations operating globally dealing with data originating
for the EU or related to EU citizens or residents.
MEANING OF GDPR
Adoption & Deadline for compliance
·
GDPR replaces Data Protection Directive 95/46/EC as well as the personal
data protection laws of EU Member States!
·
GDPR is directly applicable in all countries of the EU (no transposition
to national laws required)
·
All organizations that store, process and transfer any personal
data related to EU residents (including employers processing employees personal
data, outsourcers or companies “only” sending data or storing it outside the EU)
are subject to GDPR and must amend or adopt entirely new form of work and
procedures in the way they collect and use personal information and be able to prove
such internal policies to the supervising authority
·
GDPR comes into force on 25th May, 2018
·
Companies now have less than one year to become familiar with the new guidelines,
and adapt to and comply with the new regulation before the deadline, this is
not a trivial task for many organizations.
See this link for
more details and the “Countdown Clock”: http://www.eugdpr.org/
PENALTIES
Under GDPR
organizations in breach of GDPR can be fined up to 4% of annual global
turnover
or €20 Million (whichever is greater). This is the maximum fine that can be imposed for the
most serious infringements e.g. not having sufficient customer consent to process
data or violating the core of Privacy by Design concepts. There is a
tiered approach to fines e.g. a company can be fined 2% for not having their
records in order (article 28), not notifying the supervising authority and data
subject about a breach or not conducting impact assessment. It is important to
note that these rules apply to both controllers and processors -- meaning
'clouds' will not be exempt from GDPR enforcement.
CONSENT
Conditions for consent have been strengthened, and companies will
no longer be able to use long illegible terms and conditions full of
legalese, as the request for consent must be given in an intelligible and
easily accessible form, with the purpose for data processing attached to
that consent. Consent must be clear and distinguishable from other
matters and provided in an intelligible and easily accessible form, using
clear and plain language. It must also be as easy to withdraw
consent as it is to give it.
“RIGHT TO BE
FORGOTTEN”
Also known as “Data Erasure”, the right to be forgotten
entitles the data subject to have the data controller erase his/her personal
data, cease further dissemination of the data, and potentially have third
parties halt processing of the data. The conditions for erasure, as
outlined in article 17, include the data no longer being relevant to original
purposes for processing, or a data subjects withdrawing consent. It should also
be noted that this right requires controllers to compare the subjects' rights
to "the public interest in the availability of the data" when
considering such requests.
OTHER IMMEDIATE IMPLICATIONS
There are many other
aspects of GDPR compliance, including (but not limited to): Data Portability,
Privacy by Design, Right to Access, Appointment of Data Protections Officers in
Organizations and supervision over their work, Breach
Notification etc.
EXTRA-TERRITORIAL-
GDPR a Global issue, not just EU
The biggest change to
the regulatory landscape of data privacy comes with the extended
jurisdiction of the GDPR, as it applies to all companies processing the
personal data of data subjects residing in the Union, regardless of the
company’s location (Extra-Territorial Applicability!). Previously,
territorial applicability of the directive was ambiguous and referred to data
process 'in context of an establishment'. This topic has arisen in a number of
high profile court cases. GPDR makes the issue of applicability very clear - it
will apply to the processing of personal data by controllers and processors in
the EU, regardless of whether the processing takes place in the EU
or not. The GDPR will also apply to the processing of
personal data of data subjects in the EU by a controller or processor not
established in the EU, where the activities relate to: offering goods
or services to EU citizens (irrespective of whether payment is required) and
the monitoring of behavior that takes place within the EU. Non-EU
businesses processing the data of EU citizens will also have to appoint a
representative in the EU.
SUMMARY
To summarize: the implications of GDPR seem massive, everyone is invited to seek professional advice,
also as mentioned above “The clock is ticking” and the deadline closer than
ever.
More details are planned to become available via the
following link: http://www.itzhaki-weinberger.com/