The EU General Data Protection Regulation (GDPR) – approved last May – is the single most important change in data privacy regulation in 20 years: companies will soon have to worry about the way in which they retain and use their data. With the new Regulation (2016/679) a new season for the rights of European citizens in their relations with businesses and public administrations begins. The GDPR is a valuable attempt to harmonise the privacy rules of the various Member States and aims to develop a digital single market through the creation and promotion of new services, applications, platforms and software.
The Regulation entered into force on 24 May 2016 but will be enforceable only as of 25 May 2018: businesses and public administrations therefore have two years (a reasonable, though not generous, period) to organise themselves and adjust to the new rules. The GDPR will then supersede national laws such as the UK DPA, unifying data protection and easing the flow of personal data across the 28 EU member states.
The text of the Regulation replaces Directive 95/46/EC on personal data protection and privacy, which was conceived in a period in which only a small proportion of the European population (only 1%) used the Internet, and there were no social media, tablets, apps, etc. Furthermore, there was no awareness of the possible scenarios and effects of today's society of electronic surveillance, in which it is the people themselves who publish – more or less unconsciously – their personal information on online platforms and social media.
The new regulation marks an essential starting point for companies, because the cross-cutting nature of privacy – a fundamental right in the business field – will have a significant impact on enterprise management.
Citizens are at the centre of the new system. They are entitled to several rights: the right to data portability, the right to be forgotten (recognised so far only at case law level), the right to be informed in a transparent, fair and dynamic way about the processing performed on their data, and the right to be informed about violations of their personal data (the “obligation of notification of a data breach”). The GDPR therefore recognises a high and uniform level of data protection and is designed to give citizens more control over the use of their data. It also involves a cultural change: to defend the data means to defend the people, their identity and their freedom.
The Regulation attributes significant responsibilities to companies, requiring a change of pace and a proactive approach. The protection of personal data becomes a strategic asset that must be evaluated before products or services are designed – data protection by design and data protection by default – without the bureaucratic tendencies that have in past years relegated data protection to a mere formality (such as signing an information notice or consenting to the processing of health-related data).
Businesses will be obliged to conduct a “privacy impact assessment” prior to processing where a type of processing, in particular one using new technologies, is likely – considering the nature, scope, context and purposes of the processing – to result in a high risk to the rights and freedoms of individuals. The privacy impact assessment requires a detailed and documented analysis of the risks to the rights and freedoms of data subjects.
With the new text of the Regulation on the protection of personal data, the “principle of accountability” enters our legal framework. Data controllers must be able to demonstrate that they have adopted security measures appropriate and effective for the purposes of data protection, and that they review and update them continually. Additionally, they must also demonstrate that they comply with the principles and provisions of the GDPR, including the effectiveness of the measures adopted.
The Regulation provides that adherence to codes of conduct or to a certification mechanism can be used as an element to demonstrate compliance with the obligations of the data controller. To demonstrate compliance with the provisions of the Regulation, the business owner or manager is obliged to keep a register of the data processing activities carried out under their responsibility, together with a description of the security measures. The Regulation specifies that the register must contain a general description of the technical and organisational security measures and that – upon request – the data controller or data processor is required to make the register available to the supervisory authority.
The GDPR provides for a single set of rules applicable throughout the EU and also applicable to non-European companies that offer services or goods in the European market. Such uniformity, ensuring consistent application of data protection rules across the EU, was also designed to encourage fairer competition among businesses and to involve them increasingly in the digital single market.
Particular importance is given, in this respect, to the so-called one-stop-shop mechanism, which will allow a company active in several Member States to deal only with the Guarantor Authority of the State in which it has its main establishment. In case of disputes, the result is a single decision applicable throughout the EU, thereby reducing the cost of resolving such issues and providing greater legal certainty.
With regard to compliance, the Regulation adopts a risk-based approach: the data controller must be able to implement security measures that take into account the results of a risk analysis of the data processing operations carried out within the company. Precisely for this reason, the new rules take into account that different companies carry out different activities with different associated risks, so that in terms of privacy those risks may vary from case to case. High-risk activities involve more stringent requirements.
The Regulation introduces into our legal system a new figure, the “Data Protection Officer”, which businesses and public authorities are obliged to appoint in-house and which should always be involved in all matters concerning the protection of personal data. The Data Protection Officer (DPO) will have to satisfy specific requirements – such as expertise, experience, independence and autonomy of resources, and absence of conflicts of interest – and will oversee the organisation's privacy profile by monitoring the correct application of the EU Regulation, of privacy rules and of internal regulations on the allocation of responsibilities; by informing, raising the awareness of and training personnel; and by providing information, advice and opinions.
The DPO – who may be either an internal or an external entity – will be required to oversee the privacy profile, cooperate with the competition authority and report directly to the highest level of management of the data controller. The DPO will be a reference and contact point for citizens, who can turn to the DPO for all matters relating to the processing of their personal data and the exercise of their rights under the GDPR.
In the case of particular violations, interested persons may, under certain conditions, lodge a complaint with the Guarantor Authority or seek a judicial remedy; as a result, data controllers could face maximum fines of up to €20 million or 4% of their global annual sales.
Impact of Brexit on GDPR application in the UK
The General Data Protection Regulation, Brexit aside, will be effective from 25th May 2018 – which will be before the UK leaves the EU. As long as the UK remains a member of the EU, the GDPR will have direct effect and will be enforced by the Information Commissioner’s Office (ICO). The GDPR would not have direct effect as a law of the UK following the UK’s exit. Nonetheless, Article 3 purports to give the GDPR extra-territorial effect by requiring any company that offers goods or services to EU citizens or monitors their behaviour to comply with its terms. This will impact a large number of UK companies that trade with European consumers: UK online companies that have EU users, or UK businesses that monitor the behaviour of EU residents. Such companies will lose the ability to designate a lead authority and will thus be subject to the supervision of each supervisory body in the countries where they have customers or users, unless they have a main establishment outside the UK but within the EU. They will also have to appoint a representative in the EU, which, under the GDPR, will bear legal liability for their compliance. In this scenario, the UK may well grandfather the majority of existing EU regulations into domestic law to fill the gap when EU regulations cease to have direct effect, and then slowly amend them over time, resulting in a broader application of the GDPR.
Finally, the GDPR requires businesses to go beyond the formal rules: executives and managers of all kinds have to be actors in a profound cultural change, adapting data protection rules to the incessant changes in technology – cloud computing, digitalisation, social media, cooperation between applications, interconnection of databases, automated online publication of data – in enterprises and public organisations.
By Deborah Civico, Legal writer.
Global Lingo provides both Translation and Transcription services to Law Firms, Intergovernmental Organisations and Corporate Counsel. Specialising in the translation of complex, confidential legal documents into multiple languages, Global Lingo supports Litigation and Arbitration cases and also works with internal investigations units to translate and transcribe sensitive material. Contracts, lease agreements, capital markets transactions and corporate communications are all areas where Global Lingo provides industry specific experienced linguists.