As we catch our breath from the rapid global technological advances and continue to navigate our way through the cloud computing era (and associated challenges), it becomes apparent that the laws regulating data protection have not moved at the same pace. The General Data Protection Regulation (or GDPR), which is applicable from May 2018, eliminates this gap. With the clock ticking, organisations will need to assess their current policies and practices and proceed to implement procedures that are in line with the GDPR. By Margarita Hadjitofi, Founder of M.Hadjitofi LLC
On the 27th April 2016 the European Parliament together with the European Council and Commission introduced the GDPR (EU Regulation 2016/679) to strengthen and unify data protection of all individuals within the European Union. With four years in the making and following lengthy negotiation, the GDPR replaces EU Directive 95/46/EC on data protection, introducing key changes directly applicable to all European Union Member States from 25th May 2018.
A key change making the GDPR one of the most discussed current topics are the hefty penalties associated with non-compliance; administrative fines of up to Euro 20.000.000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Turning a blind eye to data protection is no longer an option.
Importantly, GDPR broadens the territorial scope applying, not only to organisations within the European Union that process personal data of individuals within the European Union, but also to organisations outside the European Union where the processing activities are related to the offering of goods or services or monitoring behavior provided that behavior takes place in the European Union.
A useful tool to assist organisations with implementation and compliance of the GDPR is the introduction of the new data protection officer. Only organisations (whether as controllers or as processors of personal data), engaging in regular and systematic monitoring of data subjects on a large scale or processing special categories of personal data (sensitive data) are required to appoint such an officer.
As in the case of a compliance officer, a data protection officer reports directly to the highest management level of the controller or the processor and cannot receive any instructions regarding the exercise of his/her duties. The exercise of such duties must not result in a conflict of interest. Therefore, although a logical thought may be to fill the new position by giving the organisation’s compliance officer a dual role, this is not the recommended approach. The position of the Cyprus Commissioner of Data Protection on this is that if the dual role does not lead to a conflict of interest, then the compliance officer may also take on the role of data protection officer.
Organisations must not keep the personal data for periods of time longer than necessary. By way of an example, Administrative services providers (ASPs), Investment Firms and Banks in complying with anti-money laundering laws, regulations and their internal policies are required to maintain information for a period of five years from the end of the business relationship/transaction. In order to also be GDPR compliant, after such periods of time, these organisations should proceed to destroy the personal data.
In addressing the challenges of modern-day leaks and hacking, the GDPR imposes obligations on controllers and processors of personal data for implementation of appropriate technical and organisational measures. These include: (a) pseudonymistion and encryption of personal data; (b) the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing system services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. When assessing the appropriate level of security, consideration must be given to the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted stored or otherwise processed.
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of an individual, the controller is required to, not later than 72 hours after having become aware of it, notify the breach to the supervisory authority (for Cyprus this is the Commissioner of Data Protection). The individual in question has a right to be notified of the personal data breach and the controller must do so without undue delay.
If a processor becomes aware of a personal data breach then it, shall immediately notify the controller so that the controller can proceed to assess the situation and make the required notifications under the GDPR.
Organisations must revisit their forms and documents with regards to the consents obtained from individuals. Under GDPR, consent will require a clear affirmative action, establishing a freely given, specific, informed and unambiguous indication of the individual’s agreement to the processing of personal data. This could be achieved by a written statement or ticking of a box. Silence, pre-ticked boxes and inaction will not suffice for there to be valid consent. Consents must relate to specific processing operations. In the case where, data processing has multiple purposes, consent to those processing activities should cover all purposes. Consequently, general broad consents found in forms with unspecified processing operations, typically opted by organisations to catch all situations, are invalid under GDPR.
Organisations must also undertake the exercise of reviewing consents already obtained from individuals pre-GDPR, in order to assess whether these conform to the GDPR requirements for consent. Where the already obtained consents do not, new consents must be obtained.
With not much time remaining, organisations must reflect on their policies and practices so as to ensure compliance with the GDPR. Some may consider this exercise as burdensome and disruptive but the reality is this is a necessary exercise that will finally put data protection in sync with modern day technology, life and business practice.
Please contact Margarita Hadjitofi (m.h@mhadlaw.com) for further information or assistance in assessing your data processing activities, existing consents for GDPR compliance, and for creating GDPR compliant forms and processes tailored to your organisation. The above article does not constitute advice and is by no means an exhaustive list of the requirements under the GDPR.