Prepare for The General Data Protection Regulation (GDPR) in EU

The Data Protection Regulations (GDPR) will come into effect on 25 May 2018. In this article, we will analyze the Data Protection Regulations under the new EU regulations, divided into 3 Parts. The new regulation will cover all business entities who are collecting & processing personal data from EU citizens, so that those Chinese companies having business in Europe have to be aware of this.


. Basic conditions and principles of GDPR.

 

Introduction

General Data Protection Regulation is a new European regulation which regulates the matter of management and security of personal data of European citizens, replacing an outdated data protection directive from 1995. Each organization must comply with the new rules from 25 May 2018, when it will take effect. You must be able to demonstrate (1) which data your organization collects, (2) how the data is used and (3) how the data are secured. According to Article 3 of GDPR, the trigger of the applicability of GDPR is not the location of the storage of the data but the fact that personal data related to a EU citizen is collected and/or processed, regardless of the nationality and/or location of your organization.

 

This means if you are doing business in Europe and are collecting and/or processing personal data from EU citizens in the framework of this business, you are subject to the GDPR.

 

In a way, this provision gives effect to the extraterritorial application of GDPR.

 

Basic Principles of Data Protection

(1) Lawful, Fair and Transparent Processing of Personal Data

Any processing of personal data should be lawful and fair.

It should be transparent to natural persons that the personal data are collected, used, consulted or processed and to what extent the personal data are or will be processed.

Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing, and plain language should be used.

 

(2) Accuracy of the Data

The personal data must be accurate and correct and must be updated if required. The data controller must undertake all reasonable measures to correct or delete inaccurate or incomplete data.

 

(3) Integrity and Confidentiality

The data controller and processor are obliged to take adequate technical and organizational measures to secure the personal data they process. This entails a security against unlawful processing and access by third parties as well as against loss or loss of quality of the data. The measures to be taken must be proportionate to the risks the data are exposed to.

 

Recital 32 of GDPR lists several measures to for data controller and processor to implement this principle:

  • The pseudonymisation and encryption of personal data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

The introduction of this basic principle demonstrates that the concept of data protection has become more technical.

 

(4) Specific purpose

This principle is closely linked to the legality of the processing of personal data. Article 6 of GDPR sums up the purposes for which data can be processed in a lawful manner.

 

Examples of acceptable purposes are:

  • The data subject has given consent to the processing of his personal data for one or more specific purposes;
  • The processing of the data is required for the performance of a contract to which the data subject is a party;
  • The processing is required for the performance of a task carried out in the public interest.

In order for processing to be legal, it must be gathered for a specific lawful purpose and may not be used for purposes which are not compatible with the initial purpose with which the data was collected. Now there could be exceptions. According to Article 6.4 of GDPR, it becomes possible to use data for another purpose than that for which the data were originally collected. However, strict conditions must be met.

 

(5) Minimal Data Processing

The processing of personal data must be as minimal as possible and must be limited to the processing required to meet the purpose for which the data was collected.

 

(6) Limited Storage Period

This principle is closely linked to above principle of minimal data processing. The duration of storage of data must be limited to the strict minimum in the framework of the purpose for which the data are gathered. Consequently, each organization must set up a system with which the storage period of personal data can be determined and by means of which data become inaccessible after a well determined storage period. Exceptions are made to this principle in case the processing is linked to historical purposes, the public interest, statistical purposes…


. Major Changes and Highlights of this new regulation

 

1. Harmonization of the Regulations

The new General Data Protection Regulation is about to replace the old Data Protection Directive. Here is a comparison between these two types of legislative act:

 

Directive vs. regulation legislative act

The use of a different type of legislative act already implies that EU decided to regulate the matter more in depth and that the member states’ freedom to choose how they regulate the matter of data protection is limited by virtue of the new regulation.

 

2. One-Stop-Shop mechanism

Previously, companies operating in different EU Member States must adapt to the requirements of each national data protection authorities (DPAs). It was hoped that the One-Stop-Shop mechanism would provide supervision by one lead authority to companies and organizations with a presence in more than one Member State.

 

Where the One-Stop-Shop mechanism does apply, there are complex cooperation and coordination procedures for DPAs to ensure all the opinions from involved DPAs were taken fully into account.

 

An independent European Data Protection Board (EDPB) will be set up. Its role includes issuing opinions and guidance, ensuring consistent application of the GDPR and reporting to the Commission. It will also have a key role in the One-Stop-Shop mechanism.

 

All in all, when GDPR comes into effect, companies and organizations that conduct business in various EU countries will no longer need to deal with the national DPAs, and compliance will be simplified.

 

3. A More Stringent Criteria for “Consent”

The GDPR strengthens the concept of “consent” as a basis for legitimising the collecting and processing activities on individuals’ personal data, especially in the area of date profiling and processing of special categories of personal data.

 

The rules require “a clear affirmative action establishing a freely given, specific, informed and unambiguous indication”. Requests for consent should be separate from other terms, and be in clear and plain language. A data subject’s must be informed of his or her right to withdraw the consent. In addition, the data controller is required to be able to demonstrate that consent was given.

 

4. Bolster Data Subjects’ Right

One of the main ambitions of the European Commission in proposing a new data protection framework was to bolster the rights of individuals. This desire is clearly reflected in the strengthened rights of data subjects:

  • Right to access: EU citizens have the right to know upon request what personal data a company is using and how it is being used. The controller shall provide a copy of the personal data undergoing processing
  • Right to erasure (Right to be forgotten): EU citizens can expect companies to stop processing and to delete their personal data upon request, when there is no other legal ground for the processing.
  • Right to data portability: EU citizens may transfer their personal data from company to company upon request. As a result, upon request, organizations must be able to provide an individual’s personal data in a “commonly used and machine-readable format”.

5. Accountability Programme

The GDPR places onerous accountability obligations on data controllers and processors to demonstrate compliance. This includes:

 

(1) Data Protection Officers (DPO)

The GDPR requires the controller and the processor to designate a DPO to oversee data security strategy and GDPR compliance. Organizations are required to have a DPO if they conduct large-scale systematic monitoring or processes large mounts of sensitive personal data, or are a public authority.

 

(2) Maintain certain documentation

Documentation shall be maintained and implemented by data controllers and processors. This documentation must be made available to your supervisory authority on request.

 

(3) Data Protection Impact Assessments (DPIA)

Organizations must undertake Privacy impact assessments when conducting risky or large-scale processing of personal data. DPIA shall in particular be required in the case of: automated processing including data profiling; processing on a large scale of special categories of data; a systematic monitoring of a publicly accessible area on a large scale.

 

(4) Prior consultation

The controller shall consult the national data protection authority (DPA) prior to processing where a DPIA indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk. If the DPA feels that the processing would breach the GDPR, they may provide written advice and use their enforcement powers where necessary.

 

(5) Mandatory Data Breach Notification (DBN)

The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

 

Organizations must notify supervisory authority of data breaches without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to be a risk to individuals; A reasoned justification must be provided if this time frame is not met. In the event of a breach, the data processor must report it to the relevant data controller; if there is a high risk to individuals, they must also be informed.

 

(6) Security of Processing

As introduced in the principle of “integrity and confidentiality”, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including interalia as appropriate the pseudonymisation and encryption of personal data, etc.

 

6. Privacy by Design and by Default

The principle of Privacy by Design introduced by GDPR requires firms and public administrations to adopt a proactive and not merely reactive approach to personal data protection, rendering necessary to provide operative procedures, configurations and safety measures safeguarding confidentiality, integrity and availability of personal data “by default” as well as “by design”.

 

Data protection and processing safeguards must become part of the “DNA” of all systems and processes.

 

7. Fines

The previous applicable rules did not provide for any real and concrete sanctions. Consequently, there was no incentive for organizations to comply with the applicable rules. This changes drastically due to GDPR.

 

Infringements of GDPR can be sanctioned by means of a fine which can amount up to 20 million EUR or 4% of global annual turnover for the preceding financial year, whichever is the greater.


. How to prepare for GDPR in 10 steps

 

Prepare for GDPR in 10 Steps.

 

1. Awareness

Make sure that the management are aware of the entry into force of GDPR and the main changes this will imply.

 

2. Data Register

Map which personal data are collected by your organization, where these data are collected from and with whom the data is shared.

 

3. Communication with Data Subjects

Privacy policies must be updated in order to give clear information to data subjects about how their personal data will be processed.

 

4. Fulfill the Rights of Data Subjects

A strategy covering topics such as data classification, retention, collection, destruction, storage and search will be required to fulfill the rights of data subjects.

 

5. Analyze the Legal Basis

Document which data are collected on which legal basis. For different legal basis on which data can be processed, different rules will apply.

 

6. Children

When data of children are collected, the parents or legal guardians of those children must give permission in order for the data processing to be valid.

 

7. Embrace Privacy by Design

Forward-thinking organizations should undertake DPIAs early during system and process design.

 

8. Appoint a Data Protection Officer

Review whether your organization is obliged to appoint a data protection officer due to GDPR.

 

9. Prepare for Data Breaches

Put in place clear policies and procedures to ensure that you can react quickly to any data breach and notify in time where required.

 

10. Review Existing Agreements

If your company has concluded contracts with data processors, subcontractors, it must be reviewed whether the agreements are compliant with GDPR and updated where needed.


Dewit Law Office | www.dewitlawoffice.be

 

Established in 1945, Dewit Law Office has its headquarters in Brussels, Belgium. Establishment over 70 years, Dewit Law Office has always maintained the principle to provide the most professional legal service to clients and dealt with numbers of different kinds of cases in Europe. As a member of SILFA, Dewit Law Office establishes long term corporation relationship with law firms in Netherlands, Luxemburg, France and Germany, etc. and provides an efficient legal service to their clients.

 

Dewit Law Office established Beijing office in 2009. It not only provides legal service to European clients related to Chinese business but also assist Chinese companies to develop their business in Belgium and Europe.