Whether or not your business operates outside of Europe, it will be affected by the European data protection reform if it handles EU citizens' personal data. The reform includes the General Data Protection Regulation (GDPR) and the Data Protection Directive for the police and criminal justice sector (DPD). The GDPR will apply to all EU member-states, including Denmark and Sweden, from the 25th of May 2018 and is the part of the reform that directly affects both individuals and businesses processing data.
In the case of Norway, since it is not a member of the EU but is part of the General European Economic Area (EEA), there is a special procedure to enact the GDPR. Until that procedure is completed, the GDPR will not enter into force in Norway.
The main objective of the GDPR is to enhance the protection of individuals' personal data. That is, any digital information relating directly or indirectly to an individual's specific physical, physiological, genetic, mental, economic, cultural or social identity. The GDPR also addresses personal data issues from a more modern perspective, since the previous regulation dates from 1995 and the global digital market has changed drastically since then.
Personal data is processed by both public and private entities, which determine the purposes and means by which they process said data. Data processing involves collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, disseminating, erasing or destroying personal data. This means that practically every business and public entity with online services available in Europe will be within the scope of the GDPR.
The key aspects brought by the GDPR for businesses to consider revolve around three main topics: the reinforcement of an individual’s rights regarding their personal data, an increase in compliance standards and the veer towards a stronger enforcement of these rules.
Enforcement of individual rights
Placing individual rights at the centre of the regulation is a major change brought by the GDPR. This shift recognizes that individuals, as the true owners of their personal data, have a minimum set of rights and freedoms in relation to that data. It also means that the entities with the means of processing such data must not only respect individuals' data rights, but must be held accountable for processing personal data in an inappropriate manner or for not keeping it safe enough.
The GDPR includes two major changes in relation to individual rights: the territorial scope and the list of citizens’ rights.
The first change, and arguably the most important one, is the broadening of the GDPR’s territorial scope. This means that the GDPR will apply to the processing of:
1. Data collected by European companies, regardless of whether the processing takes place within the EU or not.
2. Data belonging to people in the EU collected by a company not established in the EU whose activities involve offering goods or services (with or without a price) or the monitoring of people’s behaviour within the EU.
3. Data collected by companies not established in the EU, but in a place where EU member-state laws apply.
This shift means that European data protection authorities will have the power to impose sanctions on non-European companies that process personal data if there are breaches to the rules of the GDPR and if they involve the personal data of EU citizens.
The second major change in terms of individual rights is the implementation of the following list of citizens’ rights regarding their personal data:
1. Mandatory breach notification: If a hack might result in a risk to the rights and freedoms of individuals, data processors must notify that individual within the first 72 hours of becoming aware of the breach. This includes notifying customers and data controllers.
2. Right to access: Companies processing or controlling data shall provide, upon request, a free copy of the personal data they possess and a confirmation of whether they use the individual’s personal data, how and for what purpose.
3. Right to be forgotten: Also known as data erasure, it entitles individuals to request that companies erase the individual’s personal data, cease further dissemination of such data and have third parties halt processing of said data.
4. Data portability: Individuals will be entitled to receive any personal data concerning them and transmit that data to another controller.
5. Privacy by design and by default: Companies processing data must integrate the necessary safeguards so that only the personal data necessary for each specific purpose is utilised and recorded.
Compliance is always a major topic in any regulation, since it is the main prevention mechanism used by lawmakers. Complying with regulations is the ideal way of avoiding legal trouble and costly fines, because by being compliant one is necessarily acting legally. Prevention is usually the cheaper alternative to fines or other penalties, and this is certainly the case given the robust fines made possible by the GDPR.
The key changes for compliance purposes are intended to alleviate the bureaucratic burden for companies processing personal data belonging to citizens of more than one EU country, by integrating data protection authorities (the “one-stop-shop” mechanism) and by motivating better internal practices within data processing organizations.
The “one-stop-shop” mechanism is a novel integration system. Under the GDPR, the lead supervisory authority will be able to handle local cases where the controller or processor of personal data is established in more than one country, but the matter concerns only processing carried out in a single member-state. This means that local supervisory authorities must start cooperating with the leading authority so that the latter can handle new cases.
This mechanism spares multinational companies a bureaucratic nightmare, since only one regional supervisory authority, operating under a single procedure, will oversee their processing of personal data, instead of up to 28 different authorities.
The second key change brought by the GDPR regarding compliance is the necessity of appointing a Data Protection Officer (DPO) to improve internal record keeping within companies processing or controlling personal data. This obligation will apply specifically to those companies whose core activities consist of processing personal data on a large scale, or processing data relating to criminal convictions and offences.
The key characteristics of the DPO position are:
1. The candidate must have experience in data protection law.
2. The candidate can be either a staff member or external service provider.
3. The candidate’s information and background must be reported to the relevant supervisory authority.
4. The DPO must have the appropriate resources to carry out their duties.
5. The DPO shall report to the highest level of management.
6. Duties that involve conflict of interest are not to be carried out by the DPO.
If compliance is on one side of a coin, enforcement is on the other. It is the main corrective tool utilized by the GDPR and it focuses on cases where a contravention, breach or offence has been committed by a data controller or processor. The last key change that will be implemented by the GDPR when it enters into force is the creation of stronger enforcement rules compared to the 1995 Directive.
If companies processing data breach their obligations under the GDPR, they may be subject to economic sanctions imposed and enforced by data protection authorities. Let's not forget that, under the new territorial scope, both EU and non-EU companies that in any way process the personal data of EU citizens, whether within the EU or not, are also under the control of these authorities.
For serious infringements, such as not having sufficient customer consent to process data or violating the right to privacy by design, the GDPR contains fines that may rise to 4% of annual global revenue for the preceding year or €20 Million, whichever is greater.
For less serious infringements, like not having records in order, not notifying data authorities and/or customers about data hacks or not conducting impact assessments, the GDPR can enforce fines of up to 2% of the annual global revenue for the preceding year or €10 Million, whichever is greater.
The entering into force of the GDPR will be a much-needed legal update, since it addresses certain privacy issues that have arisen from the colossal expansion of the global digital market in the present century, such as the processing of personal data by companies overseas. The GDPR also brings in a stronger set of penalties and easier compliance mechanisms to diminish the damages from data misuse by those entities and from data breaches or hacks.