GDPR: A new EU-wide data protection framework
2018, Year Zero for GDPR
In 2018, important changes will be made to the regulatory landscape for the protection of personal data in Europe. The General Data Protection Regulation (GDPR), which substantially alters the applicable rules, will take effect on 25 May 2018.
Even if this legislative text is not, strictly speaking, revolutionary, the changes it implements are quite significant. Firstly, instead of a European directive, which each Member State must transpose into its national legislation, the European Parliament has established a regulation, which, in principle, applies identically throughout the European Union. Secondly, the regulation also specifies how certain fundamental principles must be implemented, such as transparent data processing. And finally, the regulation also imposes rather heavy fines on offenders.
Emphasis on transparency
The regulation drops the purely formal measures that had been enacted under the previous directive (i.e. the requirement to declare any processing operations), choosing instead to focus on increased transparency of data processing operations. As such, the regulation stipulates which information must be provided to the people whose data is processed. The information must be complete and must be communicated in an “intelligible” form, in clear and simple language. The requirement of informed consent makes it impossible, for example, to collect data from children under the age of thirteen.
The rights of the individual whose data is collected have been extended and simplified, giving them the option to object to data processing under certain circumstances (for example, processing for direct marketing purposes). A person may request that any data concerning him or her which a data controller has collected be provided in a commonly used format, so that it can be transmitted to another data controller (“data portability”). Finally, people now also have the right to object to profiling based on their personal data.
Stricter obligations for data controllers
Data controllers and their subcontractors must comply with increasingly strict obligations. In everything they do, they must take data security into account from the outset and limit the data they collect to the minimum necessary. In addition, they must take every possible technical and organizational measure, adapted to the nature of the processed data and the risks associated with it. Organizations that typically process large amounts of data (such as polling organizations) will be required to appoint a data protection officer. Finally, data controllers must also report any security breaches to the authorities, to their customers and to the people whose data they process.
Data transfers to countries with different levels of protection must be strictly limited to specific cases. Last year, for example, the European Court of Justice declared the Safe Harbor framework invalid, causing quite a shockwave. Things will probably be no different for Safe Harbor’s replacement, the Privacy Shield agreement, which will exist alongside the regulation.
The sanctions outlined in the regulation are particularly severe: fines can amount to up to EUR 20 million or 4% of the company’s annual global turnover. The accountability of subcontractors has also increased.
It is not too late to do the right thing
It is not yet too late to implement the obligations arising from the GDPR. However, we must not lapse into blissful optimism either. Chances are that the authorities responsible for enforcing the new regulation will do everything in their power to step up controls as soon as it takes effect.
Which steps must a company undertake to comply with the regulation? Firstly, the company’s management must be aware of the overriding importance of personal data protection. The executive management and even the Board of Directors must take charge of this matter. In certain instances provided for under the regulation, they must appoint a Data Protection Officer, who must ensure that the measures required to implement the legal requirements are effectively taken.
More specifically, the Data Protection Officer must ensure that all employees receive data protection training. Employees are the most essential link in the company’s data protection chain. There is no point in putting in place the most advanced protection technology if employees continue to carry personal data around unencrypted on USB sticks; if they do, data protection will never get out of the starting blocks.
What about ACTITO in all this?
ACTITO has chosen not to wait for the adoption of the GDPR to ensure that personal data is protected. Since the company was established, we have adopted a set of practices aimed at ensuring data security.
We have decided to manage our technical infrastructure ourselves in secure data centers across Europe, guaranteeing complete redundancy. Our staff is trained in various aspects of IT security. In developing ACTITO, we apply development methodologies that allow us to limit the risk of data loss.
We regularly undergo external audits that focus on the security of our applications and our infrastructure.
As a legal expert specialized in personal data protection, our Director and co-founder Benoît De Nayer has dedicated an important part of his work to keeping up to date with the latest developments. This allows us to ensure that the company is moving in the right direction. At the request of our customers, Benoît De Nayer also gives external training courses to demystify the GDPR for employees.
An opportunity for European companies
Despite the very stringent nature of the GDPR’s provisions, which may contribute to a negative image of personal data protection, we believe, on the contrary, that the existence of such a unified framework is a real opportunity for European companies. It allows them to distinguish themselves from their global competitors by demonstrating their constant concern for protecting the interests of both consumers and citizens.