General Data Protection Regulation (GDPR)
- What You Should Know - Opportunities & Risks For Your Company
Who is this for?
If you own or work for (IT or legal dep.) a small business or a multinational group of companies that process or stores personal data of persons from EU, regardless your company or processing of personal data takes place or not in EU, or simply you are interested in your data privacy rights as person – please read on!
Issue
Personal Data Protection is a legal regulation your company must comply with. Failing to do so may put your company at risks of fines up to 20M EUR.
Solution
Know your DGPR obligations and invest in data security, data-governance and management tools that help you prove and enforce your company's compliance with GDPR. July Soft offers such tools as:
Geysir Enterprise Search, Hekla DMS, Hekla CRM or Laki Extranet tools.
Disclaimer
Note that I'm a Technical IT person with extensive experience in big-data, automated data processing, data governance and management, but without any formal legal background.
This paper is "as is" (with no warranties or guaratees, express or implied and we don't assume any resposibility of any loss or damage – directly or indirectly to you/your business involving present).
This is a general guide – summary – of GDPR – that may help you – and we strongly encourage you to do so – while getting professional legal assistance.
Definitions:
PD - Personal Data – any information regarding a person (identified or identifiable)
REG - Regulation 2016/679 on Personal Data Protection
Controller - person or legal entity that decides purposes and means of PD processing
Processor - PD processor on Controller's behalf (Ex: Cloud Provider)
While Personal Data Protection by authorities is regulated by Directive 2016/680, Personal Data Protection in general and free movement of personal data within EU is regulated by Regulation 2016/679.
The difference between Directive and Regulation is that while Directive will be "cloned" in every member state with more or less accuracy while Regulation applies exactely as is to all member states automatically!
Scope of REG:
a) Material scope: "This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system." - Art. 2, p.1
b) Territorial scope: "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a Controller or a Processor in the Union, regardless of whether the processing takes place in the Union or not" – Art. 3, p. 1
As a general rule REG includes in its scope any PD processing on EU citizens regardless the place of processing or Controller/Processor!
Opportunities for businesses:
a) "The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data." - Chapter 1, Art. 1, 3rd p. of REG
This implies your business group can, starting 25th May 2018 from when REG will apply, move without any restriction PD between its entities from EU - given it comply with all other requirements REG imposes.
b) Simpler, cheaper compliancy / legal costs – Obviously, as before REG if your company/group operates in 5 member states then you need to hire 5 law firms just to make sure you comply with all national specific regulations, now starting REG will apply you have to deal with only 1 law – namely REG.
c) Many may see this as an expense but is in fact an opportunity. Being REG compliant implies you have to invest in security, data governance and audit tools, because as you will see, not doing so will place your company in a great risk of non-compliance with REG and this can expose your company to risk of fines up to 20M EUR or up to 4% of your global yearly turnover!
But, if instead you decide to buy / implement a CRM (like Julysoft Hekla DMS CRM) and/or an Enterprise Search (like Julysoft Geysir Enterprise Search) not only your company has data privacy by default / data privacy by design implemented but also your company data governance is more efficient, your operational costs decrease and in fact your business may grow just using better and faster its data – being it personal or no. Bottom line is: REG will force companies see security and data governance as an important compliance task and not only an afterthought – and this in itself is a benefical aspect or REG!
Rights of data subject that Controller must support:
- "Information and access to personal data": When asked by data subject, in maximum 1 month, Controller must reply to requestor, free of charge, in paper or electronical form all PD he has on data subject, along a list of other data, like:contact data of Protection Data Officer (employee or contractor of Controller that REG - in some conditions – requires to exist), the purposes of the processing, list of third parties that PD has been transmitted and why, etc. Failing to comply with this request may allow to data subject to fill a compliant to EU Data Protection Authority and also can ask material compensations under REG terms (Art. 12, Art. 13).
- "Rectification and erasure": When asked by a subject, Controller must without undue delay delete parts or modify data as asked by the subject.
- "Right to be forgotten" - "The data subject shall have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay.." Art. 17, p.1
- "Right to restriction of processing" – subject can ask Controller that its PD not to be processed – Art. 18
- "Notification obligation regarding rectification or erasure of personal data or restriction of processing" – Art. 19 – Controller must notificate data subject after any data deletion or update has been done under terms of any of articles: 16, 17, 18
- "Right to data portability" : "The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided..." (Art. 20, p.1)
General obligations of Controller and Processor:
"Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary" – Art. 24, p.1
In plain english the general large above statement implies Controller must ensure PD security and privacy namely prevent its availability to an indeterminate number of persons – PD must be kept technically private. Also for any PD Controller collects must have a resonable processing reasons he can demonstrate and any processing by Controller and or its Processor must be traceable!
Other obligations are:
- Notification of a personal data breach to the supervisory authority – Art. 33
- Communication of a personal data breach to the data subject – Art. 34
- Data protection impact assessment and prior consultation – Art 35, Art. 36
- Data Protection Officer – Art. 37, Art. 38, Art. 39
- Codes of conduct – Art. 40, Art. 41, Art. 42
References:
http://ec.europa.eu/justice/data-protection/
http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
Stelian from www.JulySoft.net - Bucharest, 27 Nov 2017