After four years of deliberations, the EU General Data Protection Regulation (GDPR) is ready to be formally ratified by the European Council in early 2016. After being confirmed by the 28 member states, it should come into force by 2018, a timetable that gives affected organisations over two years to implement its provisions. The GDPR isn’t just about compliance; it changes the way organisations must understand the gathering of customer data. It therefore matters how organisations both understand and implement the GDPR compliance function at the governance and risk management level.
Existing legislation is rooted in the EU Data Protection Directive (Directive 95/46/EC) promulgated in 1995, the provisions of which have been carried through into the national legislation of all EU member states. In Romania, the relevant legislation is Law no. 677/2001. The Commission, though, expressed the view that existing legislation did not cater sufficiently to technological developments that had occurred since the time of the original directive, particularly in relation to the rise of social networks and cloud computing, and that the legislation needed to be revisited and updated to take into account changes in the way data is used and how it can be accessed.
The Council of Ministers is currently seeking to reach an agreement on the content of the GDPR. Following this, there will be a two-year transition period to allow national data protection authorities (in Romania, the National Supervisory Authority for Personal Data Processing) to put in place new guidelines for compliance with the GDPR, at the end of which all organisations in Romania will be expected to be compliant.
It is important to understand that the GDPR will be a regulation and not a directive. This means the GDPR will have immediate effect on all member states at the end of the transition period (Article 91: ‘This Regulation shall be binding in its entirety and directly applicable in all Member States’).
The proposed content of the more important provisions of the GDPR can be summarised as follows:
– Scope: The Regulation will apply if either the data controller or processor or the data subject is based in the EU. It will also, for the first time, apply to organisations based outside the EU if they are processing personal data of persons resident in the EU. The definition of personal data will be materially widened to catch everything that might be posted on a social network, email addresses, computer IP addresses and so on.
– Harmonisation: There will be a single set of rules which will remove the right for individual countries to differentiate their legislation. There will be a single European Data Protection Board which will be responsible for enforcement in coordination with national Data Protection Authorities.
– Privacy: It is proposed that data protection be designed into the development of business processes for all products and services and that privacy settings are set at a high level by default. It will become necessary to carry out Data Protection Impact Assessments when specific risks occur and for there to be risk assessment and prior approval for high risks. Organisations above 250 employees (or 5,000 records held) must appoint a Data Protection Officer (DPO). This position can be shared with other organisations.
– Consents: Explicit (as opposed to implicit) consents must be obtained for the collection of data and for any purpose for which that data is used. Data controllers must be able to show there was an ‘opt-in’ and that the data subject has been given the right to withdraw consent.
– Data Protection Officer: As stated above, all organisations will be required to appoint an independent Data Protection Officer. The Data Protection Officer will be expected to be competent in the management of IT processes, data security and business continuity issues affecting the holding of personal and sensitive data. The required skillset will extend considerably beyond an understanding of legal obligations. The Data Protection Officer will answer to the Data Protection Authority and it is likely there will be a large number of governance issues that organisations will need to consider.
– Notice requirements: Notice requirements will be expanded to include details of the retention time for personal data and contact information for the data controller and the Data Protection Officer.
– Breaches: The Data Protection Officer will have a personal obligation to notify the supervising Data Protection Authority of breaches of the Regulation. There is, therefore, likely to be an enormous increase in attention to data protection, as so far no de minimis threshold has been suggested for the reporting requirement. Given this and the personal responsibility of the Data Protection Officer, there is likely to be a flood of reported incidents.
– Penalties: The Data Protection Authority will have the right to impose the following sanctions for breach:
* A written warning in the case of first non-intentional breaches.
* An imposition of regular data audits to ensure rectification of the breach and future compliance.
* Fines of up to 5% of worldwide turnover or €1m, whichever is higher.
– Right of Erasure: Data subjects will have the right to require that any organisation holding their personal data erase that data in specified circumstances, which will include breach.
– Data Portability: Data subjects will be entitled to require a copy of personal data being processed.
Therefore, it is clear that the implementation of GDPR will require comprehensive changes in business governance, regulatory risk and compliance for organisations that do not presently implement high levels of privacy protection.