The EU General Data Protection Regulation (GDPR), entering into force on May 25th, 2018, replaces a 1995 EU Directive on data protection. Based on its expertise on privacy and data protection Cabinet SAMMAN has been appointed by several business organizations to work and be part of the dialogue on the GDPR implementation process with supervisory authorities and other public officials. Please find below a recap of the main elements of the GDPR.
- As a Regulation, the GDPR is directly applicable in all European Union (EU) Member States, although it leaves them a little room to maneuver. Several governments have undertaken work on national provisions to this end, including France (ongoing) and Germany (adopted). The exact regulatory framework should be confirmed after the implementation of national laws, most likely without affecting the general provisions.
- Policy makers and regulators have reiterated on several occasions that their philosophy and approach to the GDPR is to support and help stakeholders improve their privacy practices and comply with GDPR rules. Hence, the deadline of May 25th, 2018, should not sound the starter gun for sanctions.
Lead supervisory authority
- The GDPR established the lead supervisory authority, responsible for supervising cross-border processing within the EU. The Data Protection Authority (DPA) of the main establishment of an organization should fill this role, but the GDPR leaves leeway for interpretation.
- The GDPR places great emphasis on the principle of accountability, which offers stakeholders the possibility of applying a variety of voluntary compliance tools, e.g. codes of conduct, certifications, data protection seals and marks.
- These tools can complement the specific mandatory requirements: keeping a record of personal data processing operations, data protection impact assessments, and appointing data protection officers.
Data subjects’ rights
- While the accountability principle represents a new approach in terms of implementation, in substance, the GDPR represents an evolution rather than a revolution in EU data protection standards.
- Some key provisions, established in the previous Directive, are further strengthened, e.g. the sharing of responsibility between organizations involved in personal data processing (controller and processor), and the guarantees provided to data subjects (data portability, right to be forgotten, consent, etc.).
- The accountability principle goes hand in hand with the risk-based approach encouraged by the GDPR. Organizations will have to assess the possible risks of their processing activities, identify which are low risk and which are “high risk”, and then apply appropriate protection measures.
- Data security obligations are maintained as compared to the 1995 Directive, but the GDPR recommends a list of security tools such as: pseudonymization, encryption…
- The GDPR provides for the conditions of notifications with shared but different responsibilities for both controllers and processors to notify breaches depending on the level of risk.
- Both controllers and processors must, as a rule of thumb, notify breaches. Exceptions are awaiting clarification from regulators.
Impact on UK-based companies
- ‘Brexit’ may not have an impact on UK-based companies, provided the UK government adapts its personal data protection rules to the GDPR, as so far planned, and provided the EU and the UK reach an agreement on a post-Brexit cooperation framework. The UK’s proposal might be modelled on the current cooperation model between the EU and Norway, Liechtenstein and Iceland.
- Decisions resulting from automated processing, including profiling, artificial intelligence, machine learning, etc., trigger additional obligations for processors and controllers.
- The GDPR maintains several legal provisions that allow the transfer of EU data subjects’ personal data to recipients in third countries, i.e. outside the European Union.
- The GDPR strengthens regulators’ powers, notably by enabling them to apply particularly hefty administrative fines, of up to €20,000,000, or, in the case of an undertaking, of up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Public and Private sector initiatives
- The Article 29 Working Party (WP29), the informal body of supervisory authorities in the EU, has adopted guidelines on specific GDPR provisions and is expected to issue new ones in the coming period.