A Video Guide to the General Data Protection Regulation (GDPR)
Posted in: Business Legal on Data Security on 29 March 2017
Issues covered:
In the first video of this series, David Fagan from Business Legal discusses implications for organisations which are likely to stem from the forthcoming General Data Protection Regulation due to be implemented in May 2018, touching on the European Data Protection Board and New Rights and Provisions under the GDPR.
The European Data Protection Board
The new General Data Protection Regulation has been coming for quite some time. It was originally expected to be in force for 2014 or thereabouts. However, after a long and meandering time through the European institutions, it is now set to be implemented on the 25th May 2018. So we have a little time to get prepared for it.
There previously was an organisation known as the Article 29 Working Party and what this was, was all of the European Union Data Protection Authorities coming together as one European body. That's now being replaced by the European Data Protection Board. There's also a new one-stop-shop provision which, in theory, would have been good for Ireland but in practice maybe less so.
Until recent amendments to the regulation, the lead Data Protection Authority would be that Data Protection Authority that was designated from one country to be effectively in charge of multi-national Data Protection Affairs. In simple terms, that meant instead of having to comply with perhaps 27 or 28 data protection authorities or, in fact, many more as some jurisdictions have state-level data protection authorities, a multi-national could, in theory, just have one authority with jurisdiction for it for the entirety of Europe. So, for instance, a multi-national based in Ireland could, perhaps, be regulated by the Data Protection Commissioner here, and all data protection issues across Europe could be dealt with by the Data Protection Commissioner in Ireland.
This proved, however, to be a step too far, ultimately. Due to opposition from the continent, it has been decided that although there is still a lead data protection authority, there is now effectively an appeal to the European Data Protection Board. This, in effect, removes a large portion of the one-stop-shop element of the new regulation. It may mean that we remain with a patchwork of data protection authorities. Of course, this is to be seen in practice.
It may be that there are not too many appeals from decisions of a lead authority, and in particular, it's an appeal from another authority. So perhaps, these organisations, these data protection authorities, will work in conjunction with each other and the number of appeals to the European Data Protection Board might be limited to only major matters. That would be the hope.
New Rights and Provisions under the GDPR
The Regulation brings in a couple of thoughts, a couple of concepts that have been kicked around Europe for some time. Under the new regulation, there is a right to be forgotten and a right to data portability. These are rights which have not existed previously.
In addition, under the new Regulation, there will be an obligation to appoint a Data Protection Officer of an organisation in certain circumstances. Those circumstances are where there is large scale monitoring of data subjects or large scale processing of sensitive personal data. There will be stronger rules on consent. There will be few opportunities to rely upon implied consent. Reliance on silence, inactivity, or pre-ticked boxes will no longer be effective.
One important new provision in the regulation, I feel, is the provision regarding the processing of unnecessary data. For example, the supply of goods or services must not be conditional on the processing of personal data unless that processing is necessary for the supply of those goods or services.
It is possible that some organisations will still seek to process unnecessary data on the basis that they will say that it is necessary for the performance of some of the services but not necessarily all. But these services are being offered as a block on a take it or leave it basis. We'll have to see how that pans out when the Regulation is actually enforced.
There will be mandatory breach notification. Currently, there are what might be described as soft law regulations, certainly in this jurisdiction, on the reporting of breaches. They will now be mandatory under the regulation.
There will also be the concept of privacy by design. That is to say that privacy must be built into systems at the design stage. So that systems will have to be designed with privacy in mind. There's also the concept of privacy by default. In essence, that the default position should be with privacy in mind.
There will be requirements to maintain documentation on data processing activities so data controllers, that is to say those who hold or process data, will be required to maintain documentation showing their processing activities.
There's also an interesting concept in the Regulation whereby organisations which are based outside the EU, but which process data, personal data, of EU residents in connection with the supply of goods or services will be subject to the General Data Protection Regulation, irrespective of where processing takes place. At this point in time, it is only processing which takes place in Europe that is subject to European Data Protection Regulation.
However, with the passing of the new Regulation and the coming into force of the new Regulation, processing which is aimed at EU residents will also be captured, irrespective of where that processing takes place.
There are similar provisions in terms of companies which track or profile EU residents' behaviour. So effectively, behavioural advertising and that type of thing are also specifically caught by the new Regulation. Fines under the new Regulation are quite large, up to a maximum of €20 million or 4% of global turnover.
This article is correct at 29/03/2017
Disclaimer:
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.