On 25 May 2018, the General Data Protection Regulation (GDPR) came into force. With further regulations such as e-privacy and personal data protection for EU institutions on the way, it’s clear that the way personal data is used and handled is changing fundamentally.
Are your organisation’s actions aligned with the GDPR?
Citizens have more control than ever over how their personal data is used. All organisations that process the personal data of individuals within the EU need to adhere to the new regulations to be compliant.
If you’re an organisation processing personal data in Europe, targeting clients in Europe or monitoring the activities of European citizens online, you need to comply with the GDPR.
The GDPR is the largest development in data protection legislation since the European Data Protection Directive of 1995. Although the underlying principles of the Organisation for Economic Co-operation and Development (OECD) guidelines from 1980 remain applicable, the GDPR requires wide-scale changes to how those principles are implemented in all organisations.
Regulators will now have unprecedented power to enforce the regulation, including imposing fines and suspending personal data processing.
Regulatory issues aside, the GDPR also presents the following opportunities:
Harness the value of your data
Establish trust with your clients and stakeholders
Ensure your organisation’s strategy is fit for the digital economy
What’s the risk of non-compliance with the GDPR? In the event of a breach of the GDPR, the data protection authorities can either impose a temporary suspension of your ability to process personal data, or fines amounting to 20,000,000 euros or four percent of global consolidated revenue, whichever is higher.
Organisations are required to implement a number of technical and organisational measures to protect the rights and freedoms of data subjects. This means that a privacy compliance framework needs to be put in place that’s tailored to your data processing profile and the associated risk for data subjects.
Such technical and organisational measures can include keeping records of processing activities, providing individuals with notice of their rights and employing techniques like pseudonymisation or encryption to ensure the security of personal data. Additionally, you need to ensure that data you pass to third parties is handled in a manner compliant with the GDPR.
Your organisation must be able to demonstrate compliance with the GDPR and that the technical and organisational measures have been designed and are operating effectively in accordance with the potential risk for data subjects. The data subjects’ rights aim to allow individuals to have control over their personal data.
Data subjects are also entitled to sue for compensation if they suffer damage or distress as a result of non-compliance.
There are ten major changes with the introduction of the GDPR that must be taken into account when building a privacy compliance framework:
If the core activities of your organisation involve the processing of sensitive personal data or processing that requires regular and systematic monitoring on a large scale, a Data Protection Officer (DPO) needs to be appointed. The DPO is responsible for monitoring your GDPR compliance and acts as the point of contact for the Data Protection Authorities and stakeholders.
A Data Protection Impact Assessment (DPIA) needs to be carried out and documented when implementing new technologies or when processing could result in an increased risk to the rights and freedoms of data subjects.
Processing of personal data needs to be limited as far as possible and privacy risk reduced as far as possible. This means that your products, services, systems and daily working practices need to be designed with privacy in mind.
If a breach of personal data is likely to result in a risk to the rights and freedoms of data subjects, it must be reported to the competent Data Protection Authority within 72 hours. Communication with the data subjects might also be required.
Data subjects have the right to not be subject to a decision based solely on automated processing and may request human intervention, unless explicit consent or a legal basis is present. This restriction includes profiling.
The GDPR brings clarity on the lawfulness of data processing. You need to establish a clear legal basis that forms the grounds for data processing. Such legal grounds can be explicit consent, a contract, the protection of vital, public or legitimate interests, or a particular legal obligation to keep personal data.
Data subjects have the right to request deletion of personal data if it’s no longer needed to serve its original purpose, or if a legal basis to store the data is no longer in place.
Data subjects can request to transfer an overview of their personal data to another organisation in an easily accessible format.
Data subjects can object to the processing of their personal data unless a legal basis is in place.
Data subjects have the right to obtain rectification of inaccurate personal data.
Koen Maris
Assurance Partner, Cyber, Privacy & Resilience, PwC Belgium
Tel: +352 49 48 48 2096