What is GDPR
We all heard about GDPR in the news in 2018, but what is GDPR? GDPR, also known as the EU General Data Protection Regulation, is the most decisive change in data privacy regulation of the last 20 years. It bases its provisions on the Data Protection Directive 95/46/EC and was created specifically to harmonise data privacy laws within Europe.
The main difference in the legislative framework is given by the name itself: GDPR is a regulation (a legally binding act) and not merely a directive (an official or authoritative instruction that sets out a goal to be reached) like its predecessor.
GDPR focuses on personal data, meaning any data that can identify a person: a name, an identification number, location data or an online identifier. The general public needs to know what personal data a business uses, where and how it is stored, how it is processed and used, and what the outcomes are.
GDPR in essence
GDPR sets out new rules on what data can be stored and processed, for how long, and how it must be managed and kept safe. Its main objectives are to ensure data privacy for all EU citizens, to regulate the way public and private entities approach data privacy and, of course, to prevent data breaches. Data breaches that represent a risk to individuals must be reported to the DPA within 72 hours and to the persons that might be affected without undue delay.
GDPR applies not only to information stored on digital systems but also to paper-based data, for example files stored digitally within a system or files kept in a paper-based filing system. Companies must find a way to index and search their paper-based files in order to comply with GDPR obligations. Good information management means securing all the devices used for clerical duties and restricting access strictly to the parties involved in the process.
Who falls within the scope of GDPR?
GDPR sets clear rules for organisations around the world: not only those based in the EU but also those consuming or offering goods and services on the European market.
It applies to small and medium-sized enterprises (SMEs) that process personal data and provide goods or services to Europeans, whether their branches are located inside or outside the EU and regardless of where the data is processed.
The applicability of GDPR does not really depend on the size of the company but on the type of activities it carries out. Activities that pose a significant risk to individuals’ rights and freedoms fall under the law whether they are carried out by an SME or by a large corporation.
However, some provisions of the GDPR do not apply to all SMEs. For example, companies with fewer than 250 employees are not required to keep records of their processing activities, unless personal data processing is a regular activity that represents a threat to individuals’ rights and freedoms, or it relates to sensitive data or criminal records.
What is a DPO or a DPA?
One major change under GDPR is the obligation for certain organisations to appoint a Data Protection Officer. A DPO is required if data processing is carried out by a public authority, or by a company, defined as a data controller or a data processor under GDPR, whose operations require regular and systematic monitoring of data subjects, or the processing of special categories of data (e.g. health or religious information and political beliefs) or of data relating to criminal convictions and offences. A controller determines the purposes, conditions and means of the processing of personal data, while the processor actually processes the personal data on behalf of the controller.
The DPO is involved in all issues related to the protection of personal data; in fact, he is the first link between the data controllers and the Data Protection Authority. The DPA is an independent public authority that supervises how data protection law is applied. It gives expert advice on data protection matters and handles complaints about non-compliance with GDPR and relevant national laws. Controllers may turn to the DPA in each EU Member State.
Among other core responsibilities, a DPO has an advisory role towards the controller or processor and towards the employees engaged in data processing operations, making sure that they act in accordance with GDPR and with other Union or Member State data protection provisions. He must understand and raise awareness of the risks involved in processing operations, considering the nature, scope, context and purposes of processing, and ensure that the activities are carried out according to the regulations in force, preserving individuals’ rights and preventing any data breach.
Obligations for the data controller
- the controller works only with data processors that can demonstrate they carry out their processing operations in compliance with GDPR;
- security measures must be adopted in accordance with GDPR;
- the controller has to inform data subjects in case of a breach, and the DPA within a maximum of 72 hours;
- the controller guarantees that all processing activities are carried out in compliance with GDPR.
Obligations for the data processor
- data is processed only in accordance with the controller’s instructions;
- the processor must inform the controller about any new third parties (sub-processors) and pass on to them the obligations it has towards the controller;
- the processor has to inform the controller if any instructions in their contract could be considered a GDPR violation;
- records of all types of processing activities must be kept available;
- in case of a data breach, the processor has to notify the controller as quickly as possible.
Both the data processor and the controller are required to appoint a DPO when their activities demand regular monitoring of data subjects on a large scale, or when they involve large amounts of sensitive data (e.g. criminal offences).
Consent under GDPR
GDPR gives high priority to individual consent, and the conditions for consent have been strengthened. Companies’ requests for consent must be presented in a concise and clear way, easily distinguishable from other matters, so that the data processing is clearly tied to that consent. A key point is that data subjects have the right to withdraw their consent as easily as they gave it.
Data processing in regard to a child is lawful when the child is at least 16 years old; if the child is below this age, consent must be given by those with parental responsibility over the child. EU Member States may provide by law for a lower age, but not below 13 years.
Where processing is based on consent, the controller must be able to prove that the data subject has given consent to the processing of his personal data. Consent may take the form of a written statement, including by electronic means, or an oral statement.
This can be done simply, for example, by ticking a box when visiting a webpage; by doing so a data subject clearly indicates acceptance of the processing of his personal data. Silence, pre-ticked boxes or inactivity do not constitute consent. Consent should cover all processing operations carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.
What penalties are involved?
Any infringement of GDPR may be fined by the supervisory authority. Administrative fines are determined by the competent supervisory authority in each individual case, having regard to all relevant circumstances of the incident: the nature, gravity and duration of the infringement, its consequences, and the measures taken to comply with GDPR and to prevent the breach.
Companies can be fined up to 2% of annual global revenue of the preceding year (or €10 million) for less serious infringements, and the amount may rise to 4% (or €20 million) for more serious infringements, which is the maximum that can be imposed.
Infringements of the following obligations may be considered less serious:
- integrating data protection ‘by design and by default’;
- records of processing activities;
- cooperation with the supervisory authority;
- security of processing;
- notification of a personal data breach to the supervisory authority;
- communication of a personal data breach to the data subject;
- data protection impact assessment and prior consultation;
- designation, position or tasks of the DPO;
- certification.
Infringements of the following may be considered more serious:
- the basic principles for processing, including the conditions for consent, the lawfulness of processing and the processing of special categories of personal data;
- the rights of the data subject;
- the transfer of personal data to a recipient in a third country or an international organisation.