Data protection Reloaded – The new General Data Protection Regulation as an opportunity and risk
Data protection Reloaded – The new General Data Protection Regulation as an opportunity and risk
At first, you might think that 24 months is a long time to implement new rules in a company. However, this is a mistake. Completely changing business processes within 24 months is a Hercule task. What happened? After years of tough struggles at the highest political level, the European Union was able to agree on a new General Data Protection Regulation in May 2016. It came into effect on 24.5. – largely unnoticed. The “unnoticed” is due to the fact that there is a transitional period of two years, i.e. until 25.5.2018, and that the new rules have to be applied only beginning at that date. After many companies have let the last few years go by without changing anything until they realized at the beginning of 2018 that numerous processes in the companies have to be adapted to the new realities.
Who is actually affected by the new General Data Protection Regulation? In principle, the General Data Protection Regulation must be complied with by any natural or legal person, authority or institution that processes personal data. We talk about personal data when a natural person is identified or identifiable. A natural person is identifiable if they can be identified by an identifier, location data, online identifier, or other characteristics. In summary, this means that, in fact, every company must apply the General Data Protection Regulation, since de facto every company processes data about natural persons.
It has already been the case that personal data may only be processed (including the collection and storage of data) if the processing is carried out for a specific legitimate purpose. These rules, which were applied to the original 1995 Directive (Directive 95/46/EC on the protection of natural persons with regard to the processing of personal data and the free movement of data). In addition to this specific purpose of data processing, other quality principles must also be adhered to. Until now, it has been sufficient for processing to be carried out in good faith, for a certain purpose, to the lowest possible extent, correctly, for a limited period of time and safely. The processing must now also be transparent. This means that the controller (the person who decides that and how the data will be processed) must disclose to the data subject how he processes the data. This change in the legal basis means that companies have to adapt their processes to the new legal situation. But there’s more. Even in the past it was necessary for an effective consent that the data subject had declared validly, without coercion and in full knowledge of the facts, that his or her data could be processed. These criteria, which are already very strict, are further strengthened by the General Data Protection Regulation. It is now imperative that the person responsible provides proof that he has actually obtained an effective declaration of consent.
Furthermore, the processing of special categories of data (formerly: sensitive data) will also be aggravated in the future. Special categories of data are information that is particularly worthy of protection. This is information about racial and ethnic origin, political opinion, religious and ideological beliefs, trade union membership, health data and data on sex life. What is new is that genetic and biometric data now fall into the specific categories of data. The processing of special categories of data is only permitted if the data subject has consented to the processing or if there is a legal obligation to process the data.
Besides that, criminally relevant data must be delimited. This is personal data relating to criminal convictions as well as criminal offences or related safeguards. The processing of data relevant to criminal law may only be carried out under official supervision or where permitted by Union or National law.
Already in the past, there was already a right of access of the respective data subject, with which he could ask the responsible persons what data about him is processed. As before, this information is free of charge once a year. What is new is that the deadline has been shortened from eight weeks to one month. Should the information be comprehensive and complex, the person responsible may, in individual cases, extend the deadline for the information by a further two months once; the person responsible will inform the person concerned within one month, giving reasons. There is also a major change for companies in terms of updating data. If a controller passes on data to a third party, he is also obliged to inform the third party of any changes to the data. This is to ensure that the data sets are always correct. Even more serious is the fact that the recipient of the data must also be informed of the fact that the data has been deleted.
There is also a great need for changes in companies regarding the technical framework. E.g. entrepreneurs are now obliged to ensure data portability. The respective data subject must be able to take the data from one controller to another. To do this, the responsible person must implement technical interfaces that enable portability. Data protection-compliant basic settings complete the picture. Data collection must follow the principles of privacy by default and privacy by design. This means that the technical processing as well as the default values must be designed in a privacy-friendly manner. For example, a data collection cannot begin until the data subject takes an active action. This can be done, for example, by ticking a check mark. The processing of the data must also be data protection-friendly. Personal references must be deleted unless absolutely necessary (pseudonymisation).
Technical measures oblige the responsible person not only to protect against unlawful access, but also to ensure that the data is always available.
On the organisational side, the changes are no less severe. In the past, the controller had to report the data processing to the data protection authority. Now there is a self-obligation. The controller must document which processing operations take place within the framework of his company. In order to do so not only does he have to specify exactly where the data comes from, what happens to the it and how long the it is stored, it must also clearly state, with regard to the individual data processing processes, what organisational and technical measures he will take to protect the data. The consequences when “something goes wrong” are rather unpleasant. The General Data Protection Regulation not only defines very precisely when a breach occurred (already should a third party could theoretically have access), the consequences that affect the respective controller are draconian. Not only does the responsible person have to inform the authority of the violation within 72 hours, the responsible person must also have implemented a process to inform the respective persons concerned about the violation. If the effort to inform the individual affected person is too high, the responsible person is obliged to publish the violation.
If the controller processes a particularly large amount of data and there is a high risk potential for the data subjects, the controller must also prepare a so-called data protection impact assessment.
There are two ways of controlling this: On the one hand the responsible person himself is obliged to – under certain conditions – appoint a data protection officer, who internally checks the correct processing of data. One the other hand, the competent supervisory authority has a comprehensive right to not only verify the proper compliance, but also to punish every violation. The penalty is truly enormous, in the worst cases it amounts up to EUR 20.000.000,00 or 4% of the worldwide annual turnover. It may be expected that the competent data protection authority will release a catalog of sentences in the future, which matches the respective size of the company involved, but since the regulation intends for the penalties to be “deterrent”, it’s probably in the best interest of the company to take the General Data Protection Regulation seriously.
All these changes mean that while the data protection effort in the company is increasing, it is also an opportunity. With the new regulations companies have the unique opportunity to cleanse the workflows and to redefine them in a traceable manner.
Whether or not companies make use of this opportunity, only the future will show.
SUMMARY: The General Data Protection Regulation (GDPR) was approved by the EU Parliament on 14th April 2016 and has to be enforced until 25th May 2018 by every natural or legal person, authority or institution processing and holding the personal data of data subjects. The main changes are sharply higher penalties along with new conditions for consent, stricter accountability including records of data processing, data protection impact assessments, data protection by design and for certain companies the appointment of a data protection officer. Besides the GDPR introduces data breach notification, with the obligation to report any data breach within 72 hours. Further a level of security appropriate to the risk has to be ensured, hence specific technical and organisational measures have to be implemented.
Author: Mag. Markus Dörfler, lawyer, Partner at Höhne, In der Maur & Partner Rechtsanwälte