What is the GDPR?
The General Data Protection Regulation (EU) No. 2016/679 (the GDPR or the Regulation) will be applicable and enforceable throughout the European Economic Area from 25 May 2018.
The aim of the Regulation is to protect natural persons with regard to the processing of personal data and the free movement of such data. It was drafted to establish a single pan-European law that replaces and modernizes the current patchwork of national laws protecting consumer data. It introduces a rigorous, far-reaching privacy framework for businesses that operate in the EU, target customers in the EU, or monitor individuals within the EU.
The Regulation repeals Directive 95/46/EC, the previous legislative instrument governing the processing of personal data and the free movement of such data.
Is national legislation expected for its full implementation?
While imposing new obligations on data controllers and processors and introducing significant fines for non-compliance, the GDPR leaves the individual EU Member States considerable room in how it is implemented, including flexibility for derogations from at least 50 articles. Member States are trundling towards national implementation plans, but many are still in the early stages of this process.
This discretion creates a degree of uncertainty for all businesses established in the EU, as well as for non-EU organizations that offer goods or services to, or monitor the behavior of, EU data subjects. There is also the risk that harmonization will be undermined by divergent interpretations of the Regulation by different Member States.
The Office of the Commissioner for Personal Data Protection in Cyprus (CPDP), the national regulator in Cyprus, is preparing a new Act to deal with the issues that the GDPR leaves open for Member States.
Can companies prepare for the GDPR if national implementation plans are not yet in place?
Companies, especially those processing sensitive personal data, will need to respond to what Member State governments propose for some areas of the GDPR. However, guidance for data controllers and data processors already exists, including guidance from the Article 29 Working Party (WP29) on the new right to data portability, lead supervisory authorities, data protection officers and data protection impact assessments.
Further guidance on consent and profiling, data breach notifications, administrative fines and data export is also expected. Even so, businesses cannot afford to wait. The time needed for compliance, especially for longer-term projects (such as records of processing and compliant contracting), needs to be addressed as soon as is practicable. Businesses that operate in, target customers in or monitor individuals in the EU should audit their existing data practices. Companies should also immediately start maintaining a record of data processing activities. While it requires significant internal resources, this mandatory record will help companies plan for and implement GDPR processes. Businesses should also look to renegotiate existing commercial and outsourcing contracts.
The GDPR requires that contracts with data controllers include additional obligations. When renegotiating contracts, it is critical that adequate data protection clauses are added.
What should data controllers and data processors do now?
The CPDP suggests the following ten steps for businesses to start preparing for the implementation of the GDPR:
1. Update: Read the Regulation. Identify the aspects that may affect your organization and discuss them with colleagues who deal with personnel issues or with technical issues of computerization or database management. If you have any questions, consult your legal advisors.
2. Activity log: Record the activities of the organization that fall under the Regulation. This activity log is useful both for the internal functioning of the organization and for implementing the principles of transparency and accountability: controllers must not only comply with the Regulation but also be able to demonstrate their compliance.
4. Rights: The Regulation reinforces the existing rights of citizens and creates new ones. Check how these rights affect the activities of your organization, and discuss with your colleagues the ways in which citizens can exercise them. Under the Regulation, you may need to adopt, and disclose to the public, a standard procedure for exercising these rights.
5. Legal basis: Each activity of the organization must satisfy the conditions for lawful processing set out in the Regulation. Although these conditions are largely the same as the pre-existing ones, each organization should be able to justify, if required, the legal basis on which each activity rests.
6. Consent: Like the existing legislation, the Regulation distinguishes between "consent" and the "explicit consent" required for the processing of sensitive data. Unlike the existing legislation, however, the Regulation sets out specific conditions for obtaining consent. If the activities of an organization rely on consent, pay particular attention to the relevant provisions of the Regulation. For services that communicate information directly to a child, the consent of the child's guardian must be obtained.
7. Breach of personal data: The organization must take up-to-date technical and procedural measures to protect the data it handles. In the event of a breach or misuse of its databases, the organization may need to inform the Commissioner and/or the affected persons. Consider whether your organization's security measures meet the requirements of the Regulation.
8. High-risk activities: The Regulation recognizes certain high-risk activities. An organization involved in such activities may be required to carry out a risk assessment for each of them. Some organizations, because of their size or the nature of their activities, should designate a Data Protection Officer (DPO); the DPO may be an employee of the organization or an external partner. An organization that uses or develops computerized data processing systems, new technologies or applications should take into account the Regulation's provisions on data protection by design and by default.
9. ‘One Stop Shop’ and Consistency Mechanism: An organization established and operating in more than one Member State has the right to designate the Member State in which it has its headquarters and will, as a general rule, deal with the national Data Protection Authority of that state. For decisions taken jointly by separate organizations, the Regulation introduces the institution of co-controllers of processing. For cross-border cases requiring cooperation between Authorities, the Regulation introduces the Consistency Mechanism and defines the role of each Authority as the "lead supervisory", "competent" or "concerned" Authority.
10. Disclosures, Interfaces, Transfers: The Regulation abolishes the existing Disclosure and Issuance system for file interconnection or data transfers to third countries, but it creates new, corresponding obligations that organizations should be ready to comply with by May 2018. These obligations include the recording of procedures, risk assessments, codes of practice, process certification and the appointment of data protection officers. Each organization should know which of these obligations apply to it.