News

New EU Data Protection Regime

With the advent of the new General Data Protection Regulation (“the Regulation”), which will be directly applicable in all EU Member States including Malta, from May 2018, businesses need to gear up for a paradigm shift in the way they collect and use personal data.

Data Protection Update

The new reality can be spelled out to include the following matters:

(1) Fines of up to 4% of annual global turnover for breaches of the rules.

(2) Consent: the new standard will be that of freely given, specific, informed and “unambiguous” consent. ‎

(3) Breach notification: data breaches are to be notified to the regulator for all organisations “without undue delay”.

(4) Profiling and children’s data: tougher restrictions on the use of profiling and the collection and use of data on persons under 16 years of age.

(5) Supply chain: joint and several liability for suppliers (data processors).

(6) Data Protection Officers (DPOs): a requirement for public sector and private sector organisations engaged in large scale, systematic monitoring, to appoint a DPO; Member States have the additional flexibility of being able to impose stricter DPO requirements.

(7) ‎New concepts of data protection by design by default in any new products with more exacting requirements for organisations to ensure privacy by design by default and to document their compliance with the new regime.

(8) New establishment rules for controllers.

(9) Data portability, with new rights for data subjects and obligations for businesses.

(10) Data protection impact assessment for high risk processing.

(11) Introduction of data protection seals and certification which can be useful to mitigate risks.

So What’s Next?

The following are some useful steps to consider:

  • Business entities that had not previously regarded non-compliance with EU Data Protection legislation as a serious risk will obviously be forced to re-evaluate their position in light of the substantial new fines, increased DPA enforcement powers and grounds for seeking judicial remedies under the Regulation.
  • Based on the existing regime, businesses should:
  • Review their existing compliance programs and amplify them to cater for the coming into force of the Regulation.
  • Ensure that they have clear records of all their data processing activities.
  • Record data processing activities and consider undertaking an information audit.
  • Carefully consider whether they have a lawful processing condition for all data processing activities and document what personal data is stored, where it came from and with whom it is shared as well as the legal basis for carrying out such processing.
  • Where no processing condition applies, determine whether: (i) another processing condition might be available (e.g. by obtaining consent from affected data subjects); or (ii) that processing activity should effectively
  • Review all processing activity, consents, data access requests etc. with regards to their employees.
  • Update existing procedures to address access requests and plan how individuals’ access requests will be handled within the new time limits imposed by the Regulation.
  • Review how consent is sought, collected and recorded, and ensure that procedures comply with the new requirements of the Regulation.
  • Review all data flows, and consider whether appropriate data transfer mechanisms are in place. Close coordination with the DPA is recommended particularly in light of the applicability or otherwise of Privacy Shield in case of transfers to the United States.
  • Plan for data portability, as now apart from right of access, since data subjects will not only have right of access but also the right to port out that data.
  • Inform key persons and decision makers about the upcoming changes in order to assess the consequences of the Regulation on the company and its administration.
  • Review existing privacy notices and update them to comply with the Regulation.
  • Review current procedures to comply with individuals’ rights, including any procedures to delete or transfer personal data electronically.
  • Develop mechanisms to verify the ages of individuals and gather parental or legal guardian consent for processing activities that involve children’s data.
  • Ensure appropriate procedures are in place to detect, investigate and report data breaches.
  • Become familiar with the concepts of Data Protection by Design and the Data Protection Impact Assessment, and determine how to implement them within the organisation.
  • Appoint a DPO, if required, or an individual to take responsibility for data protection compliance, and review this position within the organization’s structure and governance arrangements.
  • Review existing contracts, which involve processing activities qua controllers, processors or both, and make the necessary changes to comply with the Regulation.‎

Discussions with the DPA to obtain clarity on procedures are recommended, since at present there are no applicable criteria in place on what procedures to be followed. This is important as apart from compliance, business entities will also need to revisit their application protocols, train staff accordingly and also add and implement new processes.

Under the Regulation, businesses are legally required to take due care of the notion of data protection by design and:

  • take data protection requirements into account for any new technology, product or service that involves the processing of personal data; and
  • conduct data protection audits where appropriate.

These steps will need to be planned into future product processes as well as operational cycles.

Profiling without consent is not allowed under the Regulation. If businesses regularly engage in profiling activities (e.g. social media), they will need to consider how best to implement appropriate consent mechanisms in order to continue these activities.

It is imperative that the Data Breach Response Plan is updated (including designating specific roles and responsibilities, training employees, and preparing template notifications) to enable them to react promptly in the event of a data

Security measures will also need to be re-assessed to ensure that data breaches can be detected and managed

Businesses should also consider implementing measures to ensure that any data minimization is in place as well using pseudonymisation and encryption, ideally using FIPS 140-2.

For more information or if you have any questions, please feel free to contact Dr Ian Gauci on igauci@gtgadvocates.com

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.