The New General Data Protection Regulation


The new General Data Protection Regulation (GDPR), effective as of 25 May 2018, is set to achieve the ambitious goal of providing a comprehensive and unified EU legal framework on the processing of personal data. The GDPR is further set to facilitate the free flow of personal data within the Union and to third countries, while ensuring a high level of protection of personal data and proper control tools accessible to the data subjects.

The fundamental novelties include:

· Increased responsibilities of data processors (along with data controllers);

· Applicability to data controllers and processors who are not established in the EU member states but process personal data of EU data subjects;

· New obligations for data controllers and data processors in relation to, inter alia, data subject consent, breach notification, appointment of a Data Protection Officer and mandatory impact assessment; required accountability (the data controller must “demonstrate compliance” with the new data protection rules at any time);

· A number of new rights for data subjects, including the “right to be forgotten”, data portability and the right to restrict processing; explicit consent to “profiling”;

· New provisions regarding cross-border transfers to third countries, including explicit regulation of Binding Corporate Rules;

· A significant increase in the penalties for breach of the new rules, reaching up to 10 mln. EUR or, in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher;

· Data controllers and data processors may be engaged in litigation in various countries and are subject to supervision by any EU Data Protection Authority (depending on the particular situation);

· Special protection and increased security requirements regarding children;

· No mandatory registration as a personal data controller after 25 May 2018.

Do these novelties affect my organisation?

The novelties discussed would affect your operations if:

· You are a data controller located in any country within the EU, or outside the Union but processing personal data of individuals who are based in the EU;

· You are a data processor (i.e. you provide services to other companies where provision of the services requires processing of personal data provided by the data controller) – the rules apply to your organisation if it is located within the EU, or outside the EU where the data being processed belong to EU-based individuals;

· You are exchanging personal data of EU-based individuals with data controllers/processors worldwide.

What needs to be done?

· Review and revise the data protection policies of your organisation to ensure compliance with the new data protection principles and rules;

· Review and revise the information notices and informed consent forms used by your organisation when collecting or transferring personal data;

· Identify and ensure means to “demonstrate compliance” with the GDPR – proper documenting of data processing related decisions, privacy impact assessments, etc.;

· Consider training your employees on the new data protection principles and requirements to ensure compliance with the data governance measures;

· Develop breach notification procedures;

· Consider adopting Binding Corporate Rules if you are part of a multinational group of companies with members outside the EU;

· Consider whether your organisation is obliged to appoint a Data Protection Officer and, if it is, start selection procedures.

Need to talk about privacy compliance? Let’s meet in private!

If you want to know more about the matters above, you are more than welcome to contact us. We will not invite you to any sort of public speaking events on these matters, though. We would rather discuss privacy requirements in a private, free-of-charge meeting (up to 2 hours), where we will be happy to provide tailored training on the steps you need to take to bring your organisation into full compliance with the applicable regulations.

We will be happy to see you and discuss your concerns in the professional atmosphere of our law office!