Significant advancements in the field of information and communication have radically increased the ease with which data may be collected, transmitted, stored, manipulated and, most importantly, disseminated. These developments, together with a general increase in awareness of fundamental rights, particularly the right to privacy, have led to legislative changes and the emergence of a new regime of privacy protection.
Overview of the General Data Protection Regulation (GDPR)
The most significant development in this area that affects organisations, regardless of sector, is the General Regulation of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR). This overview examines the nature and scope of the regime and the rights of data subjects. It also provides information on the obligations of controllers and processors and summarises the restrictions on the transfer of personal data outside the EU.
The GDPR replaced the Data Protection Directive on 25 May 2018. The reform was intended to respond to new technological challenges and to put in place a harmonised framework for the protection of personal data.
The GDPR will apply to an organisation if it:
- alone or with others determines the purposes for processing personal data relating to living individuals (known as acting as a data controller) or processes personal data relating to living individuals strictly in accordance with the instructions of another (known as acting as a data processor); and
- is ‘established’ in the EU, meaning that the business exercises real and effective activity through stable arrangements in the EU – including through a branch or subsidiary.
Assuming the organisation was subject to the previous legal regime in this area, and so will also be subject to the GDPR, the key changes in the GDPR include:
- Governance – organisations have increased responsibility and accountability on how they control and process personal data.
- Consent – a more active consent-based model is introduced by GDPR. Wherever consent is required for data to be processed, it is defined as ‘freely given, specific, informed and unambiguous’. In other words, consent must be explicit, rather than implied.
- Transparency – organisations have increased transparency obligations.
- Data processors – organisations processing data on behalf of other companies are required to comply with a number of specific data protection-related obligations.
- Security – there is no definitive standard to adhere to when it comes to data security. Rather, GDPR requires controllers and processors to evaluate the risks involved in their processing activities and implement appropriate measures to prevent loss of, and unauthorised access to, data, such as pseudonymisation, encryption or restricted access.
- Enforcement – stronger enforcement means non-compliance could lead to much heavier, turnover-based sanctions. For the most serious breaches, the sanctions available are a fine of up to €20,000,000 or up to 4% of total worldwide annual turnover.
Data Protection Principles
There are seven Data Protection Principles that underpin the new law:
Lawfulness requires a data controller to satisfy at least one ‘processing condition’ when processing personal data. These include explicit consent, necessity for performance of a contract with the data subject, necessity for compliance with a legal obligation to which the controller is subject, or necessity for the pur