For many Belgian companies, 2017 will stand under the sign of ´data privacy´. At least, that should be the case, because everything’s going to change in May 2018, when the General Data Protection Regulation (GDPR) will enter into force throughout the EU. This new legislation will have a major impact, and companies would do well to already put their affairs in order this year. In this blog post we summarise for you the essential points of the GDPR.
Why new data protection legislation?
Until now there has only been a data protection directive on the European level, but no real legislation. That directive is over 20 years old and it provided no real answers to the new challenges for data protection that are posed by a globalised and digitised market of e-commerce, social media and mobile internet. Up to now, each EU Member State had its own regulations and supervisory bodies. In most cases abuses went unpunished.
With the GDPR, the European Commission wishes to modernise, standardise and simplify the law on personal data protection for all EU countries. The goals are to strengthen the privacy of EU citizens, to better protect their personal data and to ensure that companies take the necessary steps for doing so.
What is the GDPR?
Where the existing European law on data protection was only a directive, the GDPR is a regulation that applies in each Member State. Each Member State also sets up its own authority which investigates complaints and sanctions violations. Moreover, heavy fines are provided for offenders. The GDPR actually entered into force back on 24 May 2016. In Belgium, however, the Privacy Commission, companies and organisations received a 2-year window, until 25 May 2018, to bring themselves into conformity with the law’s new requirements.
What personal data are involved?
The GDPR concerns the protection of personal data. Concretely this means any form of information that directly or indirectly can be linked to an individual and relates to his personal, professional or public life. Thus it can be a name, an e-mail address, a photo, medical, financial or commercial data. But mechanical data such as an IP address, location data, transactions or web server logs can also constitute ‘personal data’.
To whom and where does the law apply?
The legislation applies to all organisations – whether established in the EU or outside it – which control (data controllers) or process (data processors) the personal data of EU nationals (data subjects). The same rules and laws apply for all organisations. A data controller is a person who (or organisation which) defines the objective of and the methods used for the data processing. Every company that possesses personal data, for example, is a data controller. A data processor is an external service provider that does the processing at the controller’s behest (for example, a social secretariat that handles payment of the salaries for a company).
What are the law´s most important innovations and points of attention?
More rights for citizens
A first important element is the right to be ´deleted´. This entails that citizens may demand that their personal data no longer be processed, thus e.g. that they be removed from a database. A second new aspect is the right of transferability. Everyone will be entitled to transfer personal data from one system to another. The data controller must furnish the data for this in a structured, commonly used and electronic form.
Privacy by design & default
‘Privacy by Design and by Default’ means that data protection is ´baked in´ as it were into the very design of business processes. Privacy-related settings must be strict by default. Organisations have to be able to demonstrate that they took the proper technical and operational measures in order to adequately protect the personal data that they store/process, and this depending on the risk. Think here of access control, anonymisation and pseudonymisation, encryption, risk analyses, and so on.
Under the GDPR, companies will be obliged to immediately inform the competent local authority of data breaches that might cause harm to the persons involved. In some cases the company must even directly notify the persons involved, for example if the data breach can lead to personal financial losses.
Data Privacy Officer
Within the GDPR framework, some organisations will have to appoint a Data Privacy Officer, who must ensure that the principles of data protection are being complied with in the organisation. He or she must also have the necessary knowledge, cooperation and authority in order to fulfil this task.
Besides harming their own image, companies and organisations that fail to comply with the rules run the risk of having to pay substantial fines. For example, the GDPR provides for a maximum penalty of 20 million euros or four percent of the worldwide turnover – whichever is highest – for breaches as a result of which the rights of individuals are violated.
Time for action
May 2018 may seem far off right now, but many companies still have a lot of work to do to bring themselves into compliance with the GDPR – not least in the domain of IT, the engine that houses and processes personal data. So in fact it´s high time to get started on the necessary preparations.
A good first step is to map out the types of data that your company receives, processes or deals with and perform an initial risk analysis on them (with an IT security audit). Call on the assistance of specialists in the subject who master IT, business and the new data privacy legislation and preferably possess the necessary certification.
You can find more information about the GDPR here as well as the step-by-step plan (in Dutch) offered by the Belgian Privacy Commission.