The General Data Protection Regulations – an upcoming revolution of data protection rules


What is it?
The General Data Protection Regulation, aka GDPR, is a new regulation enacted by the EU in April 2016 which will come into force within 4 months (May 2018). It is considered to be one of the most revolutionary law revisions, because it will influence the entire regime of privacy and data protection laws and impose onerous requirements upon the holders and processors of such data.
In this article we will review the salient sections in the GDPR and discuss their implications.

The main aim of the GDPR is to strengthen and unify data protection rules so that data subjects (the people to whom the information relates or about whom it is collected) have much more control over their personal data.

The GDPR will apply to both the holder of the data (known as the “Controller”) and the processor of the data (i.e., cloud service providers) if the data relates to individuals who reside in the EU (including Switzerland, Norway etc.).

This means that even if the controller or processor is based outside the EU, if the data they hold relates to EU residents they will be subject to the GDPR.

Why is it so dramatic?
GDPR replaces regulations which are more than 20 years old.
There are many conceptual changes, and many new obligations to which businesses may be subject.

Here are some examples:

  1. There is a wider definition of what is considered “personal data”

The fast pace of technological development is reflected in the wider definition of personal data under GDPR. This includes any data which is personal by its nature (such as name and address), but also location data, online identifiers, and any genetic or biometric data (e.g., facial recognition and fingerprint data).

  2. There are new obligations regarding additional information which is not private per se

Not only personal data must be protected, but also pseudonymous data (i.e., data that has been encrypted, as in the case of WhatsApp).

  3. Consent must be unequivocal, with no over-complicated privacy policy
  4. Automated decision making and profiling – any organization that uses automated decision-making technology will be required, in certain circumstances, to make sure that human control is involved.

What are the practical changes?

These can be divided into two groups: the rights of data subjects, and the obligations on businesses (controllers / processors).

As regards subjects, they now have much more control over the data collected about them. Their rights include:

  • Right of access to the data, including the right to information on how it is being collected;
  • Right to be forgotten / erasure – the right to withdraw consent. This also includes the subject’s right to ask that any details relating to them be deleted completely;
  • Right of compensation – subjects will have a right to be compensated even if no material damage to their privacy has resulted;
  • Right of data portability – subjects are entitled to receive all data held in relation to them in a structured and simple form.

So what are my obligations from now on?

  • You must make sure that you comply with the new requirements and that you have full consent;
  • You will probably need to revise your data policies by May 2018;
  • You might need to appoint a Data Protection Officer;
  • From May 2018, you must keep records and submit documentation to prove compliance;
  • You must be proactive and engage directly with the subjects about whom you hold and process information;
  • You can be liable and subject to fines of up to 4% of your annual turnover.

So what do I need to do?

Given that there are less than 6 months before the compliance deadline, organizations absolutely must begin preparing immediately. Several areas are high priorities for action.

For more information please contact Porat Group with your specific questions.