The primary objective of the GDPR is to safeguard the European Union citizens from data breaches. This is particularly important since the world is increasingly becoming data-driven and the conditions are largely different from the the time that the 1995 directive was enacted. Although the fundamental tenets of the previous directive still hold, the new General Data Protection Regulation which is set to take effect in May 2018 brings several key changes. It introduces strict penalties, extends territorial applicability, strengthens consent, and affects data subjects in different ways.
Expanded Territorial Applicability
The GDPR law has an extended jurisdiction compared to the current directive. This is because it applies to every company that processes personal data of EU citizens irrespective of their business presence. This marks a difference from the current directive that only applies to businesses within the EU which handle or manage personal data of the citizens or those located outside of the EU but use equipment within the European Union to process data. The GDPR scope of applicability is clear. Consequently, companies that are bound by the regulations must strive to comply or face the legal consequences.
Direct Statutory Obligations on Data Processors
GDPR imposes direct legal obligations on data processors making them subject to direct enforcement by regulatory authorities, fines for non-compliance and damage compensation claims by data subjects due to breaches. This new practice deviates from the current arrangement where data controllers shift protection responsibilities and obligations to the data processors to avoid data protection compliance risk. The obligations that the new law directly imposes on the data processor include:
- Maintaining a record of processing activities executed on behalf of each data controller.
- Appointment of an EU representative if the company is located outside the bloc.
- Immediate notification of breaches to the controllers.
- Having a Data Protection Officer in certain circumstances.
- Obtaining controller’s written approval before subcontracting out data processing.
The General Data Protection Regulation makes data breach notification mandatory. This will apply to all EU members where a data breach is likely to jeopardize the rights and freedoms of an individual. The data processors are obligated under the regulation to inform their clients (who are mainly the controllers) of data breach upon realizing it without undue delay. The regulation requires the data controllers to make the data breach notification within 24 hours but not later than 72 hours to the relevant supervisory authorities. This is an improvement from the current privacy law that does not mandate EU members to impose data breach notification responsibilities. The data controllers have additional obligations in that they are also mandated to notify the data subjects affected by the breach.
Strengthened Data Subject Rights
1. Right to Access
The new European Union’s GDPR improves and clarifies the current regulations regarding the rights enjoyed by the data subjects. It also introduces additional rights that will ensure businesses do not exploit users’ data without their consent. GDPR introduces the right to access that guarantees the data subjects the freedom to confirm from the controller whether or not their personal data is being processed, where and the purpose for processing their data. The controller is obligated by the regulation to provide the data subject an electronic copy of personal data for free. This change from the current data protection law enhances data transparency and empowers the users.
2. Data Erasure
The right to be forgotten is enshrined in the General Data Protection Regulation. This right permits the users to ask the data controller to delete their personal information when they feel appropriate, stop dissemination and halt processing of their data by third parties. However, in doing so, the controller is required to assess the user’s right and compare it with the public interest in the data availability and make a determination. The requirement for data erasure according to the law is a withdrawal of consent or irrelevance of original purpose of data processing.
3. Data Portability
The new EU law introduces data portability which gives the users the right to obtain their personal data in a format that can be recognized by machines. It also gives them the right to transfer such information to another controller. This right strengthens the control of the data subjects over their personal information.
4. Breach Notification
Under the new regulation, breach notification is obligatory in circumstances where such breach is likely to risk the rights and freedoms of the people. GDPR requires that a notification be made before the expiry of 72 hours. The law puts the responsibilities to notify relevant entities on the data processors and controllers. The processors’ primary responsibility is to inform the controller of the data beach without undue delay. The controller then relays such information to the regulatory authorities as well as the data subjects immediately.
5. Children Consent and their Protection
GDPR takes cognizance of the fact that children cannot make informed decisions by themselves. Since children also deserve their personal data protection, the new EU GDPR limits children’s ability to approve data processing without parental endorsement. By default, the age for consent is 16 years although the regulation allows member countries to lower the age threshold to 13 years. In an online context where information society services are offered to a person below some specific age, verifiable parental consent is a must. Unlike the current directive, these key changes ensure that privacy and data protection are enhanced, and the likelihood of data breaches is significantly reduced for safety.