In January 2012, the European Commission proposed a comprehensive reform of data protection within the European Union framework. Over 4 years in the making, the European Union General Data Protection Regulation (in short referred to as GDPR) was finally approved on 14th April 2016 and published in the European Union Official Journal on 4th May 2016. The Regulation shall repeal as well as replace the present Data Protection Directive 95/46/EC and all the national laws implementing it. Indeed the GDPR presents the most ambitious and comprehensive changes to data protection rules since the 20 year old Directive.
The GDPR shall remove the fragmented system that is currently in place with respect data protection, and it shall establish a single law that regulates all data protection matters which law shall apply directly throughout the European Union territory including Malta. EU citizens shall see their fundamental rights being strengthened through the introduction of new rules.
The GDPR shall introduce wide-ranging changes which require appropriate understanding, acceptance, preparation and implementation across the whole European Union territory and in all organisations that shall be subject to the Regulation.
Indeed, the GDPR shall expand its territorial scope in order to capture organisations that are not established inside the European Union. This shall only occur if two conditions are met; if the organisations offer goods or services to data subjects in the European Union or if the organisations monitor the behaviour of data subjects in the European Union. Thus the new data protection law shall start to apply to many organisations regardless of where they are established or where the processing actually occurs.
Organisations shall see their accountability being increased – they are obliged to inform the data subjects of their data protection rights whereby a thorough explanation needs to be provided on how the personal data is being used, for what purposes as well as specifying the retention period of the said data. Organisations have the responsibility to maintain registers of their processing activities, create internal inventories and have all the required internal policies to cover the protection of personal data.
Where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons, one needs to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data prior to the stirring of the processing which is commonly referred to as the Data Protection Impact Assessment (in short referred to as DPIA).
The Regulation has also introduced a new office, that of the Data Protection Officer which needs to be appointed if certain specific criteria are met. Thus not all organisations are bound to have a Data Protection Officer. The latter shall be designated on the basis of professional qualities and in particular expert knowledge of data protection law and practices and the ability to fulfil the tasks specifically mentioned in the GDPR amongst which there is the duty to cooperate with the supervisory authority, to provide advise where requested as regards the data protection impact assessment and monitor its performance as well as to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the Regulation and to other Union or Member State data protection provisions.
Additionally, the GDPR brings with it stricter data breach reporting. If a data breach occurs, it must be reported to the Supervisory Authority of that particular Member State without undue delay, and, where feasible, not later than 72 hours after having become aware of it. If the data breach is of a serious nature, than the data subject needs to be informed as well. In this respect, it is worth highlighting that each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of the GDPR, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union. In case of Malta, the Supervisory Authority is the Information Data Protection Commissioner (in short referred to as IDPC) whilst the Information Commissioner’s Office (in short referred to as ICO) is the Supervisory Authority of the United Kingdom.
In this regards, since the Brexit is still not in place, UK organisations still need to abide by the GDPR. It is quite a blurry situation what would happen after the Brexit kicks in. However as previously mentioned, the territorial scope of the GDPR has expanded to also embrace organisations that are not established in the EU. Thus, if an organisation established in the UK, offers good or services to data subjects residing in the EU or monitors the behaviour of data subjects in the EU, then that organisation still needs to be GDPR compliant even after the Brexit happens.
Moreover, a further change brought about through the GDPR, is with respect the consent given by the data subjects. Indeed, this requirement shall be more stringent whereby the consent has to be given either by a statement or by a clear affirmative action that confirms the consent given. Furthermore, the consent must be given for a specific purpose and it can be retracted at any time. Nevertheless, the largest shift marked by the GDPR is that individuals shall benefit from greatly enhanced rights such as the right to object to automated processing as well as requesting the deletion of unnecessary personal data. The data subjects shall have the right to receive a copy of their personal data in a commonly used machine-readable format and transfer their personal data from one controller to another. A data subject has also the right of access to the information that is being processed with respect his/her person.
The GDPR started applying directly in all European Union Member States as from 25th May 2018. Non-compliance with the GDPR gives rise to significant penalties – for a minor breach a company can be sanctioned to up to ten million Euro or 2% of the annual global turnover whilst for a major breach it can be sanctioned up to twenty million Euro or 4% of the annual global turnover, whichever is higher. Hence, the media coverage a company would get through such a finding could cause significant damage to a brand.