November 15, 2016 | Jon Hautamäki
The new EU General Data Protection Regulation
The new EU General Data Protection Regulation (GDPR), which was adopted on the 27th of April 2016, will come into effect on the 25th of May 2018.
For some time now, the increased significance of personal data in today’s business-environment has created pressure for the EU to harmonize the use, handling and processing of personal data within the Union. In the GDPR, the protection of natural persons personal data is considered a fundamental right. The GDPR will be mandatory legislation throughout the EU and will require very little enabling legislation to be passed by governments and will also apply in situations where personal data is being processed outside the EU. In the GDPR, personal data is defined very broadly and the definition holds within all the information related to an identified or identifiable natural person.
General remarks
The GDPR is clearly an addition to the already existing regulations on personal data processing. It improves considerably the privacy of natural persons but at the same time significantly increases the duties of the registrar collecting, handling or processing the data. The registrars are obligated, inter alia, to report intrusions and other security incidents within 72 hours to the competent national authority, to appoint a separate Data Protection Officer in certain circumstances and to ensure that the personal data registry has its own built-in data protection system.
Children are considered to be a special group in the GDPR. When based on consent, the data processing of a minor younger than 16 years of age requires the guardian’s authorization or consent. This creates its own legal risks because a minor using e.g. their parent’s computer is nearly impossible to separate from the owner of the computer and thereby the identity of the minor may remain an open ended question.
The GDPR imposes the registrar with the so-called accountability principle. It means that the registrar needs to be able to actively demonstrate that it has taken into consideration and implemented the applicable data protection regulations in its operations and designs. The burden of proof for the proper fulfillment of all the obligations specified in the GDRP is on the registrar. If the registrar fails to prove that proper procedures were followed, the registrar can encounter an administrative fine of up to 20 million euros.
It is also necessary to notice that personal data itself is defined in a very broad manner. When taken into consideration the annual publication of people’s income tax information by the Finnish media, the GDPR may in the future prohibit the media from publishing one’s income tax information in the same detailed way as previous years. However, it should to be noticed that the Finnish Data Protection Ombudsman Reijo Aarnio has disputed the aforementioned interpretation, whereby it remains to be seen whether the GDPR will affect the publication of income tax information in the future.
All in all, the GDPR and the national legislation following the regulation is very essential to get familiar with. As the national legislator is given some freedom of action to implement the regulations of the GDPR within the nation, the exact details of the future legislation are still unclear.
A short and sweet checklist for companies
As previously mentioned, the upcoming GDPR will have varying effect. In this situation, how should companies handling personal data in their business operations prepare for future changes? Below we have identified certain key areas that should currently be taken into consideration:
1) Companies should emphatically take notice of the fact that the GDPR will heavily add more regulation to the legislation regarding the use of natural persons personal data, whereby companies handling personal data in their business operations should as soon as possible start with evaluating the current state of their privacy policies and risks related to it. If any shortcomings are found, they should be mended immediately.
2) If a company operates in the public sector or its business is heavily involved with large scale and systematic tracking of people or large scale processing of sensitive personal data, it has to appoint a Data Protection Officer. Other companies affiliated with processing of personal data should also appoint a person in charge of appropriate procedures. This is to assure that processing of personal data is always done properly.
3) If a company is processing personal data of minors under the age of 16, it should emphatically be taken into consideration on the practicalities of data handling.
4) A company processing personal data is also obligated to announce intrusions and other security incidents within 72 hours to the competent national authority.
5) If a company has made an agreement with an outside service provider regarding the processing of personal data and the service provider has access to said data, the provisions in the relevant agreement have to be reviewed and it needs to be ensured that the agreement is in line with the new regulations set by the GDRP. This might become an issue e.g. when the company has outsourced its payroll administration.
If the above checklist has awakened interest in your company’s data protection issues and the current state of affairs, please do not hesitate to contact us. We are more than happy to sit down with you and plan ahead for the upcoming GDPR and its impact your company’s daily business operations.
15.11.2016 JON