The General Data Protection Regulation (GDPR) comes into play in Malta and among EU states on the 25th April 2018. The new regulations are reported as the biggest shakeup in data protection for two decades. GDPR will replace the existing Data Protection Directive 95/46/EC and closes many of its predecessor’s ambiguities.
Businesses within the EU zone, or businesses and organisations that want to trade with or hold data on businesses and customers within the EU zone, need to be fully compliant with GDPR by 25th May 2018 or face heavy non-compliance penalties. The new regulations apply to both “controllers” and “processors” of user data.
There are three main areas of data protection that are strengthened by GDPR. They are:
Currently, it is possible for a company or organisation to circumvent the Data Protection Directive 95/46/EC if it is based outside of the European Union. This has resulted in high profile legal cases to prevent the movement of data overseas. Under the current legislation, the cases have not always been successful.
GDPR makes it clear that no matter where in the world an organisation is based, it has to comply with the regulations if it holds data on EU citizens or organisations or wants to trade with any citizen or organisation within the EU zone. This includes British firms following Brexit.
Britain is currently in the process of implementing its own version of GDPR which is very close to the EU directive and will come into play around the same time as GDPR.
Expanded Data Scrutiny
Companies of all sizes will need to show how they store and use data. They will also have to report data breaches to their country’s regulatory body within 72 hours. They will need to have documentation and policies stating how data is used and stored. This can include, but is not limited to:
- Data Impact Assessments
- Disaster Recovery Plans
- Data use including who can access it, history, and how it is used by the company
- Companies that have over 250 employees will need to show why the data is being held, how it is used, and how long it is held for. They will need to show what security measures are in place to protect the data.
If a company adopts a “regular and systematic monitoring” of user data or possesses a lot of it, it has to appoint a Data Protection Officer (DPO). This officer will need clear responsibilities and report to senior boardroom members.
Companies will also have to show that they have been given clear consent by the user for some of the data they collect and that the user gave a “positive opt-in”.
Expanded User Rights
User data rights are extended under GDPR. Users no longer have to pay the £10 Subject Access Charge to obtain their data from an organisation and can request data free of charge. Businesses and organisations have to provide the information within one month or face penalties. They also have to explain decisions they made in relation to the user’s data.
Users will be able to withdraw consent to use their data. A user can also request to “be forgotten” if their data is no longer necessary for the purpose it was collected, there’s no longer a legitimate interest, and if it was unlawfully processed.
The fines for non-compliance with GDPR are significant. For serious infringements, they can reach £20 million or 4% of a business’s annual turnover, whichever is the greater.