Recent changes to European personal data protection regulations have quite a lot of people worried. On May 25th, 2018, the new rules take effect, and by then you will have to have everything organized, or you risk a great deal!
We all want to protect personal data responsibly, but we also want to focus on not being fined.
These days, everyone knows and understands the importance of protecting citizens from a wide variety of emerging threats, not to mention the fact that all of us, individually and collectively, need to contribute to the same cause.
For the most part, those who are interested in (or worried about) data protection focus more on the financial side of things than the actual protection of data as a whole. From a business perspective, any kind of data breach has the potential to result in huge fines and penalties.
Which is precisely why it is critically important for everyone to acknowledge the recent adjustments made to data protection regulations, in order to ensure their total compliance. We are entering an era where immunity from data breaches isn’t a realistic concept, but it’s still vital to ensure that all necessary preventative measures are put in place.
The New Digital Age
Over recent years, society as a whole has had no real option other than to adapt to both the rapid evolution and new forms of communication and relationships. Companies are struggling to keep up with the disrupters of the new era and to stay on top. There are new digital trends and new platforms emerging every single day. Consequently, the challenges faced by the vast majority of businesses in this new era are felt in several areas.
The rules of the game have changed, but due to the rapidity of this ongoing evolution, the framework required to cope has not yet adapted. Companies stick with their traditional and often rigid strategies, which are proving to be insufficient when faced with modern threats.
“Adaptability” is the new buzzword the world cannot afford to ignore – those who do risk falling behind, or perhaps even disappearing entirely.
The need to change data protection rules …
It’s because of such drastic advancement in the digital landscape of the 21st century that the European Union made the decision to implement sweeping changes. As the world becomes more dependent on digital data, it really only makes good sense to ensure that it is adequately protected.
Nevertheless, the fact that things are continuing to change on a daily basis makes the whole thing even more complicated. After all, how can you impose regulation and provide adequate protection, when you essentially have no idea what’s coming next?
Take piracy as an example. There was a time when movies were copied and sold without authorization, downloads were made every day and there was no provision in the law on how to act in these cases. In turn, pirates got away with their activities, no questions asked.
How did regulators address the problem?
First of all, it should be explained that piracy of audiovisual content is an economic crime, which consists of the illegal use of a work protected by copyright and related rights and, in the case of illegitimate reproduction of software, by the computer crime law.
In the eyes of the law, piracy is considered a crime of usurpation.
As it became clear that pirates were profiting at the growing expense of those who owned the copyright of the material in question, new regulations needed to be drafted, which in turn led to the outright banning of piracy, along with aggressive efforts to bring those taking part in such activities to justice.
Still, every time the authorities take aim at the piracy community, new techniques emerge to make those involved more difficult or even impossible to catch. What’s more, technological advancements continue to make the policing of piracy all the more difficult, while at the same time making piracy as a whole so much easier for anyone to take part in.
Hence, the challenges associated with keeping up in the digital age.
Protection of Personal Data
One of the biggest advancements in technology over recent years has been the exponential development in the capacity for storage of and access to personal data. Suffice to say, if anyone could actually see just how much data is stored on them on a global basis, they would probably find it quite terrifying.
With such enormous volumes of personal and privileged data being stored on almost every human being worldwide, the necessity to protect this data quickly became apparent. Existing data protection laws simply did not come close to covering the needs of the 21st-century citizen living in the digital age.
As such, rules and regulations are now in place to govern those who collect and work with personal data. But it is nonetheless inevitable that things will have to take several significant steps forward, in order to keep up with the changing face of data storage and use.
As of now, businesses are required to adapt to the new legal framework, while citizens are being advised to familiarize themselves with their rights.
What is Personal Data Protection?
There are no two ways about it – attempting to understand the law can be boring and often very complicated. Fortunately, the regulations under review provide us with a few concrete terms and definitions, which make the whole thing much easier to understand and abide by.
Personal data
Information relating to an identified or identifiable natural person (“data subject”). A natural person is considered identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Personal Data Treatment
An operation or a set of operations carried out on personal data or on personal data sets by automated or non-automated means such as collection, registration, organization, structuring, conservation, adaptation or alteration, consultation, use, disclosure by transmission, dissemination or any other form of disclosure, comparison or interconnection, limitation, erasure or destruction.
Limitation of Data Treatment
The marking of stored personal data with the aim of limiting its treatment in the future;
Customers’ Profile Definition
Any form of automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects of a natural person, in particular, to analyze or predict aspects related to professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or travel;
Pseudonymization
The processing of personal data in such a way that it can no longer be allocated to a specific data subject without the use of supplementary information, provided that such supplementary information is kept separately and subject to technical and organizational measures to ensure that personal data cannot be allocated to an identified or identifiable natural person;
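As an added illustration of the pseudonymization definition above (example code written for this article, not taken from the regulation or from any product), the following Python keeps the working dataset apart from the re-identification table that the definition calls “supplementary information”; the sample records, field names and key are constructed.

```python
import hashlib
import hmac
import secrets

# Fields that identify a person directly and must leave the working dataset.
DIRECT_IDENTIFIERS = ("name", "email", "national_id")

# Constructed sample records (hypothetical people, not real data).
SAMPLE_RECORDS = [
    {"name": "Ana Silva", "email": "ana@example.org", "national_id": "PT-111", "diagnosis": "asthma"},
    {"name": "Bruno Costa", "email": "bruno@example.org", "national_id": "PT-222", "diagnosis": "flu"},
    {"name": "Ana Silva", "email": "ana@example.org", "national_id": "PT-111", "diagnosis": "allergy"},
]


def subject_token(key, national_id):
    """Keyed token for one subject; without `key` the token cannot be recomputed."""
    return hmac.new(key, national_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Strip direct identifiers and return (working_records, lookup_table).

    The lookup table is the 'supplementary information' of the definition:
    it is stored separately from the working records, under its own controls.
    """
    working, lookup = [], {}
    for rec in records:
        token = subject_token(key, rec["national_id"])
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working.append({**stripped, "subject_token": token})
    return working, lookup


def reidentify(working_record, lookup):
    """Re-attribute a record to a person; only possible with the separate table."""
    return {**lookup[working_record["subject_token"]], **working_record}


def has_direct_identifiers(record):
    """Check to run before a working dataset is handed to analysts."""
    return any(k in record for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # keep with the lookup table, never with the records
    working, lookup = pseudonymize(SAMPLE_RECORDS, key)
    assert not any(has_direct_identifiers(r) for r in working)
    print(working[0], reidentify(working[0], lookup), sep="\n")
```

The same person gets the same token across records, so analysts can still link a subject's records, but naming that subject requires both the key and the separately held table.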
“Consent” of the Data Subject
A free, specific, informed and explicit manifestation of will by which the data subject accepts, by means of a declaration or an unequivocal positive act, that the personal data concerning him/her are processed;
Violation of Personal Data
A breach of security that causes, accidentally or unlawfully, the unauthorized destruction, loss, alteration, disclosure or access to personal data transmitted, stored or otherwise treated;
Genetic Data
Personal data relating to the inherited or acquired genetic characteristics of a natural person which gives unique information on the physiology or health of that natural person and which results in particular from an analysis of a biological sample from the natural person concerned;
Biometric Data
Personal data resulting from specific technical treatment relating to the physical, physiological or behavioural characteristics of a natural person, enabling or confirming the unique identification of that natural person, in particular facial images or dactyloscopic (fingerprint) data;
Health Data
Personal data relating to the physical or mental health of a natural person, including the provision of health services, which disclose information about his or her health;
The consequences of the old-fashioned approach
Most organizations abide by their own unique data protection policies, which may have remained unchanged for years or even decades. Whatever they do, they do it like this because they have always done it like this.
But the new amendments to data protection regulations require significant changes to procedures, in order to avoid potentially drastic consequences.
Failure to comply with the new data protection rules could result in huge fines of up to €20,000,000.
Thus, given the length of time that an institution is likely to need to adapt to the new rules, the legislator has set a period of just a year for all firms to get on board with the regulation.
By May 25, all institutions will have to adapt to the changes, without exception.
Which firms/institutions have to adapt?
The new amendments to the regulations apply to all entities dealing with personal data – those carrying out any kinds of transactions involving personal data. These entities may be those that determine the purposes and means of processing personal data, but also those that perform these operations on a subcontracting basis.
Geographically, the regulation applies throughout the territory of the European Union. However, Article 3 (1) provides for an exception: “This Regulation shall apply to the processing of personal data carried out in the context of the activities of an establishment of a controller or a subcontractor located within the territory of the Union, within or outside the Union.”
In plain terms, processing personal data outside the territory covered by the regulation does not mean the regulation does not apply, provided that the institution is established within it.
How to Avoid a Colossal Fine
- Accept the need to protect personal data more proactively.
- Follow the new data protection rules and everything will be fine.
- Look at the checklist we have prepared and start right now!
Even if institutions comply with the new standards with due diligence, an unintentional breach of personal data cannot be ruled out. As previously stated, outright immunity is not a realistic possibility.
It Happened to Me…Now What?
So when things go wrong, how should an institution proceed in such cases?
All violations of personal data must be fully documented, including the facts related to them, their effects and the solution adopted.
Check out a few examples of the most frequently asked questions on the subject:
What are the “new” data protection rights?
With the changes to data protection regulations, we see the emergence of new rights that citizens can now “claim” at their discretion.
The right to be Forgotten
This new regulation covers the right to erase data (“right to be forgotten”), meaning that the subject has the right to obtain from the controller the erasure of his or her personal data without undue delay.
The Right to Data Portability
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. The subject may freely transfer, copy and move their personal information between IT systems in a secure, safe and convenient manner.
Right of Rectification
The data subject has the right to obtain from the controller the rectification (correction) of inaccurate personal data concerning him or her. With respect to the purpose of the data processing, the data subject is entitled to have their incomplete personal data completed, including by means of an additional declaration if necessary.
Potential punishment…
It is hard not to feel a certain sense of dread when you read the provisions of Article 83 of the Regulation, which concern the application of fines.
Let’s take a look at a few key specifics:
Infringement of the obligations of the controller and the subcontractor and breach of the obligations of the supervisory body shall be subject to administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of its annual worldwide turnover for the preceding financial year, whichever is the higher.
However, the highest fines are reserved for those who violate the following provisions:
- The basic principles of treatment, including the conditions of consent;
- The rights of data subjects;
- The transfer of personal data to a recipient in a third country or an international organization;
- Obligations under the law of the Member State adopted under Chapter IX;
- Failure to comply with a temporary or definitive restraining order concerning the processing or suspension of data flows issued by the supervisory authority or failure to provide access;
In such cases, infringement of the provisions shall be subject to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its annual worldwide turnover for the preceding financial year, whichever is the higher.
In summary: how can your company/agency comply with these necessary changes to personal data protection regulation, in order to avoid these fines?
- Take a few minutes to study the subject in the necessary detail.
- Introduce/adapt your employees and the technologies of your institution to the new regulations.
- Be aware of any violations and report them in a timely manner.
- Appoint a dedicated Data Protection Officer to review your personal data protection processes and security.
We hope that this article about the new European regulations on personal data protection coming into force in May 2018 will help you get your organization ready and avoid a fine!
If you need more information or would like to share your opinion with us, don’t hesitate to get in touch!