Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, entered into force on 24 May 2016, twenty days after its publication in the Official Journal. It repeals Directive 95/46/EC, although the repeal only takes effect when the Regulation becomes applicable.
Unlike a Directive, a Regulation applies directly in every Member State, without the need to transpose it into national law. Given the scale of the new obligations and rights it introduces, it does not become applicable until 25 May 2018, so that Member States, public administrations and businesses have a transition period in which to adapt. Directive 95/46/EC is repealed on that same date.
The Regulation aims to strengthen the right to personal data protection as a fundamental right and to give European citizens greater control over their own data. At the same time, businesses should be able to take full advantage of the opportunities of a single European market, since one set of rules applies everywhere.
The main changes that businesses need to reflect in their security and data protection policies are the following.
First, the Regulation broadens the information that must be given to individuals before their data is processed. Consent, where it is relied on as the legal basis for processing, must be clearer and more rigorous: it has to be freely given, specific, informed and unambiguous. Implied consent or consent by default (for example, a pre-ticked box) is not valid. Businesses must therefore review the way they request and record consent to verify that it meets the new requirements.
Second, in addition to confirming the existing rights of access, rectification, erasure and objection, the Regulation introduces new rights. The "right to be forgotten" allows citizens to require a company to erase their data in certain circumstances, for example when the data is no longer needed for the purposes for which it was collected. The "right to data portability" requires organisations that process data by automated means to provide the data subject with a copy of their data in a structured, commonly used and machine-readable format, so that it can easily be moved elsewhere; where technically feasible, the citizen may ask the company to transmit the data directly to another controller. Finally, the right to restriction of processing allows data subjects to request, and obtain from the controller, a limitation of the processing of their personal data.
Third, businesses must carry out a data protection impact assessment when they design a new product or service whose processing is likely to present a high risk to individuals; the assessment is intended to identify the risks of the processing and the measures needed to address them. The Regulation also requires businesses to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to the individuals concerned, those individuals must be informed as well.
Another important change for companies that process personal data on a large scale, or whose core activity consists of processing personal data, is that they must appoint a data protection officer (DPO).
The Regulation also introduces the so-called "one stop shop": a company established in several EU countries answers to the supervisory authority of the country where its main establishment is located, and that lead authority acts as the single point of contact for the company's activities across all of those countries. New restrictions apply to transfers of personal data to non-EU countries, which are limited to countries that offer an adequate level of protection or to transfers made under appropriate safeguards. Finally, the Regulation raises the penalties for infringement to as much as 20 million EUR or 4% of a company's worldwide annual turnover, whichever is higher.
To sum up, the General Data Protection Regulation (GDPR), in order to guarantee the right to personal data protection, sets out clear rules and obligations in some areas while leaving others to the internal governance of each organisation. Companies must therefore integrate all of their personal data handling into the organisation's general management processes: risk analysis and management, impact assessments, and so on.