Key aspects of GDPR
I/ Introduction: a brief history of GDPR
Over the past 25 years, technology has transformed our lives in ways no one could have imagined, so a review of the rules was necessary. In 2016, the EU adopted the General Data Protection Regulation (GDPR), one of its biggest achievements in recent years. It replaces the 1995 Data Protection Directive, which was adopted at a time when the internet was in its infancy, before smartphones, search engines and social media even existed. The GDPR is now recognised as law throughout the EU.
II/ Key elements of GDPR
1. Rights of Individuals
There has been a desire to strengthen the rights of data subjects under the GDPR. To this end, the GDPR introduces a number of new rights for data subjects (e.g., the Right to Erasure, also known as the Right to be Forgotten) and enhances existing ones (e.g., the Right to be Informed). Two of these rights, the Right to be Forgotten and the Right to be Informed, are explained in more detail below.
2. Right to be Informed
Companies must ensure that individuals understand who the data controller collecting their personal data is and the purposes for which it is collected. Organisations’ privacy policies will need to be updated in accordance with GDPR requirements. The GDPR’s new accountability principle means that companies acting as data controllers will bear greater responsibility for demonstrating compliance with the GDPR’s data protection principles.
3. Right to Erasure (“Right to be Forgotten”)
A Right to Erasure is now set out clearly in the GDPR, giving individuals a qualified right to request that their data be erased, provided certain grounds apply; for example, where the data is no longer necessary in relation to the purposes for which it was collected. Where relevant, businesses will have an obligation to erase the personal data they hold concerning that individual within a maximum of one month of receipt of the request.
4. Data Protection Officer (DPO)
Businesses will be required to appoint a DPO to help them comply with all of their obligations under the GDPR. This is a designated role with tasks set out in the GDPR, including responsibility for monitoring compliance with the GDPR. It is needed whether the organisation is acting as a processor or a controller, where its processing operations require regular or systematic monitoring of people on a large scale.
5. Obligations on data processors
Under the Data Protection Act 1998, the statutory obligations apply only to data controllers. Under the GDPR, however, data processors will also have obligations. For example, the processor will be responsible for implementing appropriate technical and organisational measures to secure personal data during its processing activities. Processors will be legally accountable for compliance beyond any contract terms, although reputable data processors will already have many measures in place to demonstrate compliance.
6. Data Protection Impact Assessment and data breach response
Businesses will need to carry out a Data Protection Impact Assessment where the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals. The GDPR also requires controllers to report a personal data breach to their data protection supervisory authority (the Information Commissioner’s Office (ICO) in the UK) without undue delay and, where feasible, within 72 hours, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where the breach is likely to result in a high risk to those rights and freedoms, the data controller will also need to communicate the breach to the affected individuals without undue delay.