The new GDPR regime clarifies the existing legal framework. Adopted by the European Parliament in April 2016, it comes into force on May 25th, 2018 throughout the EU.
The baseline is that the GDPR is binding in its entirety and directly applicable in every EU member state. In addition, its application is “extra-territorial”: any company established outside the EU that processes data related to the activities of a European organisation, or that targets EU residents, must comply with it.
Many observers believe that the EU’s major partners will soon be forced to move closer to it, for a variety of good reasons. In case of infringement, the regulator may impose penalties of up to 2% of global turnover or 10 million euros for non-compliance and fines of up to 4% of turnover or 20 million euros for data breaches.
There is now only one set of rules relating to the protection of personal data, a set that prevails over all previous laws and provisions.
The regulation explicitly concerns “the protection of individuals with regard to the processing of personal data and the free movement of such data.”
The regulation also addresses “sensitive data”: in particular, data “relating to the state of health of individuals, their state of fragility, or even personal data relating to offences and convictions”.
In practice, the GDPR imposes unavoidable measures, in particular:
1. The “Explicit and Positive Consent” of the Interested Parties:
Consent must be obtained clearly, and not by default, by the companies or organisations exploiting such data.
2. The “Right to Erase”:
It replaces the “right to be forgotten” and can be invoked for 6 reasons. Erasure of the files must be carried out “as soon as possible”.
3. The “Right to Portability of Personal Data”:
Any person can require a data controller to provide the file of their personal data “in a structured, commonly used and machine-readable format”. Each person must be able to transmit it to another controller or, where technically possible, obtain that the transmission be done directly.
4. Refusal of Decisions Based on Automated Processing:
Any person may refuse to be the subject of a decision based on automated processing, including “profiling”, which produces legal effects concerning them or otherwise significantly affects them.
5. “Privacy by Design” Data Protection and “Default Security” Devices:
The data controller must take preventive measures to protect personal data from the moment products and services are designed, and the supporting systems must be secure.
6. Notification in Case of Data Leakage, Theft, or Data Breach:
The holder of personal data must notify the breach “as soon as possible” and within a maximum of 72 hours. The measure does not apply if it is established that the data are encrypted and deemed inviolable, and an exception applies to organisations with fewer than 250 employees.
7. An Impact Study:
Any processing or activity dealing with personal data must be preceded by a “privacy impact study” which provides for preventive measures for the protection of such data.
In case of doubt or other matters, the supervisory authority must be consulted “in advance”; otherwise, a data protection officer (DPO) must be appointed within the organisation, or this mission may be delegated to a specialised firm. The DPO post is required “if the processing is done by a public authority or public body”.
A DPO is also required where the activity involves “regular and systematic large-scale monitoring of those concerned”, or where “the basic activities of the controller or processor are large-scale processing of particular categories of data referred to in Article 9 and personal data relating to criminal convictions and offences referred to in Article 10”.
The DPO is involved in all matters relating to the protection of personal data. The DPO checks compliance with the regulation and advises the controller on its application. As the contact point for the supervisory authority, the DPO also responds to requests from people in the organisation who wish to exercise their rights.
These provisions apply compulsorily if you start a new project including the processing of personal data.
PS: * The 1995 regulation (article 94), which takes over from the 1978 law. The GDPR mentions a necessary “updating” and “modernization”, due in particular to technological advances and certain drifts, as recently illustrated by the firm Cambridge Analytica, accused of having exploited the data of more than 80 million Facebook users.