Part 1: Important dates, why the GDPR and the main changes compared to existing legislation
The General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council), abbreviated as “GDPR”, is a European regulation which aims to strengthen the protection granted to natural persons who are citizens of the EU with regard to the processing of their personal data.
The regulation was adopted on 27 April 2016 and will be effective from 25 May 2018. On this date it will supersede all previous national provisions.
The GDPR has varying implications and applications depending on your position in the data exchange ecosystem. In this series of articles, we aim to go through some of the implications and applications of the new regulation. The articles have been written from the angle of how the GDPR will impact the services provided by Pagero and other companies engaged in e-document exchange.
Some background and important dates
There is already legislation in place: to start with there is the Data Protection Directive, which became effective on 24 October 1998. This directive introduces some minimum requirements and general guidance from the EU level. Each Member State then has to implement it, but when doing so they are granted a fair degree of freedom to implement it in a way that suits them. So instead of having a single framework in the EU, we currently have as many types of legislation as there are Member States, since everyone has chosen to implement the directive in a different way.
Over time the EU Commission has collected comprehensive feedback on the implementation of the directive and related problems and codified this in the General Data Privacy Regulation, which was published in May 2016 and will be effective as of 25 May 2018.
The GDPR will introduce several innovations which I will go through in detail below. But one point that I think is important to highlight now is that this will be a global regulation. With the GDPR, the European data protection law will become applicable outside the borders of the EU, because it regulates the processing of the data of EU citizens. This means that any company, whether it is based in India, Australia, China or Canada, that is processing the data of EU citizens will have to follow the GDPR.
The main reasons for introducing the new regulation
You may ask yourself why the EU has decided to implement this new legislation. A few important reasons are listed below:
- Growth of the Internet and online services;
- Growth of cloud services and outsourcing;
- Inconsistent implementation and interpretation of the current data privacy directive (the Data Protection Directive) by Member States – The principle of data publicity varies significantly among Member States. While in Northern Europe, especially in Sweden, everything is public unless it is explicitly made secret, in Southern Europe, everything is secret unless it is specifically made public. You might be surprised by the practical implications of such a trivial difference when you try to live in accordance with country-specific regulations. Offering pan-European coverage while adhering to each Member State’s regulations is extremely complex;
- So-called “mission creep”, in which data is used for initially unforeseen purposes – Initially, perhaps, the idea is to use the data for one type of analysis, but then the data collector realises that there are other beneficial ways of using this data; for example, for marketing. The regulators saw that it is too easy to abuse data and use it for purposes other than those for which it was initially intended;
- A growing level of data breaches (take Uber and Equifax in the US as just two out of many examples), data leaks and governmental surveillance;
- The vulnerability of children in particular.
Five important changes compared to the existing legislation
I have tried to summarise the main differences between the existing directive and the new regulation. There are, of course, further differences if you study the GDPR in detail, but in my opinion these are the five main changes:
1. The scope of the GDPR
- The GDPR is replacing the current data privacy directive and thus all Member States’ local regulations.
- The current directive covers companies registered in the EU, while the new regulation applies to the processing of the personal details of EU citizens irrespective of where the data processing takes place. It makes the place of registration or the domicile of the company processing the data completely irrelevant.
2. It confers a broad set of rights on the data subjects (meaning the private persons)
- The right of access – the private person has the right to request all the personal details that a company has about themselves.
- The right of rectification – if there is a misrepresentation or incorrect data related to the private person, they have the right to have it corrected.
- The right to be forgotten – the private person has the right to request that all personal details about themselves be deleted. This right, I would say, is quite misrepresented in the mainstream media. It doesn’t mean that a company is obliged to delete all data about a private person just because they are asked to do so. The company is obliged to do so if there are no legal grounds for processing the data. To give an example: if book-keeping data has to be archived, for instance, for seven or ten years depending on the country, then the data has to stay in the archive for that period of time. Thus the right to be forgotten in this case means that only once the archiving time has expired can the data be deleted.
- The right to restriction of processing – the data can be processed only for explicitly specified purposes.
- The right to data portability – not only can the private person request all data about themselves, they should also be able to get a copy of such data.
3. Besides increasing the obligations of data controllers, the GDPR also introduces requirements for data processors.
The current directive does not impose any requirements on the latter group. Outlined below are a few implications for both groups of the new regulation:
- Privacy by design – an approach to systems engineering which takes privacy into account throughout the whole engineering process;
- Greater requirements for documentation and information within a company, so that employees are better informed about how they should be handling personal data; and, of course,
- Security and risk management along with the technical measures that a company needs to take to keep data safe.
4. It will be mandatory to report a data breach or incident to the relevant Member State’s Data Protection Authority (DPA).
5. There will be heavy penalties for companies that do not follow the regulation.
Now you have some basic background information about the GDPR. In our next article, we will take a closer look at the term “personal data” – what it actually means and, more specifically, what personal data is in Pagero’s line of business.
This article was written by Nazar Paradivskyy, Head of Compliance at Pagero Group, together with Fredrik Hjorth, a consultant from Transcendent Group. He is currently helping Pagero to implement the changes required by the GDPR. Fredrik has long experience of legislation in the privacy field and has solid experience from banking and finance.