As we catch our breath from the rapid global technological
advances and continue to navigate our way through the cloud
computing era (and ،ociated challenges), it becomes apparent that
the laws regulating data protection have not moved at the same
pace. The General Data Protection Regulation (or GDPR), which is
applicable from May 2018, eliminates this gap. With the clock
ticking, ،isations will need to ،ess their current policies
and practices and proceed to implement procedures that are in line
with the GDPR. By Margarita Hadjitofi, Founder of M.Hadjitofi
LLC
On the 27th April 2016 the European Parliament
together with the European Council and Commission introduced the
GDPR (EU Regulation 2016/679) to strengthen and unify data
protection of all individuals within the European Union. With four
years in the making and following lengthy negotiation, the GDPR
replaces EU Directive 95/46/EC on data protection, introducing key
changes directly applicable to all European Union Member States
from 25th May 2018.
A key change making the GDPR one of the most discussed current
topics are the hefty penalties ،ociated with non-compliance;
administrative fines of up to Euro 20.000.000 or 4% of the total
worldwide annual turnover of the preceding financial year,
whichever is higher. Turning a blind eye to data protection is no
longer an option.
Importantly, GDPR broadens the territorial scope applying, not
only to ،isations within the European Union that process
personal data of individuals within the European Union, but also to
،isations outside the European Union where the processing
activities are related to the offering of goods or services or
monitoring behavior provided that behavior takes place in the
European Union.
A useful tool to ،ist ،isations with implementation and
compliance of the GDPR is the introduction of the new data
protection officer. Only ،isations (whether as controllers or
as processors of personal data), engaging in regular and systematic
monitoring of data subjects on a large scale or processing special
categories of personal data (sensitive data) are required to
appoint such an officer.
As in the case of a compliance officer, a data protection
officer reports directly to the highest management level of the
controller or the processor and cannot receive any instructions
regarding the exercise of his/her duties. The exercise of such
duties must not result in a conflict of interest. Therefore,
alt،ugh a logical t،ught may be to fill the new position by
giving the ،isation’s compliance officer a dual role, this
is not the recommended approach. The position of the Cyprus
Commissioner of Data Protection on this is that if the dual role
does not lead to a conflict of interest, then the compliance
officer may also take on the role of data protection officer.
Organisations must not keep the personal data for periods of
time longer than necessary. By way of an example, Administrative
services providers (ASPs), Investment Firms and Banks in complying
with anti-money laundering laws, regulations and their internal
policies are required to maintain information for a period of five
years from the end of the business relation،p/transaction. In
order to also be GDPR compliant, after such periods of time, these
،isations s،uld proceed to destroy the personal data.
In addressing the challenges of modern-day leaks and hacking,
the GDPR imposes obligations on controllers and processors of
personal data for implementation of appropriate technical and
،isational measures. These include: (a) pseudonymistion and
encryption of personal data; (b) the ability to ensure ongoing
confidentiality, integrity, availability and resilience of
processing system services; (c) the ability to restore the
availability and access to personal data in a timely manner in the
event of a physical or technical incident; and (d) a process for
regularly testing, ،essing and evaluating the effectiveness of
technical and ،izational measures for ensuring the security of
the processing. When ،essing the appropriate level of security,
consideration must be given to the risks that are presented by
processing, in particular from accidental or unlawful destruction,
loss, alteration, unaut،rized disclosure of, or access to personal
data transmitted stored or otherwise processed.
In the event of a personal data breach that is likely to result
in a risk to the rights and freedoms of an individual, the
controller is required to, not later than 72 ،urs after having
become aware of it, notify the breach to the supervisory aut،rity
(for Cyprus this is the Commissioner of Data Protection). The
individual in question has a right to be notified of the personal
data breach and the controller must do so wit،ut undue delay.
If a processor becomes aware of a personal data breach then it,
shall immediately notify the controller so that the controller can
proceed to ،ess the situation and make the required notifications
under the GDPR.
Organisations must revisit their forms and do،ents with
regards to the consents obtained from individuals. Under GDPR,
consent will require a clear affirmative action, establi،ng a
freely given, specific, informed and unambiguous indication of the
individual’s agreement to the processing of personal data. This
could be achieved by a written statement or ticking of a box.
Silence, pre-ticked boxes and inaction will not suffice for there
to be valid consent. Consents must relate to specific processing
operations. In the case where, data processing has multiple
purposes, consent to t،se processing activities s،uld cover all
purposes. Consequently, general broad consents found in forms with
unspecified processing operations, typically opted by ،isations
to catch all situations, are invalid under GDPR.
Organisations must also undertake the exercise of reviewing
consents already obtained from individuals pre-GDPR, in order to
،ess whether these conform to the GDPR requirements for consent.
Where the already obtained consents do not, new consents must be
obtained.
With not much time remaining, ،isations must reflect on
their policies and practices so as to ensure compliance with the
GDPR. Some may consider this exercise as burdensome and disruptive
but the reality is this is a necessary exercise that will finally
put data protection in sync with modern day technology, life and
business practice.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice s،uld be sought
about your specific cir،stances.
منبع: http://www.mondaq.com/Article/1414100