Are you ready for the GDPR? | KPMG | BE

Are you ready for the General Data Protection Regulation?

Are you ready for the GDPR?

The European parliament, commission and counsel have reached an agreement on the General Data Protection Regulation (GDPR) text.

1000

Related content

This will replace the Data Protection Directive from 1995 and aims at protecting the EU citizen’s personal data in the current digital world whilst harmonizing the legislation for the processing of personal data across the whole EU.

An agreement on the General Data Protection Regulation (GDPR) text was finally reached on the 15th of December 2015 – three years after its proposal in 2012 - by the European parliament, commission and counsel. The GDPR will replace the Data Protection Directive from 1995 and aims at protecting the EU citizen’s personal data in the current digital world whilst harmonizing the legislation for the processing of personal data across the entire EU.

The Regulation has been adopted by the European Parliament on 14 April 2016 and entered into force on the 24th of May 2016, with a transition period of 2 years, meaning that the regulation will be fully applicable on 25 May 2018.

With the release of the agreed upon text, it is clear that a number of obligations are completely new, and many have significantly changed compared to the Directive of 1995, such as:

  • Requirements for getting consent
  • Administrative fines
  • Privacy Impact Assessments (PIA)
  • Privacy by Design & Default (PbD)
  • Data breach reporting
  • Data transfer outside of the EU
  • Mandatory Data Protection Officer (DPO)
  • The right to be forgotten/erased.

Take a closer look at a number of high impact changes and new obligations of the GDPR:

 

1. Consent (changed)

The aspect of consent is not new, yet the requirements have been tightened significantly in the new GDPR. When requesting consent from your client for the processing of their personal data, it should be done in an unambiguous manner, through a statement or a clear affirmative action.

Below we have outlined what is considered to be acceptable (+) and not acceptable (-) as an unambiguous consent (note this list is non-exhaustive).

 

Pros

  • Ticking a box (opt-in) 
  • Placing a signature 
  • Explicit affirmative action

 

Cons

  • Silence
  • Pre-ticket boxes (opt-out)
  • Inactivity

 

Things to think about:

  • Using opt-out mechanisms are no longer sufficient as a sign of consent from the client. Organizations will have to change their consent settings on all of their platforms, paper and digital, - where required – in order to become compliant.
  • Organizations will need to make sure that the consent mechanism is closely linked to their processing activity in order to prevent illegal (unlawful) processing. Processing personal data without valid consent is considered to be illegal.

 

2. New responsibilities for Data Processors (new)

One of the most impactful new additions – for data processors - is the responsibility that falls jointly upon the data controller and the data processor: the implementation of organizational and technical measures for the protection of the processed personal data. Whereas, under the Directive of 1995, this responsibility would lie entirely with the data controller, the data processor will now also need to implement safeguards in order to be compliant with the GDPR.

Things to think about:

  • Data processors will need to assess whether the existing measures are sufficient in terms of the purpose and extent of processing, the amount of data collected, the period of data storage, and the accessibility of the data. (Privacy by Default)
  • A processing agreement will remain the basis for establishing the purpose and extent of the data processing activities between the data controller and processor, where the explicit identification of security measures is possible (and desirable).

 

3. Data Breach reporting (new)

  1. Data breaches should be reported to the supervisory authority (in Belgium this is the Commission for the Protection of Privacy, CPP) within 72 hours after becoming aware of the breach.
  2. Reporting on personal data breaches will depend on a number of things:
  3. Does the organization know where all its personal data is located? Where personal data can be breached?
  4. Does the organization have the capabilities of detecting when a breach has occurred? Do you know if you have been breached?
  5. Do you have the necessary processes and procedures in place to swiftly respond to the data breach? How much time does it take to deal with such a breach? Will 72 hours be enough?

Things to think about:

  • Responding to data breaches will require a well thought-through flow of actions from a range of different people and reporting will be one of those actions. Defining the actions and testing (dry-run) them in advance will only improve the response time once confronted with an actual data breach.
  • Data breaches, no matter which size or impact, will need to be logged and documented in order to retroactively demonstrate compliance to the GDPR.

 

4. Mandatory Data Protection Officer (new)

The mandatory Data Protection Officer, has been one of the most talked about requirements in the GDPR. With the release of the GDPR it has been decided that each data controller or processor processing personal data “at large scale”, regardless whether the personal data is sensitive or not, needs to appoint a Data Protection Officer (DPO).

This role can be filled in by an internal employee or an external contractor as long as the individual is appointed based on their professional qualities and expert knowledge of the data protection legislation and practices. How this expert knowledge should be interpreted is not yet clearly defined.

Things to think about:

  • The DPO will fill an independent position with a lot of (possible) influence on the business. It’s important that assigning this position is not taken lightly.
  • The DPO should understand the company’s business as well as have expert knowledge on the data privacy requirements and regulations, in order to provide adequate advise to the organization and correctly represent the company toward the Data Privacy Authority (Privacy Commission).

 

5.Fines up to 20M EUR or 4% of global annual turnover (new)

With the adoption of the GDPR, administrative fines can be imposed for non-compliance with the regulation.

  • Non-compliance with the obligations as a data controller or a data processor could result in a fine up to 10M EUR or 2% of the annual global turnover (whichever is higher).
  • Non-compliance with the basic principles for processing (such as consent), the data subject’s (client) rights or the approved data transfer mechanisms, could result in a fine up to 20M EUR or 4% of annual global turnover (whichever is higher).

Even though so called monster fines will be possible, we do not expect to see them in the next couple of years. Large organizations that process large amounts of personal data should, however, be aware that they might be one of the first to hear the data protection authority knocking on their door to check on their compliance with the GDPR.

Things to think about:

  • Fines will be imposed in case of non-compliance, so first focus on bringing the organization into compliance with the regulation and second, make sure the organization can prove its compliance through the necessary records (e.g. Privacy Impact Assessments, data breach records, consent, etc.).
  • Belgian companies will have a two year timeframe to become compliant with the new regulation by pushing through operational and organizational reforms where necessary.

© 2017 KPMG Advisory, a Belgian civil CVBA/SCRL and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.

Connect with us

 

Request for proposal

 

Submit