Key changes pending in the legal regulation of data protection
The European Parliament, the Commission and the Council have agreed upon the final text of the General Data Protection Regulation, also known as GDPR. The new regulation will replace the Data Protection Directive, which has been in force since 1995. Its aim is to provide security for European citizens' personal data in the modern digital age and to harmonize related legislation in all EU member states.
After long “trialogue” negotiations—3 years after the first proposal—the three governing bodies agreed upon the final text of the General Data Protection Regulation, which was published on 5 May 2016 in the Official Journal of the European Union. GDPR enters into force on 25 May 2018, replacing the Data Protection Directive which has been in effect for over two decades. From that day on, the new privacy regulation will be applicable in all EU member states.
Compared with the former directive, which was enacted in 1995, the final text of GDPR introduces many significant changes into European privacy regulation. Some examples follow.
Consent requirements for people (data subjects) whose personal data is processed include:
What follows is an overview of important business-related changes introduced by GDPR, and of the main obligations imposed by the new regulation.
1 “Privacy by design” refers to the methodology of applying the principles of built-in (by design) and by default data protection. Its key emphasis is that data protection requirements have to be treated as obligations as early as the design phase of processes, systems, applications, etc., and that data protection aspects also need to be integrated into the work of business and IT professionals.
Data subjects’ consent as a legal basis for processing personal data is not a new concept in data protection. However, GDPR introduces more rigorous requirements than the former directive. If an enterprise asks for the consent of a client to process his/her personal data, this consent needs to be expressed in an unambiguous way.
What does this mean in practice? The following table shows a non-exhaustive list of instances in which GDPR imposes stricter requirements than the ones stated in the former data protection directive, in terms of how businesses can obtain clients’ consent to the processing of their personal data.
| Acceptable form of consent | Not considered consent |
| --- | --- |
| The client ticks a box | The box is pre-ticked |
| The client signs a consent statement | The client’s lack of response |
| The client chooses privacy-related technical settings when using an online service | The client’s inactivity |
Among the new requirements introduced by GDPR, the most important task for data processors (also affecting data controllers) is to implement organizational and technical solutions that ensure the protection of processed personal data.
While in the former directive this was solely the responsibility of data controllers and the requirements were of a general nature, GDPR includes many specific requirements on the content of contracts between data controllers and data processors and defines new tasks for both controllers and processors.
According to GDPR, data breaches need to be reported to the supervisory authority within 72 hours after the breach has been detected (in Hungary this body is called the National Authority for Data Protection and Freedom of Information, or “NAIH”).
Reporting personal data incidents depends on many factors, like:
One of the most frequently mentioned requirements of the new data protection regulation is the obligation to appoint a data protection officer (DPO). GDPR states that each company whose core activity requires regular and systematic monitoring of data subjects on a large scale has to appoint a DPO. The same applies to companies that process special categories of personal data on a large scale. Both data controllers and data processors are thus obliged to appoint a DPO.
The DPO may be a staff member or may fulfill the tasks on the basis of a service contract, as long as his or her professional qualities and knowledge of data protection law and practice make him or her suitable for such tasks.
When GDPR enters into force, non-compliant enterprises could face fines and possible claims for compensation.
While the threat that such high fines can be imposed is real, in the short term we do not expect such severe punishment. Enterprises that process large amounts of personal data, however, have to take into consideration that they are likely to be among the first ones whom data protection authorities will review in order to make sure that they are operating in line with GDPR provisions.
Hungarian enterprises have only a year left to make the necessary changes in their operations and organizational structures in order to adhere to the GDPR provisions.