Compliance with EU privacy regulation (GDPR) | KPMG Hungary

Is your enterprise prepared to ensure compliance with the EU's new, stricter privacy regulation?

Compliance with EU privacy regulation (GDPR)

Key changes pending in the legal regulation of data protection


The European Parliament, the Commission and the Council have agreed upon the final text of the General Data Protection Regulation, also known as GDPR. The new regulation will replace the Data Protection Directive, which has been in force since 1995. Its aim is to provide security for European citizens' personal data in the modern digital age and to harmonize related legislation in all EU member states.


After long “trialogue” negotiations—3 years after the first proposal—the three governing bodies agreed upon the final text of the General Data Protection Regulation, which was published on 5 May 2016 in the Official Journal of the European Union. GDPR enters into force on 25 May 2018, replacing the Data Protection Directive which has been in effect for over two decades. From that day on, the new privacy regulation will be applicable in all EU member states.


In light of the former directive, which was enacted in 1995, the final text of GDPR incorporates many significant changes into European privacy regulation. Some examples follow.

  • Consent requirements for people (data subjects) whose personal data is processed;
  • The right to have one’s personal data forgotten;
  • Compliance with the “Privacy by design”1 principle;
  • Data protection impact assessment;
  • Appointing a dedicated data protection officer;
  • Restrictions regarding data transfer to non-EU countries;
  • Communication of a personal data breach;
  • Compensation and administrative fines.


What follows is an overview of important business-related changes introduced by GDPR, and of the main obligations imposed by the new regulation.

1 “Privacy by design” refers to the methodology of applying the principles of built-in (by design) and by default data protection. Its key emphasis is that data protection requirements have to be treated as obligations as early as the design phase of processes, systems, applications, etc., and that data protection aspects also need to be integrated into the work of business and IT professionals.

1. Requirements regarding the consent of data subjects

Data subjects’ consent as a legal basis for processing personal data is not a new concept in data protection. However, GDPR introduces more rigorous requirements than the former directive. If an enterprise asks for the consent of a client to process his/her personal data, this consent needs to be expressed in an unambiguous way.


What does this mean in practice? The following table shows a non-exhaustive list of instances in which GDPR imposes stricter requirements than the ones stated in the former data protection directive, in terms of how businesses can obtain clients’ consent to the processing of their personal data.

  Counts as valid consent (+)                          Does not count as valid consent
  ------------------------------------------------     --------------------------------
  The client ticks a box                               The box is pre-ticked
  The client signs a consent statement                 The client’s lack of response
  The client chooses privacy-related technical         The client’s inactivity
  settings when using an online service

Noteworthy:

  • In the future, passive consent will not count as agreement to the processing of one’s personal data. As a result, organizations need to change their privacy consent settings on all digital and non-digital platforms in order to be compliant with GDPR.
  • Furthermore, in order to prevent unlawful data processing, enterprises need to ensure that the consent mechanism is tightly connected with their data processing activity. Processing data without the valid consent of a data subject is considered a breach of law.

2. New tasks for data processors

Among the new requirements introduced by GDPR, the most important task for data processors (also affecting data controllers) is to implement organizational and technical solutions that ensure the protection of processed personal data.


While in the former directive this was solely the responsibility of data controllers and the requirements were of a general nature, GDPR includes many specific requirements on the content of contracts between data controllers and data processors and defines new tasks for both controllers and processors.


Noteworthy:

  • Contracts between data controllers and data processors remain the basis for data processing activities. According to GDPR, such contracts need to include that the data processor is obliged to carry out data security measures stated in GDPR regarding—among others—the encryption of personal data, pseudonymization and business continuity. As a consequence, contracts between data controllers and data processors might need revision.
  • Data processors need to assess whether their existing solutions are appropriate to the purpose and extent of data processing, the amount of data collected, the retention time and the access to the data (privacy by default).

3. Communication of a personal data breach (new)

According to GDPR, data breaches need to be reported to the supervisory authority within 72 hours after the breach has been detected (in Hungary this body is called the National Authority for Data Protection and Freedom of Information, or “NAIH”).


Reporting personal data incidents depends on many factors, like:

  1. Does the organization know exactly where it stores personal data in its systems? Where can data be subject to a security incident?
  2. Does the company possess the capabilities necessary for detecting data breaches? Does the organization become aware of a data breach if it occurs?
  3. Have appropriate processes and procedures been implemented that enable a quick response to data incidents?


Noteworthy:

  • When responding to a data breach, a company needs to carry out a series of well-considered steps which require the co-operation of employees working in various fields. One of these steps is the reporting of the incident. Response time can be shortened significantly if the steps to be carried out were defined and tested before an actual data breach occurs.
  • Data protection incidents have to be logged and documented—independent of their range and impact on the organization—so that the enterprise can even verify its compliance with GDPR after the fact.

4. Data protection officer

One of the most frequently mentioned requirements of the new data protection regulation is the obligation to appoint a data protection officer (DPO). GDPR states that each company whose core activity requires regular and systematic monitoring of data subjects on a large scale has to appoint a DPO. The same applies to companies that process special categories of personal data on a large scale. Both data controllers and data processors are thus obliged to appoint a DPO.


The DPO may be a staff member or may fulfill the tasks on the basis of a service contract, as long as his/her professional qualities and knowledge of data protection law and practice make him/her suitable for such tasks.


Noteworthy:

  • The data protection officer holds an independent position and is likely to have significant influence on business decisions. Thus, the creation of this position is a great responsibility for enterprises. The DPO needs to have a clear view of the company's business activity and must possess extensive professional knowledge of data protection requirements and legal compliance. These qualifications make him/her capable of giving appropriate professional advice to the company and enable that individual to represent the organization at the data protection authority.

5. Compensation and fines up to EUR 20 million or 4% of an enterprise’s annual global turnover

When GDPR enters into force, non-compliant enterprises could face fines and the possible payout of compensations.

  • For infringement of the obligatory provisions, data controllers and data processors are potentially liable to administrative fines up to EUR 10 million, or 2% of the enterprise’s total worldwide annual turnover—whichever is higher.
  • For infringement of the basic principles of data processing (including the conditions for consent), the principles for data transfer, or the rights of the data subject, the responsible authority can mete out an administrative fine up to EUR 20 million or 4% of the enterprise’s total worldwide annual turnover—whichever is higher.

While the threat that such high fines can be imposed is real, in the short term we do not expect such severe punishment. Enterprises that process large amounts of personal data, however, have to take into consideration that they are likely to be among the first ones whom data protection authorities will review in order to make sure that they are operating in line with GDPR provisions.


Noteworthy:

  • To avoid fines it is important to ensure that the enterprise operates in accordance with GDPR at the organizational level and possesses all documents that are necessary to prove compliance towards the responsible authority (e.g. data protection impact assessment; documentation of data breaches; consent of data subjects, etc.).


Hungarian enterprises have only a year left to make the necessary changes in their operations and organizational structures in order to adhere to the GDPR provisions.
