EU General Data Protection Regulation (GDPR) | KPMG | SK

The European parliament, Commission and Council have reached an agreement on the General Data Protection Regulation (GDPR) text. This replaces the Data Protection Directive from 1995 and aims at protecting the EU citizen’s personal data in the current digital world whilst harmonizing the legislation for the processing of personal data across the whole EU.

An agreement on the General Data Protection Regulation (GDPR) text was finally reached on 15 December 2015 (three years after its proposal in 2012) by the European Parliament, Commission and Council. The GDPR replaces the Data Protection Directive from 1995 and aims at protecting the EU citizen’s personal data in the current digital world whilst harmonizing the legislation for the processing of personal data across the entire EU. The Regulation entered into force on 24 May 2016, with an implementation period of two years ending on 25 May 2018.

New Requirements

With the release of the agreed-upon text, it is clear that a number of obligations are completely new, and many have changed significantly compared to the Directive of 1995, such as:

  • requirements for getting consent,
  • new responsibilities for Data Processors,
  • administrative fines,
  • Privacy Impact Assessments (PIA),
  • Privacy by Design & Default (PbD),
  • data breach reporting,
  • data transfer outside of the EU,
  • the mandatory Data Protection Officer (DPO),
  • the right to be forgotten/erased.

Requirements for getting consent

When requesting consent from your client for the processing of their personal data, it should be done in an unambiguous manner, through a statement or a clear affirmative action. Acceptable indicators of unambiguous consent are ticking a box, placing a signature or another explicit affirmative action.

New responsibilities for Data Processors

One of the most impactful new additions for data processors is a responsibility that now falls jointly upon the data controller and the data processor: the implementation of organizational and technical measures for the protection of the processed personal data.

Administrative fines

With the adoption of the GDPR, administrative fines can be imposed for non-compliance with the Regulation. Non-compliance with the obligations of a data controller or a data processor could result in a fine of up to EUR 10 million or 2% of the annual global turnover (whichever is higher). Non-compliance with the basic principles for processing (such as consent), the data subject’s (client’s) rights or the approved data transfer mechanisms could result in a fine of up to EUR 20 million or 4% of the annual global turnover (whichever is higher).

Privacy Impact Assessments (PIA)

Before data processing begins, it will be obligatory to analyse its impact on personal data protection.

Privacy by Design & Default (PbD)

Companies will have to prove that security measures are part of the proposal for the personal data processing design. Privacy shall be considered by default.

Data breach reporting

Data breaches should be reported to the supervisory authority (in Slovakia this is the Office for Personal Data Protection of the Slovak Republic) within 72 hours after becoming aware of the breach.

Data transfer outside the EU

New rules are set for the transfer of data outside the EU. A transfer is possible only if the third country is considered safe. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation: a transfer may take place only if, subject to the other provisions of the Regulation, the controller or processor complies with the conditions laid down in the Regulation’s provisions on the transfer of personal data to third countries or international organisations.

Mandatory Data Protection Officer (DPO)

It has been decided that each data controller or processor processing personal data “at large scale”, regardless of whether the personal data is sensitive or not, needs to appoint a Data Protection Officer (DPO).

Right to be forgotten/erased

Clients will get new rights, such as the right to erasure and the right to data portability.

KPMG Recommendations

To fulfil the requirements of the GDPR, it is recommended to implement the following steps:

  • comparison of the current systems and the set of procedures employed by your company with the requirements of the Regulation, which includes:
    » assessment of internal regulations and management processes regarding the processing of personal data,
    » confirmation of the key areas of processing, the relevant local authorities and the groups of persons concerned,
    » identification of the areas that will be subject to a data protection impact assessment,
  • adjusting the personal data governance,
  • conducting the privacy impact assessment and describing the life-cycle process framework and data architecture,
  • identification of the relevant business requirements,
  • adjusting the organizational design, processes and IT, and technically implementing all necessary changes (by May 2018).
