GDPR: one year later

The General Data Protection Regulation (GDPR) came into force on 25th May 2018 to reinforce data protection while also bringing greater uniformity to existing data regulations. The GDPR concerns any person and any organization (company, association, administration, local authority, ...) based in the EU, as well as organizations outside the EU that manage the data of European individuals. The GDPR governs data privacy and protection: how data is handled, collected, stored, processed and destroyed. It also requires explicit consent for the use of data and timely reporting of any breaches.

Companies should have made the necessary arrangements to analyze their data in order to respond quickly to the privacy requirements formulated by the GDPR.

Data is the fuel of this digital era and privacy is the new currency. GDPR has created the framework to build that trust. Its 99 articles set out the principles that apply to all companies that hold or process the personal data of European individuals. Adopting the GDPR is necessary, since companies are exposed to fines of 4% of their worldwide turnover. Google was fined 50 million euros for the lack of information given to its users about the exploitation of their personal data. The same applies to Facebook. Also, more than 200,000 cases have been reported.

GDPR: legal grounds for lawful processing of personal data

  1. Consent as a legal ground for lawful processing
  2. Contractual necessity as a lawful basis for processing
  3. Lawful processing on the ground of legal obligations
  4. Vital interests and lawful personal data processing
  5. Public interest as a basis for lawful processing
  6. Legitimate interests as a legal basis for processing

What to remember?

1- A unified legal framework: Unlike Directive 95/46/EC, it applies directly to all the countries of the European Union; there is no national transposition.

2- Obligation of consent:

  • Obtaining the consent of the person whose data is being processed will become mandatory.
  • Clear and explicit consent to the collection of data: Article 4.11.
  • There can therefore be no consent in case of silence.
  • Lawful processing in some cases: Article 6.a to 6.f.
  • The person whose data is collected may withdraw consent at any time: Article 7.3.

3- Right to rectification and to be forgotten: Data subjects have the right to rectification and to be forgotten (digital erasure): Article 17.

4- Processing register: Detailed records of processing must now be kept not only by the data controller but also by any subcontractors. This register must be made available at all times to the supervisory authorities: Article 30.

5- Data breach notification: The supervisory authority and the data subjects must be notified in the event of a personal data breach: Articles 33 and 34.

6- Data Protection Impact Assessment (DPIA): Before processing, the controller must analyze the impact of the envisaged processing operations on the protection of personal data. A single analysis may cover a set of similar processing operations with similar high risks: Article 35.

7- Designation of DPO (Data Protection Officer): The DPO will ensure compliance with the law regarding personal data. Designating a DPO is mandatory for public stakeholders and certain private actors.

8- Right to data portability: Data subjects may request that the data they provide be forwarded by the controller to any other data controller: Articles 20, 45 and 49.

The principle of "Privacy by design" must be taken into account at each stage of data processing and at each level of the corporation. As an illustration, the pseudonymization of data (the replacement of certain personal data by an alias) makes the person concerned by the data unidentifiable. The privacy of the person is protected while the company can still use the data for the desired purposes. The data is thus "separated" from the identity of the person. Another example is minimizing the collection of data: only the data necessary for the purpose sought by the company is collected.
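The two measures described above, pseudonymization and data minimization, combined in an added Python example that is not part of the original article. The field names, the sample records and the key are assumptions constructed for illustration; the alias is a keyed HMAC so that it cannot be reversed by hashing guessed e-mail addresses without the key.

```python
import hashlib
import hmac

# Assumption: in a real deployment this key is held in a secrets manager,
# separately from the pseudonymized data. Constructed demo value.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"

# Assumption (hypothetical schema): the analytics purpose needs only these fields.
ALLOWED_FIELDS = ("country", "plan", "signup_month")


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Return a stable alias for a direct identifier (HMAC-SHA256, hex)."""
    # Normalize first so the same person always maps to the same alias.
    normalized = identifier.strip().lower().encode("utf-8")
    # A keyed MAC, not a bare hash: e-mail addresses are guessable, so an
    # unkeyed SHA-256 could be reversed with a dictionary of candidates.
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def minimize_and_pseudonymize(record: dict, key: bytes = PSEUDONYM_KEY) -> dict:
    """Drop every field not on the allowlist and replace the e-mail by an alias."""
    if not record.get("email"):
        raise ValueError("record has no e-mail to derive an alias from")
    out = {"subject_alias": pseudonymize(record["email"], key)}
    for field in ALLOWED_FIELDS:
        if field in record:
            out[field] = record[field]
    return out


def build_analytics_view(records, key: bytes = PSEUDONYM_KEY) -> list:
    """Produce the data set handed to analytics: aliases plus needed fields only."""
    return [minimize_and_pseudonymize(r, key) for r in records]


# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"email": "Alice.Martin@example.com", "name": "Alice Martin",
     "phone": "+33 1 00 00 00 00", "country": "FR", "plan": "pro",
     "signup_month": "2018-06"},
    {"email": "bob@example.org", "name": "Bob Durand",
     "country": "BE", "plan": "free", "signup_month": "2019-01"},
    {"email": " alice.martin@example.com ", "name": "A. Martin",
     "country": "FR", "plan": "enterprise", "signup_month": "2019-03"},
]

if __name__ == "__main__":
    for row in build_analytics_view(SAMPLE_RECORDS):
        print(row)
```

Rotating or destroying the key breaks the link between aliases and identities, which is why it is kept apart from the output data.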

Data protection must therefore be incorporated into every technology or service dealing with personal data and every time it is used. The measures used by the company must be proportionate to the risks and violations that the processing of personal data may cause. It is necessary to build trust between a company and its customers, between the company and its suppliers, and especially between the company and its own employees.

The benefits of GDPR show in an improved cybersecurity and data governance framework for business efficiency. Non-compliance is a real threat. The best way to start is with a data mapping exercise and a gap analysis assessment. Under GDPR, there is no “one-size-fits-all” solution for every organization.