by Daniel Bugeja May 02 2018
The General Data Protection Regulation (GDPR) is a directive that requires all companies to safeguard and protect any personal data of all individuals within the European Union when performing transactions both inside and outside the EU. With only a few weeks left until the GDPR officially replaces the current Data Protection Act, 2011, on the 25th May 2018, it is important to take the necessary steps to guarantee compliance and avoid any penalties that might be incurred.
GDPR will replace the current Data Protection Act, 2011, Chapter 440 of the laws of Malta (DPA). If your business is compliant with the DPA, you probably already fulfil many of the requirements of the GDPR. However, there are some key changes you need to know. I’ve summarised the key differences below to help you consider what action you may need to take to update your existing information systems. There is still time to take action, and there’s no time like now!
What are the differences and how will GDPR affect the way I run my business?
1. Scope
Current: DPA applies only to organisations in Malta.
New: GDPR extends its reach to encompass all European States (including Britain, even though it is leaving the European Union). It also applies to any global company holding data on EU citizens (Facebook being one example).
2. Definition of Personal Data
Current: Personal data and sensitive personal data which could identify someone directly or indirectly.
New: The definition is extended to include online information which could identify a person, for example IP addresses, mobile device IDs and encrypted data. There are also new responsibilities to protect children’s personal data.
3. Responsibility for Data Security
Current: Only the data controller has responsibility for security of information.
New: GDPR also makes the data processor responsible. Companies with more than 250 employees must employ a Data Protection Officer. Consumers could hold both the data processor and the data controller responsible for data breaches.
4. Demonstrating Compliance
Current: Under the DPA businesses had to indicate intent and willingness to comply.
New: Under GDPR, businesses and organisations have a mandatory responsibility to demonstrate compliance. Ways in which this can be shown include:
• Staff training
• Internal audits and documentation of data processing activities
• Internal HR policy review
• Meet all the principles of data protection by design
• Implement Protection Impact Assessments
5. Consent
Current: Data collection does not necessarily require an opt-in.
New: Individuals must give explicit consent to opt in whenever data is collected, and there must be clear privacy notices. Those notices must be concise and transparent, and it must be possible to withdraw consent at any time.
6. Subject Access Requests
Current: People have the right to request to see what information you hold about them. These requests are to be adhered to “without excessive delay and without expense”.
New: Under GDPR subject access requests will be free of charge and must be responded to within 30 days.
7. Data Breaches
Current: Companies are not obliged to report data breaches, though it is considered best practice under the current DPA.
New: GDPR carries a mandatory requirement for all data breaches to be reported to the regulator within 72 hours.
8. Data Removal
Current: There is no requirement for an organisation to remove all data they hold on an individual.
New: An individual will have the ‘right to erasure’, covering all data held on them, including web records, all of which must be permanently deleted.
9. Enforcement and Penalties
Current: Enforced by the Information and Data Protection Commissioner’s Office (IDPC) in Malta. It can issue fines of up to €23,300 for each violation and €50 for each day during which such violation persists.
New: Each European country will have its own supervisory authority to monitor GDPR compliance. The IDPC will be the supervisory authority in Malta. From the 25th May 2018, organisations that fail to comply with GDPR could be fined up to €20 million or 4% of their annual global turnover, whichever is higher.
10. Privacy by Design
Current: Protection Impact Assessments (PIAs or DPIAs) are not a legal requirement under the DPA.
New: DPIAs will be mandatory and must be carried out when there may be a high risk to the freedoms of the individual. A DPIA helps an organisation ensure it meets an individual’s expectation of privacy.