GDPR: New law, similar wishes to protect what remains valuable
The expansive value of data no longer needs an explanation. This ‘new asset’ continues to become more valuable for organisations over time. Regulations that force us to handle sensitive, personal data in a proper way helps us to protect what is valuable.
With all current attention focused on privacy and the possibly new Intelligence and Security Services Act (WIV), people tend to forget other regulations also came into force: the General Data Protection Regulation, GDPR for short. This new law brings high expectations: is this going to be the new millenium bug, or will this be just another law thatlaw, that slowly slips into oblivion?oblivion.
For whom relevant?
GDPR became effective on the 25th of May, 2018 and in the Netherlands replaced the Personal Data Protection Act (WBP). The latter was implemented back in 2001 and was based on (95/46/EG) European guidelines.
The GDPR bears direct consequences for both processors and controllers. These terms lead to two other important definitions: Personal data(1) and processing(2).
The most important changes for processors
Afraid of deciphering the complete European lawbook when trying to process personal data? No worries. In factin fact; the new GDPR shows many similarities with the old WBP. The three most important changes are:
The data processor agreement
When a responsible third party appoints a third party processor, a processor agreement has to be signed. This is not anything new; this obligation already existed, but purely for the main responsible. After the 25th of May 2018, the third party processor will become partly responsible and therefore also has to sign the data processor agreement. What does such an agreement entail exactly? It must contain agreements in terms of the subject, duration and the goal of the processing, but details on securing personal data as well. The latter is a commitment made by the processor and therefore has to include certain terms on the confidentiality of the data, partaking in audits, acting when data leakage occurs and must include details on technical and organisational measures. This also was part of the traditional WBP; the GDPR mainly concretizes this.
One of the major changes the new GDPR entails compared with the traditional WBP is the size of the scope. For example, even when the concerned processing party and responsibles are not physically located in the EU, they have to comply with this law. This is determined by examining whether the party in question delivers goods and/or services to parties located within the EU, or if they monitor the behaviour of these parties for sales purposes. It doesn’tdoes not matter if they use datacenters or other resources within the EU.
The consequences of breaking the GDPR law are clear: breaking=paying. This regulation too, is much like the old one, apart from the fact that the processor has additional responsibilities, meaning that the scope of the liability has grown. In case of not properly applying GDPR, compensation money can be demanded by any party that was both materially or immaterially harmed as a consequence of a breach. Additionally, a fine can be levied by the regulatory body (Autoriteit Persoonsgegevens in the Netherlands). New is the amount of the fine. As of now, this fine can reach amounts of up to €20 million or 4% annual global turnover of the company the legal person belongs to – whichever is higher.
Most important changes for the responsible party:
Bottom line: remain calm, as this law is just an extension of an already existing law and its main purpose is to protect our most valuable data.
- Officer responsible for data collection
- Documentation requirements
- Obligation to report data breaches
It may be unexpected, especially concerning a hot topic like privacy, but many of the new regulations are similar to the old ones. The ‘new’ regulations are in line with what we have seen before in the Netherlands, meaning there is no question about it being a millenial bug. When we wake up on the 26th of May 2018, the world will be exactly the same as today.
Further clarification of definitions:
1) Personal data entails all information regarding an identified or identifiable natural person. This means an individual that can be identified by his/her name, identification number, location information or other aspects that characterize the physical, economical, cultural or social identity of a natural person. Beware of the fact that a company is not a natural person.
2) Processing is understood to mean an operation or a set of actions concerning personal data or a set of personal data (e.g. by means of automated processing) such as collecting, recording, storing, deleting or destroying data. The processor is the one that processes this data. A processor often does this for another person, the controller. This is the legal person that is determining the actual purpose of the data processing. As an example, one could think of a hospital that hires an IT company to store their personnel data in such a way that it is easily accessible for the financial department to pay their wages. In this case the hospital is responsible, within the IT company the processor.
As soon as processing of personal data comes into play, the GDPR applies. This is due to the fact that the GDPR is effective in all of the EU member states. This saves regulatory bodies the task of converting the laws into national legislation. In case of conflict with the national law, the GDPR overrules.