General Data Protection Regulation
The GDPR (General Data Protection Regulation) is an EU law which deals with personal data and its protection.
It came into force on the 28th of May 2018 and is applicable in all EU Member States, including Malta.
Given the great technological advances of our time, our personal data is at risk of being lost, stolen or misused. Here is where GDPR comes into play.
WHAT’S WHAT?
Personal Data: Any information relating to an identified or potentially identifiable natural person (i.e. a living individual).
Data Subject: An individual i.e. a natural person, of whom such personal data is being collected and processed.
Data Controller: An individual or company which determines the purposes and methods through which the processing of data shall occur.
Data Processor: An individual or company which processes the personal data on behalf of the controller.
SO, WHAT’S NEW?
NEW CONSENT REQUIREMENTS
When using consent acquired from the Data Subject as the legal basis for your processing, such consent should be given as a clear affirmation, i.e. it must be:
- Unambiguous
- Freely given
- Specific
- Informed
If processing sensitive personal data, the consent should be explicit and not simply unambiguous.
If you acquired consent from the Data Subject prior to the introduction of the GDPR, and you are no longer compliant, you must reobtain the Data Subject’s consent.
DATA BREACH NOTIFICATION
Data Controllers must report a data breach to the Information and Data Protection Commissioner (IDPC) not later than 72 hours after having become aware of it.
If such a breach is likely to result in a high risk to the Data Subject’s rights, you must also inform him/her.
A data breach, no matter how big or small, must always be recorded by the Data Protection Officer.
DATA PROTECTION OFFICER
A Data Protection Officer is required under the GDPR in the following circumstances:
- Where the data processing is carried out by a public authority;
- Where the data processing is done on a large scale;
- Where the processing involves sensitive personal data or relates to criminal convictions and offences on a large scale.
Failure to appoint a Data Protection Officer when necessary may open the organization to fines up to 10 million Euro or 2% of global turnover, whichever is higher.
PROVIDING DATA TO DATA SUBJECT
Once a Data Subject asks you for the personal data you hold on him/her, you must provide such data in a concise, transparent, intelligible and easily accessible manner, using simple and clear language.
The data you give to the Data Subject must also include the following:
- Identity and contact details of the Data Controller;
- Contact details of the Data Protection Officer (if present);
- The purpose of processing his/her data;
- The legal basis/ground for processing his/her data;
- Who has access to his/her data (if any);
- The period for which such personal data is kept;
- His/her new data rights under the GDPR.
NEW DATA SUBJECT RIGHTS
Under the GDPR, Data Subjects are afforded new rights when it comes to their personal data, such as:
- The right to be forgotten;
- The right to data portability;
- The right to information;
- The right to access their data;
- The right to erase their data;
- The right to rectify their data;
- The right to restrict the processing of their data;
- The right to object to the processing of their data;
- The right to lodge a complaint with the IDPC;
- The right to withdraw their consent at any time.
NEW DATA PROCESSOR OBLIGATIONS
Prior to the GDPR, Data Controllers were the only entities possibly liable when it came to a data breach. Now under the GDPR, action can be taken against Data Processors too.
Under the GDPR, Data Processors are not only liable, but are also bound to implement and maintain proper security measures to protect personal data and prevent breaches, and must notify the Data Controller whenever a data breach arises.
Furthermore, the relationship between the Data Controller and the Data Processor must now be regulated through an agreement which cannot be merely verbal, i.e. it must be put down in writing.
ADMINISTRATIVE FINES
The GDPR adopts a two-tiered approach when it comes to administering fines for infractions and breaches of personal data:
- €10,000,000 or in the case of undertakings, 2% of global turnover, whichever is higher;
- €20,000,000 or, in the case of undertakings, 4% of global turnover, whichever is higher.
When administering such fines, the IDPC shall take into account numerous considerations, such as the severity of the data breach and the nature of the data affected, amongst many others.
For personalised assistance contact us