We are pleased that, with the imminent arrival of the General Data Protection Regulation (GDPR) by the EU, we can once again put our money where our mouth is.
As many of you know, our company name aewacs was inspired by NATO’s Airborne Warning And Control System, so monitoring and early warning are in our DNA. The GDPR will, as of May 25th 2018, for the most part apply directly in all EU Member States. It will cover almost all processing of personal data by organizations established in the EU, and by organizations outside the EU that target EU residents.
Key implications and measures
Meeting the GDPR’s requirements is important. Therefore, we have taken the liberty to engage our law firm Norton Rose Fulbright to inform you about the key implications and the measures to be taken. While at it, we will explain what measures we have taken on our part to safeguard your data and comply with the new rules.
Replacement of current privacy legislation
The GDPR is designed to give residents of the EU more rights, control, and awareness about how their personal information is used whenever they submit it to public and private organizations. The GDPR will replace the current privacy legislation, which is derived from an EU directive dating back to 1995. Many of the starting points of the current legislation have not significantly changed. Under the GDPR, personal data can still only be processed on a legitimate legal ground (e.g. performance of a contract or explicit consent obtained from the individual). Also, organizations must continue to inform individuals about the processing of their personal data.
Most ambitious and comprehensive changes since 1995
Nonetheless, the GDPR presents the most ambitious and comprehensive changes to data protection rules around the world since 1995:
- The maximum fines for non-compliance are €20 million or 4% of the organization’s total worldwide annual turnover, whichever is higher. This means that organizations can no longer take a somewhat passive approach towards compliance (as many companies did under the current rules).
- The GDPR introduces the concept of accountability. Organizations will not only need to comply with the rules but also be able to demonstrate this. They should be able to substantiate that they indeed have considered all applicable GDPR’s requirements in relation to their use of personal data. Furthermore, they must have implemented a system or program that allows them to achieve compliance. The GDPR requires organizations to implement a few instruments that effectively help them to demonstrate accountability:
- Most organizations are obliged to implement and maintain a written record of the processing activities under their responsibility. The register should, among other things, include a detailed specification of how personal data of clients, employees and others is being used within the organization, the purposes of such use, and the time limits for erasure of the data;
- Pursuant to the GDPR, organizations need to carry out data protection impact assessments (also known as privacy impact assessments, PIAs) in certain circumstances. Specifically, a PIA must be carried out where a type of processing is likely to result in a high risk to the rights and freedoms of individuals. All PIAs must be documented in writing.
- The rights of individuals whose personal data is being processed (data subject rights) will be significantly enhanced under the GDPR. Upon request by an individual, the organization will, among other things:
- need to provide a copy of the personal data that such organization possesses in relation to that individual;
- facilitate the transmission of personal data to a new service provider, where technically feasible (e.g. if the individual moves from one insurer to another, the old insurer must transfer the relevant personal data to the new one);
- in certain circumstances, have to delete all personal data relating to that individual.
- Other actions that may, depending on the nature and size of a business, be necessary include:
- appointing a data protection officer;
- putting in place a data breach response and notification procedure; and
- educating the business and senior management about the requirements under the GDPR.
It is important to note that the specific actions required may differ between organizations. If your organization needs assistance with analysing and implementing the changes arising from the application of the GDPR, please contact us. We’ll put you in touch with our lawyers.
Photo by Foto-Rabe