Today on the 8th of December 2016, the Belgian Privacy Law celebrates its 24th birthday. Even though we celebrate its birthday, the countdown for the replacement of the Belgian Privacy Law continues as only 368 working days (532 days) are left before the General Data Protection Regulation (GDPR) enters into force. But what are the consequences of this change that has become such a hot topic? Time for some reflection to look at the highlights.
When looking at the GDPR, one will notice that certain provisions have been expanded and that new elements have been added.
One very crucial element is the scope of the GDPR, which will apply directly in all 28 member states. This means that organisations and companies no longer have to take into account 28 different national laws, but will, in principle, only have to look at the regulation to know what they should or should not do. Importantly, organisations and companies that are not based in the EU must also comply with the GDPR when they are directly involved with personal data in the EU.
With regard to individuals, the EU has listened to their demand to be more in control of their personal data and what happens to it, by expanding their rights. For example, the GDPR has added the right to data portability and now explicitly mentions the right to be forgotten (right to erasure), which was previously based on the case law of the Court of Justice. Also, more attention is given to transparency, which will make the idea of data protection and being in control of one's personal data more accessible to individuals.
As a consequence of the extension of the rights of individuals, the controller, being the organisation or company which determines the purposes and means of the processing of personal data, is subject to more obligations under the GDPR. The controller must be able to demonstrate compliance with the GDPR (accountability). Demonstrating compliance is supported by different requirements in the GDPR:
- the controller will need to maintain a record of processing instead of notifying the Data Protection Authority (DPA)
- most controllers must assign a data protection officer (DPO), who will offer support in new and existing projects and act as a contact person towards the DPA
- the controller shall notify the DPA in case of a data breach within a period of 72 hours
- the controller, together with the DPO, shall implement privacy by design with every new data processing project and when necessary execute a data protection impact assessment (DPIA)
Of course, the implementation of new and expanded obligations and rights will only be effective if there is some form of enforcement. In the past, this was an issue because not all DPAs had the same competences. To achieve this goal, the powers of the supervisory authorities have been strengthened. Controllers that are not able to demonstrate compliance will face tremendous fines, which can go up to 4% of worldwide turnover or 20 million euros, whichever is higher.
This blog post has highlighted some of the most important new and expanded provisions of the GDPR regarding the controller, the individuals and the DPA. After 24 years of resignation, the time has come for companies and organisations to embrace data protection to the fullest. Luckily, there are still 368 working days left.
This article was co-authored by Melissa Jansen and Gwenna Chavatte, who recently joined the Data Protection team at Cranium.