Written by: Albert Gibosse
Disclaimer: This article is not legal advice for your company to use in complying with EU data privacy laws like the GDPR. Instead, it provides background information to help you better understand how Blue Label weekly Magazine has addressed some important legal points. This legal information is not the same as legal advice, where an attorney applies the law to your specific circumstances, so we insist that you consult an attorney if you’d like advice on your interpretation of this information or its accuracy. In a nutshell, you may not rely on this paper as legal advice, nor as a recommendation of any particular legal understanding.
Does the GDPR apply to me?
While the old EU legislation (the 1995 EU Data Protection Directive) governed entities within the EU, the territorial scope of the GDPR is far wider in that it will also apply to non-EU businesses who a) market their products to people in the EU or who b) monitor the behavior of people in the EU. In other words, even if you’re based outside of the EU but you control or process the data of EU citizens, the GDPR will apply to you.
The most important changes under the GDPR
- Individual’s Rights
- Internal Procedures
- Supervisory Authorities
- Scope, Accountability and Penalties
- Need assistance with your GDPR compliance? Please go to: https://bluelabelweeklymagazine.wordpress.com/create-a-gdpr-strategy/
- or email us at email@example.com and type “GDPR Readiness” in the Subject field.
The data controller (usually a company) must always ensure that the data subject has given their consent prior to submitting their information. The GDPR steps up the standard for disclosures when obtaining consent, as it needs to be “freely given, specific, informed and unambiguous,” with controllers using “clear and plain” legal language that is “clearly distinguishable from other matters.”
New Rights for Individuals
The regulation also builds in two new rights for data subjects: a “right to be forgotten” that requires controllers to alert downstream recipients of deletion requests and a “right to data portability” that allows data subjects to demand a copy of their data in a common format. These two rights will now make it easier for users to request that any information stored should be deleted or that information that has been collected should be shared with them.
Data subjects always had a right to request access to their data. But the GDPR enhances these rights. In most cases, you will not be able to charge for processing an access request, unless you can demonstrate that the cost will be excessive. The timescale for processing an access request will also drop to a 30 day period. In certain cases, organizations may refuse to grant an access request, for example where the request is deemed manifestly unfounded or excessive. However, organizations will need to have clear refusal policies and procedures in place, and demonstrate why the request meets these criteria.
If you’re already a Blue Label weekly Magazine customer or partner, please contact your account manager if you have any further questions, comments or suggestions. If you don’t yet have a business relationship with Blue Label weekly Magazine please drop us a line at firstname.lastname@example.org
Learn more about the GDPR compliance
Before the GDPR, the DPD rules were as follows:
- Obtain and process the personal data fairly
- Keep it only for one or more specified and lawful purposes
- Process it only in ways compatible with the purposes for which it was given to you initially
- Keep it safe and secure
- Keep it accurate and up-to-date
- Ensure that it is adequate, relevant and not excessive
- Retain it no longer than is necessary for the specified purpose or purposes
- Give a copy of his/her personal data to any individual, on request
The DPD is a Directive, which is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals. In Ireland for example, the goals of the DPD were implemented through the Irish Data Protection Act, 1998.
A Regulation on the other hand, such as the GDPR, is a binding legislative act which applies in its entirety across the EU.
Double-opt-in is a 2-step mechanism where a person must confirm their email address after initially signing up. The GDPR does not require double-opt-in (though certain countries may make this mandatory).
It’s worth noting that subscribers to the Blue Label weekly Magazine service may already choose to enable double-opt-in functionality in their portals as an additional protective measure in proving they obtained the required consent.
How will Brexit impact the compliance for businesses based in the UK?
In June 2016, a majority of UK voters voted in favour of leaving the EU in the “Brexit” referendum. In March 2017, Theresa May gave notice to leave the EU under Art. 50 which triggered the commencement of the Brexit negotiations and meant that the UK will leave the EU on the sooner of withdrawal terms being agreed and the expiry of two years from giving notice, so by end March 2019. Therefore, it’s highly likely that the UK will still be part of the EU by the May 2018 GDPR deadline. This means if you’re based in the UK, you’ll need to work on your compliance as if Brexit never occurred.
The UK has drafted legislation to update the current Data Protection Act (DPD) in line with the GDPR. The bill is currently working its way through the UK Parliament.
If you’re based outside the UK but have vendors or affiliates in the UK with whom you share personal data, you’ll also need to keep an eye on developments in this area. When the UK leaves, cross-border data flows may not automatically have adequate safeguards and therefore additional protections may be required to protect data you transfer to the UK.
How will the Rights of Individuals be affected by the GDPR?
Individuals already have a lot of rights which protect their personal data under the 1995 Data Protection Directive, but the GDPR significantly strengthens these rights such that data subjects can now:
- obtain details about how their data is processed;
- obtain copies of personal data that an organisation holds on them;
- have incorrect or incomplete data corrected;
- have their data erased by an organisation, where, for example, the organisation has no legitimate reason for retaining the data;
- obtain their data from an organisation and have that data transmitted to another organisation (Data Portability);
- object to the processing of their data by an organisation in certain circumstances;
- not be subject to (with some exceptions) automated decision making, including profiling.
Data storage location
There is no obligation under the GDPR for data to be stored in the EU, and the rules regarding transfer of personal data outside the EU will not change. This means that, as long as the personal data is “adequately protected”, data may be transferred abroad. For example, the EU has prepared a list of countries which it deems to provide an adequate standard of protection (known as “white listed countries”), so it is permissible to transfer data to those countries. Where a country is not on that EU list (for example, the USA), the controller must rely on approved contractual provisions (e.g. the Model Clauses or Corporate Binding Rules) or one of the other alternative measures provided for in law, such as the Privacy Shield certification.
Here is a list of additional resources for your convenience:
- The Irish Data Protection Commissioner’s GDPR website
- Guidance from the German Federal Commissioner for Data Protection on the GDPR here
- Blue Label weekly Magazine’s Data Privacy Resources page
- EU Data Protection Supervisor here
- Blue Label weekly Magazine’s Security Program page
- Find your Supervisory Authority here
- Full text of the GDPR here
- Full text of the GDPR in German here
- The EU’s GDPR website