Personal Data Protection – new provisions in 2018.

There are only 13 months left until the UE GDPR  Regulation (General Data Protection Regulation) enters into force and changes the situations of entities that process personal data. The regulation will apply to entities regardless of their size.

This change will provide serious sanctions for business entities that ineffectively protect personal data. It should be pointed out that penalties will not be small and they will be felt in both the public and private sectors. It is important that when a company has a branch in any other EU member country, the bodies of that country are authorized to verify if personal data is processed properly. Additionally,  they can impose penalties, among others, for the “lack of lack of applying sufficient organizational and technical measures commensurate with risks and threats to protect data processing, including lack of encryption”.

Penalties may be increased accordingly to 10..000 Euro and to 20.000.000 Euro, and in the case of firms, from 2% to 4% of worldwide turnover.

This is a challenge – for each organisation, including local governments. Today, it should be said, without exaggeration, that not much time is left and there is a lot of work to meet the requirements.

Legal basis

To repeat  the legal acts governing the concept of data processing. The Official Journal of the European Union of 4 May 2016 published the legal acts which comprise the complex reform of the personal data protection, i.e.

  • resolution of the European Parliament and European Council no. 2016/679 of 27April 2016 on the protection of individuals with regard to personal data processing and on free flow of such data, plus the repeal of Directive no. 95/46/WE (General Data Protection Regulation), hereinafter referred to as “the resolution”;
  • directive of the European Parliament and European Council no. 2016/680 of 27 April 2016 on the protection of individuals with regard to personal data processing by competent authorities for preventing crime, preparatory proceedings, detection and prosecution of criminal offences and imposition of penalties, on the free flow of such data plus the repeal of the framework decision of the European Council no. 2008/977/WSiSW, hereinafter referred to as “the directive”;

The resolution is intended to contribute to increase harmonization of law at the EU level. Being mandatory in all EU member states, the resolution will make running a business easier, clearer and less costly. It will also increase public trust for public and municipal sectors.

 

 

The most important provisions of the resolution:

  • definition of the concept of “sensitive data”. The definition includes racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation to labour unions, genetic data, biometric data allowing for personal identification, health data, data concerning sex life or sexual orientation;
  • better control for citizens of their personal data, for example, by strengthening the information duty, providing the right to transfer data or “the right to be forgotten”.

The regulations make it possible to seek information from the data administrator that it possesses about us, as well as receive data recorded in a universally used format and transfer this to another administrator without hindrance from the current administrator to whom this data was supplied (“right to transfer data”).  In the case of the “right to be forgotten”, the administrator of published data now has the duty to remove such data and take steps to inform other administrators processing this personal data,  that the person this data applies to, demands that administrators remove all links to such data, or copies of such personal data:

  • covered by European regulations in the scope of data protection, as well as non-EU organizations that offer their goods or services to the EU, or monitor the behaviour of internet users in this territory. This solution will guarantee uniform protection for persons in the EU territory regardless the origin of the entity that processes their data;
  • strengthening the protection of personal data conveyed from the EU territory to other states while accepting new legal instruments facilitating cross-border data transferability (i.e. binding corporate rules and standard contractual clauses);
  • reducing administrative workload, in particular by abolishing the obligation to notify data protection authorities in advance and introducing “approach based on risk assessment” according to which the regulatory burden will depend on the risk resulting from the data processing;
  • introducing an obligation of increased cooperation between domestic data protection bodies that will contribute to uniform application of data protection regulations in all EU states and help businesses operating in more than one member state. Cooperation based on unified regulations will contribute to effective use resources by these authorities and experience ;
  • introduction of a new function, so-called the European Data Protection Inspector that will replace the currently functioning Administrator of Information Security), who will be appointed in public entities and when the main activities of administrator or the data processing entity  is based on large scale data processing operations;
  • promoting mechanisms that increase protection of rights and liberties for individuals in relation to data processing by implementing appropriate technical and organisational measures that comply with the rule of including data protection in the design phase and with the rule of default data protection;
  • authorizing data protection authorities to impose fines for failure to comply with regulations of the directive, which should contribute to increased effectiveness of their application.

The Directive is directly linked to the draft resolution whose implementation will demand changes to the legal foundations of the national system for the protection of personal data.

Changes in national laws to implement the directive will result in subsequent changes to the national system for the protection of personal data.

Implementation

In the case of the resolution, it is not an act of legal harmonization as in the case of the directive, rather it is an instrument of legal unification in the territory of the EU.  The resolution is binding in its entirety and is directly applied in all member states by public and private sectors. A review and de facto change in regulations in the scope of personal data protection is necessary here.

In the case of the directive defining the means of implementation is left to a given member state. The main form of implementation in this case is the legal act (or rather several legal acts) and the changes will be simultaneously correlated.

The scale of changes is so big that it will be necessary to prepare a new personal data protection act with a set of enforcement acts.  Furthermore,  sector laws need to be reviewed. . Correlation for implementation of both EU regulations is so important because the directive implementation should be incorporated into the domestic legal system as much as possible and be precise enough to eliminate the necessity of consulting the content of the directive when applying domestic laws, contrary to the resolution which should be “adopted” by the domestic legal system minimally and its provisions should be the basic content in the regulated field.

What are the consequences for each public and private organization to avoid hiring a team of lawyers for analysing the content and relevant obligations? We should start right now!

What about the preparation time ?

According to the Article 99 par. 2 of the resolution – it takes effect on 25 May 2018.

In case of the directive, according to the Article 66 par. 1, the member states shall adopt and publish provisions by 6 May 2018 with the statutory, enforcement and administrative regulations necessary to implement this directive.

Increasing the possibility for control of personal data will contribute to increased trust for services provided by private and public entities. Feeling that personal data is protected in a better way, people will use applications and services of the information society more often and more willingly.