The application of the General Data Protection Regulation (“GDPR”), in force since 25 May 2018, obliges companies to deal with issues concerning IT security and liability for the collection and storage of personal data, with no room for further hesitation. Privacy protection will become an important part of corporate culture and will necessarily have to be managed from the top, i.e. by the managing director as well as the management team. Employees will also be involved in this awareness process through adequate training on the matter. Companies should define the order and priorities of their data-related procedures in accordance with the privacy by design and privacy by default principles. In other words, they should ensure data protection from the onset of product or service ideation and design, opting for behaviors aimed at preventing possible issues affecting personal data.
An even wider definition of personal data
The concept of “personal data” refers to all information that identifies a person or makes a person identifiable and provides details about his/her features, habits, lifestyle, personal relationships, health and economic conditions. The definition of “personal data” becomes even wider and better structured when electronic communications are taken into account, with new technologies such as geolocation carrying significant weight.
This transition, certainly problematic, introduces new challenges and opportunities, and places the question of data protection as a fundamental human right at the center of the international debate and of digital policies. This marks a significant turning point. In fact, digitalization has caused several information security issues which, until a few years ago, could be handled by the national authorities of each EU country, but which now require a more focused and structured legal framework. The introduction of platforms such as SaaS (Software as a Service) and the growth of cloud computing have completely changed the scenario.
Therefore, in 2011 the European Data Protection Supervisor (EDPS) responded positively to the request to reform the legal framework on personal data protection, since the existing legislation was no longer appropriate.
Even though it is far too early to predict the impact of this privacy regulation, we believe it is worth focusing on certain general considerations and on some of the GDPR’s outcomes in the international scenario.
The potential applicability of the GDPR worldwide
Certainly, one of the important changes brought about by the GDPR is its potential applicability worldwide: the regulation thus overcomes European borders in the name of personal data protection.
The regulation, in fact, applies not only to all cases where data are handled by EU-based companies, but also to all cases where a company, even though not EU-based, processes the personal data of individuals located in the EU in order to offer them goods or services or to monitor their behavior within the EU.
Consequently, in the light of the above, foreign companies that intend to keep offering and providing their services to EU citizens cannot avoid complying with the GDPR.
Furthermore, even UK organizations may be forced to comply with the regulation in order to protect UK citizens’ personal data and maintain their competitiveness in the EU market, for reasons of opportunity and convenience, apart from the compulsory application described above and, in any case, for as long as Brexit does not materialize.
The lack of connection with the data location
The regulation not only binds foreign companies that deal with EU citizens’ personal data, but also aims to govern all processing of personal data, irrespective of where such data are located. It therefore provides that all personal data processing carried out by EU-based companies is subject to the GDPR, regardless of whether the processing takes place within or outside the EU.
From a legal point of view, such data will be in the spotlight and subject to this new regulation rather than to national laws. This means that the physical location of the data loses relevance in view of the aim of granting the individuals concerned greater control over the information that is collected, processed and used by third parties.
Companies may, of course, stop doing business with EU citizens in order to avoid complying with the GDPR principles, but such a choice must be made knowingly: i.e. the GDPR’s applicability should be taken into account whenever a company provides a web service that is also available to EU citizens.
The provision for strict fines
The fines for companies that do not comply with the regulation can amount to up to 4% of their global revenue and up to Euro 20 million. The severity of these measures has drawn the attention of all parties, particularly in the US, where many organizations have a strong presence in the EU. Furthermore, the GDPR applies to organizations of any size, from individual enterprises to large companies.
Forward-looking companies started to set up their compliance programs immediately after the EU regulation was announced, but compliance is complex, and as a result meeting the 25 May deadline could prove difficult.
According to PwC’s reports, 9% of US companies report having allocated more than 10 million dollars to achieving such compliance.
Some compliance requirements for companies
- Accountability principle: data processing must be carried out according to documented procedures, regardless of whether those procedures are managed by the company itself or by third parties on its behalf. This makes the data controller accountable and obliges it to comply with the GDPR.
- Risk based approach: the driving force of the regulation is to make companies accountable; they are therefore required to comply with the GDPR principles by adopting a new risk based approach and carrying out risk assessments.
- Clear and concise consent: much attention is paid to consent to personal data processing, which must be clear, concise, distinguishable and unequivocal.
- Data protection by design and by default: privacy is managed and implemented through default settings from the design phase onward; this means that companies must take personal data protection into account from the moment a product, service or app is designed and developed.
- Right to be forgotten: individuals are entitled to have their data deleted by the data controller without delay when certain conditions provided by the GDPR are met, for example when the data become redundant and are no longer necessary for the purposes for which they were collected, or when the individual withdraws consent.
- Right to data portability: individuals are entitled to receive their personal data in a commonly used, well-structured and machine-readable format, so as to transfer such data to another data controller without hindrance from the former data controller.
- Appointment of an EU Representative: the Representative acts on behalf of the data controller or the data processor and may be addressed by any supervisory authority.
How to make the transition process easier?
The EU regulation on personal data protection requires strong legal training and, at the same time, considerable technical implementation skills, given the ongoing digitalization processes and the use of ever more innovative and complex technologies.
In this regard, companies may rely on professionals who are able to provide multidisciplinary services and consultancy, not only of a legal and IT nature, but who can also build and implement synergies between legal professionals and technical staff such as engineers and mathematicians.
Consequently, the burdensome commitment to follow the GDPR, together with the obligation to comply with the law, should also enable companies to combine the aforesaid skills and join forces to start a transition process that will ultimately result in growth.
The author of this post is Giorgio Piccolotto