Filletti & Filletti Advocates is a leading law firm based in Malta offering a wide range of legal services.
GDPR - A Data Privacy Compliance Overview
Filletti & Filletti Advocates
Introducing the GDPR
Following years of discussion, Regulation 2016/679, better known as the ‘General Data Protection Regulation’ or ‘GDPR’, was enacted by both the European Parliament and the Council of the European Union.
The main aims and functions of the newly adopted GDPR are to:
Currently, data protection is enforced throughout the EU via the Data Protection Directive 95/46/EC, also known as the ‘DPD’. Each member state implemented the DPD in its own distinct way, with the unfortunate result of divergent and, at times, conflicting rights across the various EU member states.
Following the 25th of May 2018, the GDPR will come into effect. As a result:
In practice this means that the current legislation with regard to Data Protection will be repealed and replaced by the GDPR on the 25th of May 2018.
You may at this point ask, “How does this affect me and my business? What are my envisaged obligations in terms of the GDPR?”
The GDPR shall have various effects on the sphere of data protection legislation, and it shall also have tangible effects on the daily running of your business. The most important ways in which the GDPR could affect your business are due to its:
Increased Territorial Scope
Possibly the most significant change to the data privacy implementation is the extended jurisdiction of the GDPR. This is due to the fact that the GDPR will be applicable to all companies processing personal data of data subjects residing in the EU, regardless of the company’s location.
Therefore, the fact that an organisation is based outside the territorial borders of the EU is irrelevant if said organisation processes data of residents of the EU. Instead, such an organisation would be obliged to appoint a representative within the EU to this effect.
Increased Data Subject Rights
Organisations will have to grant data subjects access to any personal data held by them. This should be done by giving the data subject a readable and easily accessible copy of all personal data held by the organisation.
Organisations must also implement the right of a data subject to be forgotten. Personal data must be erased in cases where the data subject revokes his or her consent or when said data is no longer needed for its original purpose.
Privacy by Design
Organisations must have data protection as a cornerstone of any design of business systems. Therefore, data protection must not be seen as an afterthought to a project but as an essential part of its foundations.
The concept of consent is cardinal to the GDPR. The days of interminable terms and conditions littered with unintelligible clauses are over. Terms and conditions must be concise and understandable by the common user.
The GDPR also obliges organisations to provide data subjects with an easily accessible method of withdrawing their consent, should they wish to do so.
Data Breach Notification
Following the 25th of May 2018, should an organisation suffer a serious data breach which is highly likely to “result in a risk for the rights and freedoms of individuals”, it will be obliged to immediately notify the Data Protection Commissioner, within 3 days of becoming aware of said breach.
In cases of high-risk breaches, the GDPR also obliges the organisation that suffered such a breach to inform the data subjects concerned.
Any organisation found to be in breach of the GDPR can be liable to an administrative fine of up to €20,000,000 or 4% of its annual global turnover, whichever is greater.
This excludes any civil claims that a data subject may institute against said organisation, which may make a breach even more costly for any organisation found to be in breach of the GDPR.
We at Filletti & Filletti Advocates understand that this reform is far-reaching and game-changing. That is precisely where we come in. We are available to discuss any queries you may have with regard to the GDPR, and to guide you through the seemingly interminable maze that is the GDPR, with the ultimate objective of ensuring your Data Protection compliance.