General Data Protection Regulation


GDPR

The EU’s new data protection regulation, known as the GDPR (General Data Protection Regulation), can significantly affect the way your organisation handles personal data. Your organisation will not only be responsible for ensuring compliance with the regulation in terms of handling and protecting personal data; it can also be penalised for non-compliance and will be liable for any damage resulting from data breaches. The General Data Protection Regulation aims to harmonise data protection rules throughout the EU and to strengthen and unify data protection. It addresses the security of personal data of EU citizens and of individuals within the EU, and it also regulates the export of personal data outside the EU. The Commission’s primary objectives for the GDPR are to give citizens back control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The regulation was adopted on the 27th of April 2016. It enters into application on the 25th of May 2018, after a two-year transition period, and will replace the current data protection directive 95/46/EC from 1995. Unlike a directive, it does not require any enabling legislation to be passed by national governments.

Concerns


  • Legal & Regulatory roles and obligations

  • Awareness (value, costs, risks, compliance, architecture)

  • Maturity and vision

  • Impact on business model

Challenges


The GDPR will supersede all current national data protection laws in the EU. Here is an overview of the main expected changes that organisations will have to be aware of and adapt to:

Expanded territorial reach

The GDPR also applies to organisations and their subcontractors outside the EU. In practice, this means that a company outside the EU that targets consumers in the EU will be subject to the GDPR.

Accountability and Privacy by Design

The GDPR makes organisations fully accountable for demonstrating compliance. This includes requiring them to document compliance, conduct data protection impact assessments for risky data processing and implement data protection by design and by default in their operational processes.

Consent

A data subject’s consent to the processing of his or her personal data must be given freely and, for sensitive data, explicitly, either by a statement or by a clear affirmative action indicating agreement to the processing. Consent can be withdrawn at any moment. The organisation must be able to demonstrate that consent was given.

Data Breach Notification

Organisations must notify data breaches to the Data Privacy Authority. This must be done without delay and, where feasible, within 72 hours of becoming aware of the breach. A substantiated justification must be provided if this timeframe is not met. The organisation must also notify the affected data subjects without delay when their data has been compromised.

Role of subcontractors

One of the key changes in the GDPR is that subcontractors have direct obligations of their own. These include implementing appropriate technical and organisational measures and notifying your organisation without delay of any data breach.

Sanctions

The GDPR establishes penalties for infringements: fines of up to 4% of annual worldwide turnover for data breaches and up to 2% of annual worldwide turnover for non-compliance.

Data Protection Officer (DPO)

In specific circumstances, organisations or subcontractors must designate a Data Protection Officer. The DPO will need sufficient expert knowledge and may be an employee or engaged under a service contract.

Right to be forgotten

Individuals can require the organisation to erase their personal data without undue delay. A typical example is where they withdraw consent and no other legal ground for the processing applies.
