The GDPR: What’s new for data protection in 2018 and beyond?

By Templafy | 20. February 2018

After four years in the pipeline, the EU General Data Protection Regulation (GDPR) will come into force on 25 May 2018. The GDPR is the most significant data protection reform of the last 20 years, replacing the existing Data Protection Directive (DPD) of 1995.

But what do the changes to the data protection regulations in 2018 actually mean for enterprises inside and outside the EU? And how does the GDPR affect Templafy users? Read on.

The GDPR retains key principles seen in the DPD:

Lawfulness

Data must be processed lawfully, fairly and in a transparent manner.

Purpose limitation

Data must be collected for specified, explicit and legitimate purposes.

Data minimisation

Data should be limited to what is necessary.

Accuracy

Data should be accurate and up to date.

Storage limitation

Data should be kept for no longer than is necessary.

Integrity and confidentiality

Data should be protected by appropriate security measures.

Accountability

The company or person responsible for processing the data (known as the ‘data controller’) is accountable for compliance.

However, the GDPR is a far more comprehensive regime, which creates new challenges for companies.

More rights for “data subjects”

The GDPR emphasises individual control, as seen in new and enhanced rights for data subjects (the person whose data is being processed).

Right to data portability

The GDPR introduces the right for data subjects to receive their personal data in a structured, commonly used and machine-readable format. It also introduces the right to transmit that data to another data controller, when technically feasible. For example, an individual could request one social media platform to transmit their personal data to another. This right only applies where there was automated processing based on the performance of a contract or a data subject’s consent.

Right to erasure (the right to be forgotten)

The DPD contains the right to require a data controller to erase data when it was processed in a non-complying way. The GDPR strengthens this right and lists specific grounds when data must be erased, without undue delay. If a controller has made personal data public, reasonable steps must be taken to inform others processing the data that erasure has been requested.

Reforms to the conditions for consent

As in the DPD, consent is a basis for the lawful processing of data. The DPD requires consent to be freely given, informed and to signify agreement. The GDPR adds further conditions that consent must be unambiguous and given by a statement or clear affirmative action.

The GDPR introduces strict parameters on what constitutes valid consent:

  • The burden is placed on data controllers to demonstrate that data subjects have consented to processing.
  • If the data subject’s consent is given in a written declaration concerning other matters, the consent must be presented in a distinguishable, intelligible and accessible form.
  • Data subjects have the right to withdraw consent at any time.
  • Consent is presumed not to be ‘freely given’ if it is obtained as an unnecessary condition for the performance of a contract.

Increased enforcement powers

New enforcement powers mean the GDPR has more teeth. For the first time, data protection authorities have the power to impose fines.

Depending on the provision infringed, the maximum fine is:

  • €10 million or, in the case of an undertaking, up to 2% of total worldwide annual turnover of the preceding financial year (whichever is higher); or
  • €20 million or, in the case of an undertaking, up to 4% of total worldwide annual turnover of the preceding financial year (whichever is higher).

The term ‘undertaking’ is not defined in the GDPR, but is to be interpreted in accordance with Articles 101 and 102 of the Treaty on the Functioning of the European Union. This interpretation of ‘undertaking’ may capture corporate groups, resulting in the group’s annual total turnover being used as the basis for calculating a fine.

Relevant factors for determining the appropriate fine are:

  • the nature, gravity and duration of the infringement
  • whether the infringement was intentional or negligent
  • actions taken to mitigate the damage caused by the infringement
  • the degree of responsibility of the infringing entity
  • any previous infringements
  • whether the infringing entity notified the relevant data protection authority and cooperated to mitigate the effects; and
  • the categories of personal data affected (for example, whether sensitive personal data is involved).

The GDPR imposes a new obligation on data controllers to inform the relevant authority of any data breach within 72 hours. Where a data breach is likely to impact rights and freedoms, data subjects must be notified without undue delay. Failure to do so could result in a fine. Where there is only a minor infringement, a reprimand may be issued instead of a fine.

Data protection authorities have additional broad investigatory and corrective powers, including obtaining information from data controllers, imposing bans on processing and suspending international data flows.

Brexit will not be an excuse for UK companies to avoid enforcement action. The UK government has confirmed that it will implement the GDPR, which will have the force of law in the UK from 25 May 2018. The fate of the GDPR after Brexit is an open question.

Extraterritorial application of the GDPR – broadened reach

The GDPR broadens the explicit reach of data protection efforts in an attempt to remove ambiguity over cross-jurisdictional instances of data breaches. Read on to learn more about what this means for entities within and outside of the EU:

Entities established in the EU

The GDPR codifies existing case law that the EU data protection regime applies to processing conducted ‘in the context of the activities of an establishment of a controller or processor’ in the EU, regardless of whether the processing takes place in the EU. This convoluted approach brings certain external processing within the EU data protection regime.

For example, in the Google Spain case, the Court of Justice of the European Union held that search engine processing by Google Inc. in the US was conducted in the context of advertising activities conducted by Google Spain.

Entities established outside the EU

The GDPR goes further by expanding its application to data controllers and processors established outside the EU, where data processing is related to:

  • the offering of goods or services to data subjects in the EU (regardless of whether payment is required); or
  • monitoring their behaviour within the EU.

The focus on the data subject’s location within the EU significantly expands the potential for non-EU companies to be caught by the EU regime. For example, non-EU companies who monitor or collect data online from users within the EU may be brought within the ambit of the GDPR.

This extraterritorial application means that the GDPR will remain relevant in the UK, regardless of the outcome of Brexit.

Coordinated response to cross-border processing

Data protection authorities currently lack the power to enforce coordinated responses to cross-border complaints. The GDPR establishes a new system for consistently dealing with cross-border data protection issues:

  • Cross-border complaints are handled by one lead authority, cooperating with other concerned authorities.
  • Determination of the lead authority is based on the location of the main establishment of the relevant data controller or processor.
  • The European Data Protection Board is established, comprised of one member from each EU data protection authority. This Board can issue legally binding decisions where there is a dispute over the identification of the lead authority or decisions made by that authority.

Data controllers should be aware that their ‘main establishment’ is where certain key decisions about data processing are made – this may not be the place of the company’s central administration.

Profiling confirmed as a data protection problem

The DPD provides data subjects with certain rights not to be subject to automated processing, but the GDPR explicitly states that automated processing includes profiling. In fact, there are over 20 references in the GDPR to profiling, indicating that it may be an enforcement priority for authorities.

The GDPR’s definition of ‘profiling’ is:

‘any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.’

Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, which have legal or similarly significant effects. This right is limited as it does not apply where the processing was necessary for the performance of a contract, was authorised by law or was done with the consent of the data subject.

The agreed text of the GDPR can be found here.

Templafy and the GDPR

Templafy understands and agrees with the need for stronger Data Protection Regulation for Data Subjects.

Is the GDPR relevant for Templafy?

Certainly. Templafy is subject to the GDPR regulation for a number of reasons:

  • Templafy processes data in Microsoft Azure Data Centres located in EU Member States
  • Templafy processes and stores personally identifiable information on Data Subjects living and working in EU Member States
  • Templafy is a Data Processor for Data Controllers (our customers) located in EU Member States

How does Templafy comply with GDPR?

We best describe that by answering how we relate to the core principles of the GDPR:

Lawfulness

We are aware of the specific legislation and have the mindset to fulfil our obligations under it in a fair and transparent manner.

Purpose limitation

We collect data for the specified, explicit and legitimate purpose of fulfilling our obligations as data processor for the tasks laid out by contract with our customers (the Data Controllers).

Data minimisation

We only collect the data that are relevant to fulfilling our obligations to our customers. We do not profile our Data Subjects. We are transparent about which data we store, and we do not store what is defined as ‘Sensitive Personal Data’.

Accuracy

Data are supplied by our Data Subjects, who have full transparency into the data we store and the ability to keep them up to date. We ensure the integrity of data throughout our system.

Storage limitation

We only keep data on Data Subjects until they are deleted by the Templafy customer they work for, e.g. on leaving the company.

Integrity and confidentiality

We do everything possible to keep data confidential, both through technology and through processes. All data are encrypted at rest and in transit. Only a few highly trusted and background-checked people have access to data.

Accountability

We stand accountable as Data Processor towards our customers (the Data Controllers) through a binding Data Processor Agreement which outlines how we must comply with the GDPR.

Templafy’s use of Sub Processors

Templafy is hosted in Microsoft Azure Data Centres and runs on Microsoft Azure Platform-as-a-Service. As Microsoft Azure takes the highest measures in order to comply with the GDPR, Microsoft Azure is a cornerstone in our strategy to reduce risk and ensure compliance with the GDPR.

We use a number of Microsoft services such as Application Insights and Power BI, and use other services for error log communication to our development and support teams, but all personal data transferred via these services are obfuscated.

Templafy’s own infrastructure and processes

Templafy is running all of its own infrastructure on Microsoft Azure and Microsoft Office 365 and is benefitting from the GDPR compliance of these services. Our own processes are governed by a clearly defined Information Security Policy and Security Awareness Training programs are in place.

For more information on how Microsoft Services are a backbone for GDPR compliance, please read here.
