PPB January 2018

referred to as the ‘right to be forgotten,’ and prompts the obligation to erase personal data without delay. • Under the GPDR, personal data must be removed when the data is no longer needed for the original purpose, when there are no other reasons for processing or when the individual withdraws consent. The right to restriction of processing requires companies to suspend further use while allowing existing data to continue to be stored. (Newunder GDPR.) The right to data portability allows individuals to obtain all records of previously-consented-to personal data held by the company and give it to an entity of their choosing. Data controllers must provide this information free of charge and without delay. (New under GDPR.) Consent Under the GDPR, consent must be freely given, informed and revocable. The GDPR expressly states that where there is an imbalance of power between the party giving consent and the party receiving it, consent is not valid. Consent should be evidenced by a statement or affirmative conduct to clearly indicate the purpose in context. Companies may now no longer use one statement of consent to allow the data collected to be used in multiple ways; consent must be sought for each reason the company proposes to use the data. Consent must be active. Companies cannot rely on silence, inactivity or consent given prior to changes in policy. In addition, statements of consent cannot be bundled with other statements, such as the terms of use, or posting a link to a company’s privacy policy. If you have offices in the EU, you will need to review your employment policies. The burden is on the employer to show that the employee gave adequate consent. Figure 1. AT A GLANCE: Key Changes Introduced By The GDPR The GDPR transforms a number of existing requirements and introduces a host of new ones that are likely to require significant changes in the way data is managed throughout a company. NAME DATA PROTECTION DIRECTIVE (DPD) Directive 95/46/EC GENERAL DATA PROTECTION REGULATION (GDPR) Regulation (EU) 2016/679 NUMBER OF CHAPTERS; ARTICLES VII; 34 XI; 99 OBJECTIVE Safeguard free movement of personal data through a common market Revise a legal framework that could cope with future data processing and privacy challenges. Repeals Directive 95/46/EC. LEGISLATION EFFECT Enabling legislation; varying regulations in EU countries Binding regulation; directly enforceable in all EU countries GEOGRAPHIC REACH Applies when equipment for processing is situated on member state territory Applies when data subject is an EU resident LIABILITY Only data controllers held liable Both data controller and data processors are liable DEFINITIONS The definition of ‘personal data’ includes: • Name • Photo • Email Address • Phone Number • Address • Personal Identification Numbers The definition of ‘personal data’ extended to include: • IP Addresses • Mobile Device Identifiers • Geolocation • Biometric Data • Psychological Identity • Genetic Identity • Economic Status • Cultural Identity • Social Identity RIGHTS Data subjects granted: the right of access the right to erasure (“be forgotten”) the right to object the right to rectification Data subject rights extended to include: the right to restriction of processing the right to data portability CONSENT Potential to rely on ‘implicit’ consent depending on jurisdiction Required to gain unambiguous consent (i.e. explicit) TRANSPARENCY No requirement to maintain personal information inventory Organizations will need a personal information inventory DATA PROTECTION OFFICER (DPO) Voluntary DPO regime DPO must be appointed when core activities involve regular and systematic monitoring of data subjects on a large scale ENFORCEMENT Supervisory authorities (SAs) have limited powers under national law SAs will be given a wider range of authority FINES Fines vary by jurisdiction Regulators can impose fines up to €20 million (roughly $23.5 million) or four percent of a company’s global annual income, whichever is higher BREACH NOTIFICATION No obligation to report breach DPO required to report breach within 72 hours Source: www.eugdpr.org/key-changes.html FEATURE | Data Redefined 86 | JANUARY 2018 |