A New and Enhanced Data Protection Regulation (GDPR) Is Around the Corner: How Ready Is Your Organisation?
The General Data Protection Regulation (‘GDPR’), due to come into effect on 25 May 2018, will provide a modernised, accountability-based compliance framework for data protection across Europe.
Data Protection Officers (‘DPOs’) will be at the heart of this new legal framework for many organisations, facilitating compliance with the provisions of the GDPR.
Under the GDPR, it is mandatory for certain controllers and processors to designate a DPO. This will be the case for all public authorities and bodies (irrespective of what data they process), and for other organisations that - as a core activity - monitor individuals systematically and on a large scale, or that process special categories of personal data on a large scale.
One of the most significant changes in the GDPR is the requirement for controllers and processors to be able to demonstrate compliance with the Regulation. As the Article 29 Working Party (WP29) puts it, the DPO is “a cornerstone” of this principle of “accountability”.
‘Core activities’ can be considered as the key operations to achieve the controller’s or processor’s objectives.
Regular and systematic monitoring of data subjects ... clearly includes all forms of tracking and profiling on the internet, including for the purposes of behavioural advertising. However, the notion of monitoring is not restricted to the online environment.
Factors to be considered when deciding whether processing is “large scale” include the number of data subjects, the volume and range of data, the duration of the processing and its geographical extent. A simple example given is the processing of healthcare-related data: by an individual doctor it is not large scale, but by a hospital it is.
The WP29 goes on to recommend that, unless it is obvious that a DPO is not required, controllers and processors should document the analysis and process leading to their decision on whether or not to appoint one.
DPOs may also be appointed on a voluntary basis, but where they are, the same GDPR requirements regarding designation, role and tasks apply as for mandatory appointments. An organisation that does not appoint a DPO may still assign data protection tasks to its staff or to external consultants; where it does so, it should make clear, both internally and externally, that those staff or consultants are not DPOs.
Big changes are coming, and many organisations are understandably on edge. This is the time to get prepared for the implementation of the new regulation.
The top three concerns for many organisations about the GDPR will most likely be:
- Tougher financial penalties for non-compliance
- Accountability requirements (Audits, breach incident reporting, risk impact assessments)
- New consent conditions.