General Data Protection Regulation (GDPR): from a prior-formalities logic to a compliance logic
1 – Introduction
The General Data Protection Regulation (GDPR) is the new European reference text for the protection of personal data, whether the processing is automated or not.
2 – The legal context
Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation) replaces Directive 95/46/EC. The French law of 6 January 1978 (Law on computer technology and freedom), amended in 2004 and 2016, will be adapted to this new text.
The text is directly applicable throughout the European Union. It entered into force on 24 May 2016 and applies from 25 May 2018.
3 – Objectives
The purpose of this regulation is to:
- Adapt to the new digital realities and face the new technological challenges (Big Data, social networks, cloud computing, Internet of Things)
- Strengthen individuals' rights: right of access, right to erasure (right to be forgotten), right to restriction of processing, right to data portability, right to restriction of profiling and automated decision-making
- Make the actors processing data accountable
- Harmonise the rules for the protection of data within the EU
- Provide a high level of protection for all EU citizens
- Provide individuals with rights over their personal data
- Give citizens back control of their personal data.
4 – Who is concerned by this regulation?
- Every organisation established in the EU which collects data on people living in one of the European Union countries
- Data controllers established in the European Union.
- Data processors established in the EU (service providers operating in SaaS mode and hosting providers).
5 – The regulation key points
- Data processors now bear responsibility for data protection.
- The regulation imposes limits on how long data may be retained.
- The consent of the data subject is the basis for data processing.
- The regulation applies to companies established outside the European Union which process data relating to the activities of organisations and residents of the EU (Article 3).
- The "privacy by design" principle, which requires organisations to take personal data protection requirements into account when designing products, services and systems that use personal data
- Significant financial sanctions from the supervisory authority in case of non-compliance with this regulation.
6 – The rights granted to the data subject
The European regulation grants the individual ten rights over his or her personal data:
- Right of access of the data subject
- Control rights: companies and organisations must give citizens more control over their private data (Article 7).
- Right to information: the data controller must inform the data subject when it intends to process the data for new purposes (Articles 13 and 14)
- Right to rectification: the data subject has the right to obtain from the data controller, as soon as possible, the rectification of inaccurate personal data concerning him or her
- Right to erasure (also called the "right to be forgotten"): the data subject has the right to obtain from the controller the erasure, as soon as possible, of personal data concerning him or her, and the controller is obliged to erase these personal data as soon as possible on 6 grounds (Article 17).
- Right of access of the data subject
- Right to data portability: a person can retrieve the data he or she has provided and transfer them to a third party (Article 20)
- Right to be informed in the event of a data breach (Article 34)
- Right to compensation for material or moral damage suffered as a result of a breach of this regulation
- Right to restriction of personal data processing.
7 – Obligations of organisations
The new measures impose new obligations on organisations handling personal data:
- Obtain the clear and explicit consent of the person for the use of his or her personal data (written or electronic declaration, such as ticking a box)
- Ensure that data processing complies with the regulation (accountability)
- Be able to prove the person's consent when the processing is based on the data subject's consent
- Secure the processing they carry out
- Adapt existing tools and implement technical and organisational measures to guarantee a level of security appropriate to the risk (Article 32).
8 – Compliance tools
To demonstrate the compliance of their data processing, controllers and processors will have to put new tools in place: keeping a record of processing activities, processing certification, codes of conduct, impact assessments, implementation of privacy by design and privacy by default, and designation of a Data Protection Officer (DPO).
9 – Calendar
The General Data Protection Regulation must be applied throughout the European Union as of 25 May 2018.
No transposition into national law is required: the text is directly applicable in the EU Member States.
10 – Sanctions
In case of non-compliance, penalties may reach up to € 20 million or 4% of annual global turnover.
11 – Lexicon
- Personal data: any information relating to an identified or identifiable individual (location data, online identifiers, cookies and IP addresses are considered personal data)
- DPD: Délégué à la protection des données (the French term for the Data Protection Officer)
- DPO: Data Protection Officer
- Privacy by Design: protection of privacy from the design or development stage of the information system
- Privacy by Default: protection of privacy by default during processing
- Profiling: monitoring of behaviour