The GDPR will enter into force on 25 May 2018, repealing the current 1995 Data Protection Directive. The GDPR will ensure higher protection of personal and sensitive data, while also introducing new concepts, such as privacy by design, which will allow companies to develop their own privacy policies as long as they comply with GDPR.

What happens next

The General Data Protection Regulation – or GDPR – was adopted by the European Parliament in April 2016 and will be effective as of 25 May 2018 in the whole of the European Union. Once the GDPR is in effect, the current Data Protection Directive 95/46/EC (DPD) is repealed. Being in the form of a regulation, the GDPR has direct effect in each Member State’s legislation, without requiring implementation into national law (like, for an instance, a Directive). Nonetheless, GDPR does not achieve full harmonisation of data protection law across the EU. In order to accommodate certain existing national specificities, Member States can add or modify certain provisions of the GDPR with a view to fitting their local needs and laws. This provides them certain flexibility. In total, there are over 50 provisions which allow GDPR derogations by Member States. Derogations will be allowed for the purposes of national security, prevention and detection of crime and in certain other situations.  In addition, the Commission will have the power to make delegated acts to clarify certain aspects of the regulation. Therefore, some discrepancies at national level will inevitably remain, however they will be kept to a minimum in order to avoid forum shopping.

Main changes

Core rules are the same as the DPD. The Regulation applies to the processing of personal data by a controller or a processor. The Regulation retains a broad definition of personal data and processing. Personal data covers all the information relating to an identified or identifiable natural person, including IP addresses, cookie identifiers, automated personal data and can also encompass pseudonymised data if a person can be identified from it. Sensitive data includes personal data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sexual life or sexual orientation.

The Regulation only applies to personal data if it is processed wholly or partly by automated means or is part of a sophisticated hard copy filing system. One of the biggest differences from the DPD is the principle of “accountability” and the requirement for data controllers to “be responsible for, and to be able to demonstrate compliance” with the principles relating to processing of personal data. Privacy by design enables companies to take all the appropriate technical and organizational measures in order to ensure data protection a priori. This  implies for organizations to consider and elaborate data protection processes before proceeding to any data collection.

All companies processing data and having more than 250 employees must appoint a Data Protection Officer or DPO. The DPO position requires solid expertise when it comes to data protection practices and legal framework. The DPO will report directly to the company’s management. The GDPR provides for certain rules aimed at avoiding the DPO’s dismissal for reasons related to GDPR compliance. Member States have discretion to enact national provisions imposing further requirements regarding the appointment of DPOs.

One of the big topics of the GDPR is consent and the need to prove that it has been obtained. Consent needs to be completely unambiguous and the GDPR explicitly bans pre-ticked opt in boxes (in other words, there are no more possibilities for “opt-out” options). Data subjects can withdraw their consent at any time. There is no more possibility of “bundle consent”: where different processing activities are taking place, consent is presumed not to be valid unless the individual can consent separately.

Breaches must be reported to the relevant regulator without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk for the rights and freedoms of individuals. Data subjects must be informed without undue delay where the breach is likely to result in a high risk to the data subject’s rights and freedoms, unless the data has been rendered unintelligible to any third party (for example by encryption). If the data controller has taken steps to ensure that the high risk is unlikely to materialise or it would involve disproportionate effort to inform data subjects individually, a public announcement can be made.

Organisations will be regulated by a single data regulator in the place of their main establishment. The main establishment will be the main administrative location in the EU or the Member States where the main decisions about data processing are taken.

The GDPR introduces two levels of fines.

  1. Up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. This will be considered according to Article 83(4) of the GDPR.
  2. Up to €20 million or 4% of the company’s global annual turnover of the previous financial year, whichever is higher. This will be considered for infringements covered in Article 83(5) of the GDPR.

Fines will be considered on a case by case basis and will depend on issues like how much intentional or negligent the infringement was; the measures that the company has taken in order to mitigate the damages; any previous infringements; cooperation with authorities and the nature of the data affected.

What GDPR means for startups?

Many start-ups and tech business are SMEs with a small number of workers that does not exceed the GDPR threshold. Nonetheless, if processing data is a core activity, the start-up must appoint a DPO, for example an existing member of staff, as long as there is no conflict of interest with his/her current role. There is no need for formal training or qualifications in order to be a DPO, but he/she “must be appointed on the basis of professional qualities and, in particular, expert knowledge on data protection law and practices”.

Once a DPOr is in place, it is important to identify the specific privacy risks which the organisations is exposed to and how these risks can be mitigated or avoided. Organisations will be required to carry out data protection impact assessments (DPIAs) if their proposed activities are likely to result in a high risk for the rights and freedoms of individuals; in particular, through the use of new technologies and in cases of people profiling.

This exercise should take the form of a data mapping exercise, resulting in the collection of the information set out in Article 30 GDPR, which requires data controllers and processors to maintain a record of processing activities, including:

  • name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer;
  • purposes of the processing;
  • a description of the categories of data subjects and of the categories of personal data;
  • categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
  • where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and the documentation of suitable safeguards;
  • where possible, the envisaged time limits for erasure of the different categories of data;
  • where possible, a general description of the technical and organisational security measures in place to safeguard the data.

If customer support is outsourced, the outsourced company will be the data processor which stores and uses the customer data provided. The outsourced company will be in charge of the data compliance mentioned above.  In case of outsourcing, consideration should also be given to the contracting process and the life cycle of the relationship with the data processor. All data processing contracts must contain the minimum provisions as set out in Article 28, which includes, among others, scope, nature and purpose of processing, duration of the processing, and types of personal data and categories of data subjects.

Start-ups which already comply with the current DPD must review their current policies, in order to verify whether they comply with the new provisions, especially concerning privacy notices, consent and accountability. Independent testing and quality assurance frameworks should be established to ensure that data protection processes and procedures are being adhered to.

Opportunities arising from GDPR

The new GDPR strives for simplification: it is sufficient for companies to be registered in the Member State of establishment. This means, that they will have to interact only with the data protection authority of the Member State chosen as their State of main establishment. In addition, while the GDPR does not provide for full harmonisation, it nonetheless creates a more consistent approach across the EU, reducing uncertainty and eliminating the need to comply with different national rules. The principles underpinning the GDPR will be applied and enforced consistently throughout the EU.

For organisations which are naturally prone to innovation, concepts such as privacy by design, profiling and data portability provide the opportunity not only to innovate, but also to build customers’ trust and confidence. The ultimate purpose of the GDPR is to protect the data subject as well as to increase their trust towards the companies complying with the EU rules. These rules grant a higher level of protection compared to other jurisdictions. Ultimately, this can result in a competitive advantage for the EU companies.

Simona Frazzani is a Senior Associate at the Brussels’ office of Grimaldi Studio Legale. She advises both private clients and public institutions on EU legislation related to innovative technologies, collaborative economy, digital platforms, consumer protection, passenger rights, and transport regulation.

With offices in Milan, Rome, Bari, Brussels, London and Lugano, 37 partners and more than 150 lawyers, Grimaldi Studio Legale is recognized for its quality and business approach. With a complete and diversified legal expertise, the Firm advises Italian and International clients. Thanks to the diversified skills and knowledge of its teams of dedicated lawyers, the Firm assists its clients in a seamless manner on ground breaking. The Firm has also received recognition in all the main trade publications for the quality of its service and the calibre of its lawyers. For more information www.grimaldilex.com