Why you should know about the GDPR
Across Europe, there is a frenzy as companies take steps to be compliant with the General Data Protection Regulation before the deadline of 25th May 2018. If you are a company that processes the data of EU residents, even though you are located outside the European Union, the Regulation (together with the substantial penalties for non-compliance) may apply to you.
The General Data Protection Regulation is widely considered the most significant development in privacy law for almost 20 years. It sets out to harmonise the individual data protection and privacy regimes across the Union, so that data can move freely between member states. Previously, disparate individual member state rules meant that cross-border transfers of personal data required the companies involved to enter contracts mandating each other to comply with their local legislation, adding layers of legal and operational costs. The harmonisation of privacy standards is thus expected to save companies billions.
While it will now be possible for personal data to move more freely between member states, the GDPR introduces a robust suite of safeguards to protect individual citizens. Personal data previously was limited in most jurisdictions to information that could directly identify an individual. The GDPR now expands the definition to information that can be used indirectly or in combination with other sets of information to identify an individual. Organisations must ensure that personal data is processed lawfully and transparently, that processed data is proportionate to the purpose for which it is required, that it is only retained for as long as is necessary and deleted afterwards and in a way which ensures the security of the data being processed. There is also a mandatory requirement to report data breaches (i.e. unauthorised access, loss, distribution, etc.) to the individuals affected and the regulator.
As previously stated, it purports to apply to organisations outside the EU if they process the data of EU residents. Therefore, it could potentially be relevant to mobile network operators (think roaming & interconnection arrangements), internet-based services (think media streaming companies) and financial services providers (think banks or card payment processing companies) based in Nigeria. Data controllers and data processors must be able demonstrate compliance with the GDPR and regulators have the power to levy fines of up to the greater of EUR20 million or 4% of the company’s annual turnover. Even though many experts think it could be a challenge to assert jurisdiction outside the EU, business organisations would be wise to consider how much of an impact either being proscribed from doing business in the EU, or worse, local courts upholding the EU’s jurisdiction locally, could have on their businesses.
From a national policy perspective, as increasing amounts of personal data are being processed by various organisations, the matter of a federal data protection law is worth revisiting. There is no legislation for data protection outside the sectoral regulations one may find in telecommunications or banking, for example. The various federal agencies that collect and process our biometric information do so in the absence of any law prescribing how the data is to be handled. Quite rightly, people are becoming alarmed at how many different agencies they give their personal data to, with the question frequently asked why these agencies are not wired to share or centralise their databases. Each new database presents a point of vulnerability for the data subjects concerned and anyone in consumer marketing would tell you about the numerous databases publicly available for sale, usually sortable by gender and location. These breaches continue to happen, with next to no consequences.
As private citizens, we should all be concerned about the protection of our personal data, firstly because our federal constitution declares that, “the privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected.” We have a fundamental right to privacy. In an increasingly connected world, with the Internet of Things meaning that we each have a growing list of unique data identifiers, the risks of identity theft, stolen intellectual property and financial losses, to name a few, must be assessed and steps taken to mitigate them. Individually, we can all take measures such as using more secure passwords and locking our devices when they are not in use. However, these are nowhere near as effective as legislation prescribing safeguards and measures for the organisations who hold our personal data.
If you are such an organisation, here’s another reminder that if you undertake the processing (i.e. collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction) of the personal data of people resident in the EU, you might want to give your privacy lawyers a call.
No Comments yet