The new General Data Protection Regulation 2016/679 (GDPR) came into force in May 2016 and will be applicable as of 25 May 2018. In this transitory period, and even when the provisions of Directive 95/46 are still in force, as well as the corresponding national development standards, the party responsible for personal data treatment must prepare and adopt the necessary measures to be able to comply with the provisions of the new regulation at the time it is applicable.
The GDPR will apply to data controllers or processors established in the European Union, and extends to controllers and processors not established in the EU provided they handle data derived from an offer of goods or services for citizens of the EU.
One of the essential aspects of the GDPR is accountability. It is based on active prevention by data controllers and processors, who must adopt measures that reasonably ensure compliance with the new principles, rights and guarantees. Acting only when a violation has already occurred is not sufficient, given that it can cause damages to interested parties, which can be very difficult to compensate or amend. That is the reason why the GDPR foresees new measures to prevent potential damages to citizens: privacy by design and by default, records of processing activities, appointment of a Data Protection Officer (DPO), notification of personal data breaches, the right to erasure (a right to request the deletion of old data when they no longer meet a lawful purpose or if there is a withdrawal of consent) and the right to portability (a right to recover the data that was delivered to a party responsible for its treatment, at the time, in a format that allows it to be transferred to another party responsible for its treatment).
The former Directive 95/46 has proved not to be as effective as expected in order to ensure the data protection rights of European citizens, as it depended on national regulations being transposed, and so there was a diversity of criteria that not only affected data processing issues between countries inside the EU, but also made some of them more stricter than others. Going further, cases like Facebook vs Maximilian Schrems and the massive NSA surveillance system highlighted by the Edward Snowden revelations, provided evidence that a change was necessary.
This change generates new business opportunities not only for legal experts – who will have a leading role in the design and execution of legal clauses, guarantees and internal data rights policies – but also for IT professionals, who will need to readapt to offer new, ad hoc, technical designs. In addition, new roles such as the Data Protection Officer will create an opportunity to apply for jobs designed for legal experts with technical knowledge.
Aside from the need for data controllers to adapt their data protection systems, and the consequent expense and increase in use of resources, the change has been very positive as it has reinforced EU citizens’ rights regarding data and, in the end, will facilitate much more flexible internal structures for all those who need to handle personal data as part of their daily activity.
However, lawyers and businesses in Spain did not see a clear path with regard to how to implement most of the new regulations, as they introduced new concepts and did not specify others such as the technical measures. The GDPR will be directly applicable in EU countries – in this sense, the challenge will be to develop and detail national regulations that, while always respecting the principles of accountability and privacy by design and by default, contribute to a better understanding of the regulations and the practical implementation of the new concepts.
Mónica Liu is a manager in BDO Abogados. She can be reached at email@example.com