Upload
others
View
9
Download
0
Embed Size (px)
Citation preview
ThecontentofthisRegulatoryUpdateisofgeneralinterestandisnotintendedtoapplytospecificcircumstances.Itdoesnotpurporttobeacomprehensiveanalysisofallmattersrelevanttoitssubjectmatter.Thecontentshouldnot,therefore,beregardedasconstitutinglegaladviceandnotberelieduponassuch.Inrelationtoanyparticularproblemwhichtheymayhave,readersareadvisedtoseekspecificadvice.Further,thelawmayhavechangedsincefirstpublicationandthereaderiscautionedaccordingly.ContainspublicsectorinformationpublishedbyGOV.UKandlicensedundertheOpenGovernmentLicencev3.0.Design@2016Zywave,Inc.Allrightsreserved.
EUGeneralDataProtectionRegulationProvidedbyPeterLoleInsuranceBrokers
EUDataProtectionReformTheEU’snewdataprotectionreformwaspublishedon4thMay2016.Thenewrulesbecomeapplicableon25thMay2018.Becauseofhowtherulesaresetup,memberstatesarenotrequiredtoadoptlocallawstoincorporatethenewdataprotectionrequirementsintodomesticlegislation.
TheEUenactedtheserulestocreateuniformdataprotectionrulesforallmemberstates.Initsview,aunifiedsetofrulesandstandardswouldallowEUcitizensmorecontrolovertheirpersonalinformation.OrganisationsthattradeintheEU,whetherbasedthereornot,mustcomplywiththeserulesinregardstoprocessingthedataoftheirEUcustomers.
Thenewrulesupdateandreplacethecurrentdataprotectionrules,whicharebasedonthe1995DataProtectionDirectiveandthe2008FrameworkDecisionforthepoliceandcriminaljusticesector.
Dataprotectionreformtakesplacethroughtwomajorinstruments:
• TheGeneralDataProtectionRegulation(GDPR);and
• TheDataProtectionDirective.
EnforcementAcompanythatfailstocomplywiththenewrulesbytheeffectivedatemaybesubjecttoafineofupto€20million,or4percentofthecompany’sglobalannualturnover.
TheGDPRTheGDPRenablesindividualstobettercontroltheirpersonaldata,regardlessofwherethisdataissent,storedorprocessed.
TheGDPRhasfourprovisionswhichprovide:
• Individualswithmoreaccesstotheirowndata—individualswillhavemoreinformationonhowtheirdataisprocessed(thisinformationmustbeprovidedinaclearandunderstandableway);
• Arighttodataportability—bymakingiteasierforindividualstotransmittheirpersonaldatabetweenserviceproviders;
• A‘righttobeforgotten’—individualshavearighttohavetheirpersonaldataerasedifthereisnolegitimategroundforretainingthedata;and
• Individualswiththerighttoknowwhentheirinformationhasbeenhacked—bycreatinganobligationforthosewhogather,storeorprocesspersonaldatatonotifytheirrespectivenational
• Thedataprotectionrulesbecomeeffectiveon25thMay2018.
• Thenewrulesreplacethe1995and2008standardsanddirectives.
• Finesfornon-compliancecanbeupto€20millionor4percentofannualglobalturnover.
TheGDPRenablesindividualstobettercontroltheirpersonaldata,regardlessofwherethisdataissent,storedorprocessed.
supervisoryauthorityofanydatabreachesthatputthematrisk(notificationsshouldbegivenassoonaspossiblesothataffectedindividualscantakeappropriatemeasures).
ConsentandSpecificPurposeTheGDPR’s‘righttobeforgotten’istiedtotwomainconcepts—specificpurposeandconsent.
TheGDPRassumesthatwhenanindividualconsentstotheprocessingofhisorherpersonaldata,heorshedoessobecausethatdataisintendedfortheindividual’sbenefitorsomeotherspecificpurpose.
Forthisreason,individualshavearighttorequestthattheirpersonaldatabeerasedwhenprocessingthisdataisnolongerrequiredinordertomeetthespecificpurposeforwhichconsentwasgiven.
However,anindividual’srighttobeforgottenisnotabsolute.Datadoesnotneedtobeerasedifalegitimatepurposeremains.Legitimatepurposesincludefreedomofexpressionandscientificresearch.
Finally,theGDPRalsorecognisesthatacertainlevelofmaturityandunderstandingisrequiredinordertoprovideconsentforaspecificpurpose.Forthisreason,oneGDPRruleindicatesthatconsent,fortheprocessingofachild’spersonalinformation,mustbegivenbywhoeverholdsthatchild’sparentalresponsibility,untilthechildisdeemedsufficientlyoldenoughtogiveconsent.TheGDPRallowsmemberstatestosettheirownagelimitstandardbetween13and16yearsofage.
DataProtectionDirectiveTheDataProtectionDirectiveappliestothepoliceandcriminaljusticesectors.Thedirectivewasadoptedtoprotectthepersonaldataofvictims,witnessesandsuspectsinacriminalinvestigationorlawenforcementaction.
Thedirectivealsofacilitatesthesharingofinformationandcross-bordercooperationtocombatcrimeandterrorism.
ImpactonBusinessesThereformscreateamoreefficientbusinessenvironmentbycuttingredtapeandreducingthecostsmanybusinessesmustendureiftheyprocesspersonaldataacrossborders.Businessesmaybeabletocapitaliseonsimpler,clearerandmoreunifiedstandardsastheyrestoreormaintainconsumertrust.
ThereformsalsomakenewdataprotectionstandardsextraterritorialbyrequiringallbusinessestocomplywhiletheydobusinessinanEUmemberstate.ThisensuresthatallplayerswithintheEUareboundbythesamerules,regardlessofwheretheyareestablished.
Inaddition,therulesstreamlinedatasafetybycreatingonecentral,singlesupervisoryauthorityineachmemberstate.Italsopromotesarisk-basedapproachtocompliancerequirements,recognisingthatbusinessesshouldhavedifferentobligationsandoperateunderstandardsthatmoreaccuratelyrepresenttheparticularriskassociatedwiththeirdataprocessing.
Finally,thenewrulescallfordataprocessorstoimplementdataprotectionsafeguardsfromtheearlystagesofproductandservicedevelopmenttoensurethatdataprotectionbecomesthenorm—bydesignandbydefault.Thisincludesappointingadataprotectionofficer(DPO)responsiblefordataprotectioncompliance.OrganisationsmustappointaDPOiftheyareapublicauthority,theycarryoutlarge-scalesystematicmonitoringofindividuals,oriftheycarryoutlarge-scaleprocessingofspecialcategoriesofdataordatarelatingtocriminalconvictionsandoffences.
ImpactonSmallandMediumEnterprisesThenewrulesalsoleveltheplayingfieldforSMEsbyrequiringthemto:
• AppointDPOsonlywhentheSMEs’coreactivitiesrequireregularandsystematicmonitoring,oriftheyprocessspecialcategoriesofpersonaldata(forexample,datathatrevealsracialoriginorreligiousbelief);
TheGDPRwilldoawaywiththeobligationforbusinessestonotifyothernationaldataprotectionauthoritiesaboutthedatatheyareprocessing,whichcostsbusinessesabout€130millionperyear,accordingtotheEuropeanCommission.
• Keepprocessingrecordsonlyifprocessingisnotoccasionalorislikelytoputrightsandfreedomsatrisk;and
• Reportdatabreachestoindividualsonlyifthebreachesplacetheirrightsandfreedomsathighrisk.
InsituationswhereSMEsmustappointDPOs,thenewrulesdonotrequirethatofficersbefull-timeemployees.Theuseofadhocandconsultantsissufficienttosatisfythisrequirement.
ImpactonEmployersEmployersprocessalargeamountofpersonaldatafromtheiremployees.Often,processingemployeeinformationisnecessarytocomplywithemploymentlawandtoprovideadequatebenefits.
Forthisreason,employersshouldevaluatehowtheGDPRaffectstheirpersonaldataprocessingpractices,policiesandprocedures.Inparticular,employersshouldconsiderwhethertheyhaveobtainedconsentforaspecificpurposeanddelineatewhenandhowthisconsentmaylapse.
PreparingfortheGDPRAlthoughtheGDPRdoesnotcomeintoeffectuntil2018,theInformationCommissioner’sOffice(ICO)hascreatedachecklistofthingsbusinessescandorightnowtoprepareandensurecompliance:
1. Awareness:EnsurethatalldecisionmakersandkeypeopleinyourorganisationareawareoftheGDPR—theyneedtoappreciateitsimpact.
2. InformationYouHold:Documentwhatpersonaldatayouhold,whereitcamefromandwhomyoushareitwith.Also,organiseaninformationaudit.
3. CommunicationofPrivacyInformation:ReviewyourcurrentprivacynoticesandputaplaninplaceformakinganynecessaryGDPRchanges.
4. Individuals’Rights:Checkyourprocedurestoensuretheycoveralltherightsindividualshave,includinghowyouwoulddeletepersonaldataor
providedataelectronicallyandinacommonlyusedformat.
5. SubjectAccessRequests:Updateyourproceduresandplanhowyouwillhandlerequestswithinthenewtimescalesandprovideanyextrainformation.
6. LegalBasisforProcessingPersonalData:Lookatthevarioustypesofdataprocessingyoucarryout,identifyyourlegalbasisfordoingsoanddocumentit.
7. Consent:Reviewhowyouareseeking,obtainingandrecordingconsentandwhetheryouneedtomakeanychanges.
8. Children:Thinkaboutputtingsystemsinplacetoverifyindividuals’agesandtogatherparentalorguardianconsentforthedataprocessingactivity.
9. DataBreaches:Ensureyouhavetherightproceduresinplacetodetect,reportandinvestigatedatabreaches.
10. DataProtectionbyDesignandDataProtectionImpactAssessments:FamiliariseyourselfwiththeguidancetheICOhasproducedonPrivacyImpactAssessments,andworkouthowandwhentoimplementthem.
11. DataProtectionOfficers:DesignateaDPO,ifrequired,orsomeonetoberesponsiblefordataprotectioncompliance,andassesswherethisrolewillsitwithinyourorganisation’sstructureandgovernancearrangements.
12. International:Ifyourorganisationoperatesinternationally,youshoulddeterminewhichdataprotectionsupervisoryauthorityyoufallunder.
ForamoredetailedoverviewofyourresponsibilitiesundertheGDPR,consulttheICO’sguidefororganisationslocatedhere:https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr.Andformoreinformationonprotectingyourbusinessandensuringcompliance,contacttheinsuranceprofessionalsatPeterLoleInsuranceBrokerstoday.
TheGDPRwillestablishasingle,pan-Europeanlawfordataprotection,meaningthatcompanieswillonlyhavetodealwithonelaw,not28.Thenewruleswillbringbenefitsofanestimated€2.3billionperyear,accordingtotheEuropeanCommission.