Starting on May 25th 2018, the General Data Protection Regulation (GDPR) will be directly applicable to all entities active in the European Union. The new rules are designed to give citizens more control over their personal data, increase corporate accountability while reducing reporting burdens and strengthen the role of data protection authorities such as the CNPD. During Cybersecurity Week, the CNPD will participate in the “GDPR: Verbraucherschutz an Datenschutz ginn hand an hand” (Consumer protection and Data protection go hand in hand) conference specifically for the general public and will also organize information sessions for private companies and public bodies.
BACKGROUND: Why was it necessary to reform the legal framework?
EU legislation on data protection has been in place for more than 20 years. While the 1995 Directive guarantees effective protection, it has become necessary to modernize existing rules to take into account the effects of globalization and the emergence of new technologies.
The current rules were adopted at a time when many of today’s online services did not yet exist. With the advent of social networking sites, cloud computing, the internet of things, and services using geolocation and smart cards, the amount of personal data that is collected and processed daily has increased exponentially.
The risk of data being misused by those who collected it, or of it falling into the wrong hands, has grown accordingly. As evidence of this trend, the number of security breaches, data leaks, computer attacks and breaches of confidentiality reported by the national and international press has multiplied.
Disparities that arose when Member States implemented the original Directive have also led to inconsistencies that create complexity, legal uncertainty and administrative costs. This situation undermines the confidence of individuals and the competitiveness of the EU economy.
A robust set of rules is therefore necessary to ensure that the right of individuals to the protection of their personal data, recognized by Article 8 of the Charter of Fundamental Rights of the European Union, remains effective in the digital era. This is the aim of the new General Data Protection Regulation. Its advantages are not insignificant. It most notably offers:
- new rights for individuals, specifically: the right to erasure (the "right to be forgotten"); the right to restriction of certain processing; the right to data portability; and the right not to be subject to a decision based solely on automated processing, including profiling;
- an implementation of the "privacy by design / by default" principle: an online service or a data-collecting device must be designed to collect only the minimum data necessary for its operation;
- direct application in all Member States (no transposition into national legislation is needed).
These new rights for consumers and users create new obligations for those who collect and process personal data. Specifically:
- Where processing relies on consent, the controller must be able to demonstrate that the person concerned gave it, and that consent was freely given, specific, informed and unambiguous
- Organisations established outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU must also comply with the Regulation; the criterion is the location of the individuals, not their citizenship
- Administrative fines for non-compliance can reach 4% of the organisation's total worldwide annual turnover or 20 million euros, whichever is higher
- A Data Protection Officer (DPO) must be appointed where processing is carried out by a public authority or body, or where an organisation's core activities involve regular and systematic large-scale monitoring of individuals or large-scale processing of special categories of data; the Regulation sets no headcount threshold for this obligation (the 250-employee threshold concerns the exemption from keeping records of processing activities, not the DPO)
- A personal data breach is not in itself an infringement, provided the controller can demonstrate that appropriate technical and organisational security measures were in place; the breach must nonetheless be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, and communicated to the affected individuals where it is likely to result in a high risk to their rights and freedoms
The countdown has begun and it is now time to review the compliance of data processing practices. The appointment of a DPO, where required, should also be on the agenda.
Information sessions: General Data Protection Regulation (18 and 19 October 2017)
TOPICS TO BE DISCUSSED:
- New regulation compliance: how should you prepare?
- The role of the Data Protection Officer (DPO)
- National specificities (employment, health, research, etc.)
- Obligations towards data subjects (consent, profiling, right to data portability, etc.)
- The Data Protection Impact Assessment (DPIA)
- Compliance tools (certifications, codes of conduct, etc.)
- Compliance monitoring (investigations, penalties, etc.)
- Wednesday 18/10: French-language session: 08:30-15:30
- Thursday 19/10: English-language session: 08:30-15:30
Administration Building 1, avenue du Rock’n’Roll L-4361 Esch-sur-Alzette Conference Room (ground floor)