Challenges of General Data Protection Regulation

Dragan Savić*, Mladen Veinović
Singidunum University, Belgrade, Serbia

Abstract:
The aim of this paper is to give an overview of the General Data Protection Regulation (GDPR) and of the current achievements in this domain within the framework of existing knowledge in the literature, international standards and best practice as far as the GDPR is concerned. This paper is particularly dedicated to the GDPR, which harmonizes data protection requirements across all 28 Member States, introduces new rights for data subjects, and applies extra-territorially to any organization controlling or processing data on natural persons in the European Union.

Keywords:
privacy, computer security, controller, personal data, WP29.

Sinteza 2018, International Scientific Conference on Information Technology and Data Related Research (Information Security and Data Science). DOI: 10.15308/Sinteza-2018-23-30. submit your manuscript | sinteza.singidunum.ac.rs

1. INTRODUCTION
The aim of the GDPR is the coordination of the different rules existing in individual Member States, so that the legal fragmentation, complexities and uncertainties shaped by the Data Protection Directive are reduced. The Regulation also allows the reinforcement of the data subjects’ rights, so it is easier for them to regain control over their personal data. Several updates and introductions of new individual rights and procedures of importance are executed; even so, the GDPR still applies roughly to the data controllers and processors acting in the public and private sectors for profitable and non-profitable purposes.

2. GENERAL DATA PROTECTION REGULATION

The General Data Protection Regulation (2016/679) announced the largest reorganization of European privacy laws in the last 20 years. This Regulation was published in the Official Journal on 4 May 2016 and became active on 25 May 2016, but the most essential provisions will become applicable in all Member States from 25 May 2018. [1] The Regulation is readily effective in every Member State without the need for further national legislation. Nevertheless, it is necessary that Member States enact at least some executive legislation by creating a national regulator, in order to make extensive use of any of the derogations available under it. [2] The Regulation itself is followed by the Criminal Law Enforcement Data Protection Directive (2016/680), which refers to the processing of personal data by law enforcement authorities and must be implemented in all Member States by 6 May 2018. This Directive, however, will not be considered further in this note. [3] [4] [5]

The General Data Protection Regulation (GDPR) is a recently harmonized regulation applicable across Europe, and it mandates the protection of data about people living in the European Union. Every organization collecting, processing and using such data must adhere to this regulation, regardless of where it originates from. [6] The correct name of the GDPR is Regulation (EU) 2016/679, and it updates, replaces, and extends the protections previously given in the directive on data privacy (Directive 95/46/EC) from 1995. Excluded from the GDPR is the protection of personal data of individuals involved in criminal affairs; the protection regime for such circumstances is outlined in a complementary directive (Directive (EU) 2016/680). [5] [6]

Every Member State must appoint a regulator as a form of supervisory authority, which in return should allow greater harmonization. However, with a large number of national derogations, different Member States will very likely interpret and enforce this Regulation differently. Jurisdiction over businesses working across borders should primarily lie with the supervisory authorities of the countries in which said businesses have their main establishments. [7] Yet, there are exceptions to this rule.

The magnitude of the anticipated change is fairly large and requires immediate action in order to get ready for compliance. Affected organizations will need to follow a consistent and interconnected approach in order to bring their EU operations into compliance. The GDPR will allow individuals to have considerably strengthened rights to privacy that they can enforce directly against organizations. [7]

The supervisory authority is appointed for a minimum period of four years and by all means must be independent of the Member State. [8] However, a Member State may establish more than one supervisory authority (as is the case today in Germany). Also, a European Data Protection Board (the Board), made up of one representative from the supervisory authorities of each Member State, should be formed. [8] This Board will be the successor of the current representative body, the Article 29 Working Party, but will at the same time have a much stronger role than the Article 29 Working Party in providing guidance and coordinating enforcement of the GDPR through a consistency mechanism. [9] The most essential trait of the supervisory authorities on the Board is clear guidance. The Article 29 Working Party has issued a work plan setting out four priority areas for guidance [3]:

◆ the new right to “data portability”;
◆ the notion of “high risk” and privacy impact assessments;
◆ certification; and
◆ the role of the data protection officer. [3]

The most important role within the framework for protecting our fundamental human right, the right to privacy, belongs to data protection laws, through which it is regulated how organizations collect and process personal data. European data protection law is considered to be one of the most comprehensive and restrictive in the world. [10] The GDPR includes controllers and processors founded in countries outside the EU but which are collecting and processing personal data relating to individuals within the EU, and thus significantly raises the bar for similar organizations all over the world. [10]

For controllers, accomplishing conformity with the GDPR should help build and secure the trust of their customers/users, as well as reputation and, finally and most importantly, value. For processors, accomplishing conformity with the GDPR should help with assuring controllers that they are the right partner and are able to maintain a competitive edge. [10] For other organizations that provide services to both controllers and processors (from marketing agencies to payroll providers) there is an opportunity to add considerable value for their customers through providing compliance-enabling solutions. [11]

3. HOW THE GDPR WORKS

The GDPR consists of 173 recitals and 99 operative provisions. Only the operative provisions have legal effects, while the recitals do not (or at least should not). [11] Even though the GDPR has direct effect and does not require any Member State to pass laws in order to implement this regulation, it allows Member States to implement certain aspects of the GDPR in their own way under what are known as ‘derogations’. These derogations help introduce exemptions from the GDPR’s transparency obligations and individual rights and permit transfers of personal data in limited circumstances. Most derogations are linked to matters such as national security and defense, protection of judicial independence and proceedings, prevention and detection of crime, budgetary and taxation matters, public health and security and other important public interests. [11]

Each Member State must appoint a supervisory authority as an independent body responsible for monitoring and enforcing conformity with the GDPR. The GDPR also creates a new body called the European Data Protection Board (EDPB). This new body will consist of members from each of the EU’s supervisory authorities (though the ICO’s position after the UK leaves the EU is unclear) with the addition of the European Data Protection Supervisor. [12] As an independent EU body, the EDPB will have legal status and responsibility for overseeing the consistent application of the GDPR, amongst other tasks. It will also be responsible for resolving any disputes that occur between supervisory authorities. [13]

The Regulation does not apply to personal data relating to deceased individuals, except in cases when such personal data is crucial to identify a living individual (for example, medical records which identify a relative, or joint bank account records). Even so, Member States may establish their own rules when it comes to this type of processing (and countries such as Bulgaria, Estonia and France have already done so), so some organizations use ‘deceased suppression records’ to ensure that their marketing databases are up to date. [14]

The GDPR will apply where data are entirely processed by automated means, or in cases of partially manual processing of personal data where a filing system could be formed, either partial or complete. The Regulation identifies what personal data consists of: identification numbers, on-line identifiers (whether this should include IP addresses or not is debatable), location data and other factors relating to an individual’s behavior. [15] This is why organizations that provide on-line services or rely on the use of tracking technologies will need to review their data processing practice to ensure they follow the GDPR requirements. Also, new definitions of ‘genetic data’ and ‘biometric data’ are included within the definition of special category data in the Regulation. [15]

As mentioned, the GDPR will apply where personal data are processed entirely or partly by automated means, or to the manual processing of personal data which forms part of a filing system or is intended to form part of a filing system. If that is not the case, i.e. if the processing does not form, and is not intended to form, part of a filing system, then it will not be within the GDPR’s reach. [15] In practice, though, this exception isn’t applicable to most organizations, since most records are formed in a certain way based on certain criteria so that the data are easily accessible.

The territorial application of the GDPR covers a much wider range than the Directive, as it is used to regulate not only organizations established in the EU, but also:

◆ EU-based entities, in relation to their activities, regardless of whether the data is processed within the EU or outside of it;
◆ organizations from outside the EU, in relation to the offering of goods (and services) to data subjects in the EU or the monitoring of their behavior, as far as their behavior takes place within the EU. [16]

4. KEY CHANGES IN GDPR

Key changes in the GDPR include:

◆ a requirement to apply the principles of ‘privacy by design’ and ‘privacy by default’ in the process of developing and launching new technologies, products, services, etc.;
◆ a new obligation to carry out privacy impact assessments;
◆ new rights to data portability and a right to be forgotten;
◆ a new requirement to notify data protection supervisory authorities if a data breach takes place;
◆ fines for non-compliance of up to EUR 20,000,000 or (if higher) 4% of the global annual turnover of the organization; and
◆ special rules around profiling and the use of children’s data. [16]

The GDPR applies to ‘controllers’ and ‘processors’. A controller determines the purposes and means of processing personal data, while a processor is responsible for processing this data on behalf of a controller. The Regulation places very specific legal obligations on processors. For example, a processor is required to keep records of collected personal data and processing activities; a processor also has legal liability if it is found to be responsible for a breach. [17] In addition to this, the controller continues to be liable for its obligations even if a processor is involved; the GDPR places further obligations on controllers to ensure that their contracts with processors comply with the Regulation. [18]

The GDPR applies to processing carried out by organizations operating within the EU as well as to foreign organizations that offer goods or services to individuals in the EU. Even so, the GDPR does not apply to certain activities, including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities. [19]

5. BASIC CONCEPTS AND DEFINITIONS

The basic definitions of “processing”, “filing system”, “controller”, and “processor” are largely as in the Directive. The definition of “personal data” is also as in the Directive, but is supplemented to clarify that location data and on-line identifiers (e.g. IP addresses) also constitute personal data. [19] In addition, new definitions have been introduced, such as “profiling”, “personal data breach”, “pseudonymization”, “biometric data”, “data concerning health”, “group of undertakings”, and “cross-border processing”. [20]

Consent is defined to mean any freely given, specific, informed and unambiguous indication of the data subject’s will by which he or she, by a statement or clear affirmative action, confirms an agreement to the processing of personal data relating to him or her. [21]

The GDPR considerably increases the range of regulatory compliance for organizations which process data on behalf of data controllers, the so-called ‘data processors’. [22] Data processors are required to implement appropriate security measures, report data breaches to the controller, keep a register of data processing activities and seek the controller’s authorization before allowing third parties to sub-process personal data. Processors are also directly subject to sanctions for failure to comply with the GDPR. [23]

Complying with the GDPR is mandatory. The GDPR applies to every organization that controls or processes personal data on private persons in the European Union. [8] There is a wide array of requirements and mandates that need to be in place when the GDPR actually comes into force, not the least of which is that when a data breach occurs, the local data protection authority and all affected data subjects must be notified within 72 hours. [23]

In order to ensure that the rights and freedoms of data subjects are not compromised, the GDPR demands that data controllers and processors follow through with both organizational and technical safeguards. Organizational safeguards include data protection impact assessments, data protection by design for both structured and unstructured data, and the appointment of a data protection officer who reports to the highest level of the organization. [23]

Technical safeguards include pseudonymization, encryption, and various capabilities for identifying and blocking data breaches, ensuring data security, and automatically identifying and classifying personal data, among others. [11] According to the GDPR, a “data breach” also includes “accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”, thus making the prevention of unauthorized use of or access to personal data a crucial element of compliance with the Regulation. [9]

Non-compliance with the GDPR will be quite expensive. In addition to other financial consequences, there are two tiers of regulatory fines, with a fine of up to €20 million or four percent of the annual worldwide turnover of the organization, whichever is higher. [14]

6. PRINCIPLES

The principles for the protection of data under the Data Protection Act do not differ much from the principles stated within the GDPR. [24] The key addition is the new accountability requirement: compliance with the principles needs to be demonstrated. Personal data shall be: [24]

◆ processed lawfully, fairly and in a transparent manner in relation to individuals (lawfulness, fairness and transparency);
◆ collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (purpose limitation);
◆ adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization);
◆ accurate and, where necessary, kept up to date (data accuracy);
◆ kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation);
◆ processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. [25]

The principles of accountability [3] are more explicitly underlined in the GDPR than in the DPA. The Regulation offers a new principle of accountability, requiring the controller to demonstrate active compliance with its legal responsibilities. This is achieved by integrating data protection throughout the organization’s processes and culture, including by:

◆ maintaining a clear written record of all data operations which can be inspected by a regulator on demand;
◆ mechanisms and procedures for monitoring and verifying compliance (e.g. regular audit);
◆ measures to enhance awareness of data protection issues in the organization (e.g. training) up to senior managerial level;
◆ adoption of the principle of privacy by design, ensuring data protection principles are taken into account at the early stages of designing new technologies, products and systems;
◆ adoption of the principle of privacy by default, ensuring that privacy protection is adopted as the default option;
◆ appointment of a Data Protection Officer (DPO) if required. [8]

The principle of transparency requires that any information and communication relating to the processing of personal data is easily accessible and easy to understand, and that clear and plain language is used. [3] [10] This principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing, and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of the personal data concerning them which are being processed. [3] [10]

A significant effect of this requirement will be on the way organizations inform individuals of how their data will be processed. It will not, in any way, be acceptable to conceal information in thickly written privacy policies or terms and conditions. If consent is given without full transparency about the impacts of processing, the GDPR states that it will not be valid. The controller should be able to demonstrate compliance with the principles (“accountability”). [8] To demonstrate this conformance, 39 of the 99 articles require evidence. It is not necessary to register processing with the Supervisory Authorities under the Regulation, but organizations (especially larger businesses) will need to keep detailed records of their processing.

7. PERSONAL DATA AND SENSITIVE PERSONAL DATA

Any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier, is considered to be ‘personal data’. This definition allows that personal data, including a name, identification number, location data or on-line identifier, can be composed out of a wide range of personal identifiers, thus taking into account the constant changes in technology and in the way organizations collect information about people. Both automated personal data and manual filing systems where personal data are accessible according to specific criteria are covered by the GDPR. Chronologically ordered sets of manual records containing personal data may be included as well. [25] Personal data that has been pseudonymized (e.g. key-coded) can fall within the reach of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.

Sensitive personal data are brought up in the GDPR as “special categories of personal data”, and the definition of this kind of data now includes new fields such as biometric data. Genetic data, and biometric data which are processed to uniquely identify an individual, are specifically included in these special categories. Personal data relating to criminal convictions and offenses are not included, but similar extra safeguards apply to their processing. [25] This Regulation sets out new and elaborated rules regarding situations where data are used to undertake automated decisions impacting individuals (profiling). [25]

Biometric data are defined as personal data gathered using specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allows or affirms the unique identification of that natural person, such as facial images or fingerprint data. [11]

Profiling, on the other hand, is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. [11]

8. DATA SUBJECTS’ RIGHTS

The GDPR amplifies the existing statutory rights data subjects have (e.g. to access their data files) through a wide range of entirely new or “refreshed” rights. These rights may be exercised freely (i.e. without charge to the data subject) and must generally be met within 30 days. The limited time allowed for responding to requests, as well as the removal of the right to charge any kind of fee, will very likely inflict a significant burden on controllers, forcing them to take steps to make data in their systems more easily accessible to data subjects. We recognize 4 rights: [10] [16] [19]

◆ The right to receive a copy of the data;
◆ The right to data erasure (the data subject may require the controller to erase personal data on request in a range of scenarios, e.g. where the data are no longer required for their original purpose, or where consent to processing has been withdrawn).
◆ The right to object to processing (individuals have the right to object to processing based on legitimate interests (including profiling), direct marketing, research and statistics. If exercised, this request must be respected unless the organization can show there are compelling grounds to continue with the processing which override the individual’s rights, or if the processing is required to establish, exercise or defend legal claims).
◆ The right to data portability (this right allows a data subject to receive their personal data “in a structured, commonly used and machine-readable format” and to transmit data in that format to another controller).

9. NOTIFICATION OF DATA BREACHES

The GDPR requires the data controller to provide notification to the relevant supervisory authority of any personal data breaches. The notification must [8]:

◆ describe the nature of the breach;
◆ state the number of data subjects affected by the breach;
◆ describe the likely consequences of the breach;
◆ describe the measures taken or proposed to be taken by the controller to remedy the breach. [10]

Every breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to, personal data is considered to be a personal data breach. When there is a risk to the rights and freedoms of individuals (e.g. damage to reputation, financial loss, loss of confidentiality with significant detrimental effect, discrimination) the ICO/DPC has to be notified. Affected individuals, on the other hand, are to be notified when there is a particularly high risk to their rights and freedoms. Relevant breaches must be reported to the Data Protection Commissioner within 72 hours of becoming aware of the breach. [8]

In specific situations, the controller should also notify the data subjects affected by the breach, which is why it is important that controllers have an internal breach reporting procedure in place and train their staff to understand what constitutes a data breach. [8]

10. TWELVE STEPS TO TAKE NOW FOR THE GDPR

1. Make all key people in your business aware of the impact the GDPR will have on your business.
2. Document what personal data you hold, where it came from and who you share it with.
3. Review your current privacy notice and make the necessary changes.
4. Check that your procedures cover all the above rights that individuals have.
5. Update your subject access request procedure.
6. Document your legal basis for processing the various types of personal data you handle.
7. Review how you are seeking, obtaining and recording consent and then make the necessary changes.
8. Think about how to verify children’s ages and gather parental consent for processing their personal data.
9. Ensure you have the right procedures in place to detect, report and investigate a personal data breach.
10. Work out how and when to implement a Protection Impact Assessment (PIA).
11. Designate a Data Protection Officer (if required) or someone to take responsibility for data protection compliance.
12. If you operate internationally, you will need to determine which data protection supervisory authority you come under. [10]

11. CONCLUSION

… relating to profiling or children’s data), so it will be useful to map out which parts of the Regulation will have the greatest impact on the concrete business model and then give those areas the necessary importance in the planning process.

A new antitrust-type sanction regime is in the focus of attention of the GDPR. With the threat of fines of up to 4% of annual worldwide turnover or €20 million, data protection will be taken more seriously. But there is a risk of taking this too far and holding up innovation. That is why those advising on the Regulation will be under significant pressure to both provide sensible advice and avoid the risk of punitive sanctions. In the short term, privacy advice is going to need a little more thought, a good deal of pragmatism and a pinch of courage.

In closing, the GDPR is coming fast, it almost certainly applies to your organization, and so the consequences of getting it wrong are severe. However, there are also positive consequences of getting it right, including a strong foundation for working with businesses in Europe, a clear understanding of consumer preferences, and strong internal data protection and security controls that foster trust with customers and partners alike.
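Section 5 lists pseudonymization among the technical safeguards and section 7 notes that key-coded data stays within the GDPR's reach depending on how hard it is to attribute the pseudonym to a person. The following added example (written for this edition, not code from the paper or any guide it cites) makes that difference concrete: an unkeyed hash of an identifier can be attributed by anyone able to enumerate candidate identifiers, whereas an HMAC under a secret key held apart from the rows keeps records linkable for analysis but not attributable without the key table. The sample records, the `email` identifier and the `KeyCodedDataset` store are constructed for illustration.

```python
"""Key-coded pseudonymization with the key held apart from the data (added example)."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional

# Constructed sample records (fictitious people); the e-mail is the direct identifier.
SAMPLE_RECORDS = [
    {"email": "ana@example.test", "country": "RS", "age_band": "30-39", "plan": "pro"},
    {"email": "bo@example.test", "country": "DE", "age_band": "20-29", "plan": "free"},
    {"email": "ana@example.test", "country": "RS", "age_band": "30-39", "plan": "pro"},
]
DIRECT_IDENTIFIERS = ("email",)


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain SHA-256 of the identifier: deterministic, but anyone who can
    enumerate candidate identifiers can attribute it (see attribute_by_guessing)."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: the same identifier always yields the
    same pseudonym, so records stay linkable, but attribution needs the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


class KeyCodedDataset:
    """Pseudonymized rows plus a key table that is meant to live in a separate,
    access-restricted store (the 'key-coding' the paper refers to)."""

    def __init__(self, key: Optional[bytes] = None):
        self.key = key if key is not None else secrets.token_bytes(32)
        self.rows: List[Dict] = []              # shareable with analysts
        self._key_table: Dict[str, str] = {}    # pseudonym -> identifier

    def add(self, record: Dict) -> Dict:
        identifier = record["email"]
        pseudonym = keyed_pseudonym(identifier, self.key)
        # Strip direct identifiers; keep the non-identifying attributes.
        row = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_id"] = pseudonym
        self.rows.append(row)
        self._key_table[pseudonym] = identifier
        return row

    def reidentify(self, pseudonym: str) -> Optional[str]:
        """Only the holder of the key table can attribute a row to a person."""
        return self._key_table.get(pseudonym)

    def erase_subject(self, identifier: str) -> int:
        """Handle an erasure request by dropping the link; returns how many rows
        remain that can no longer be attributed to the person without it."""
        pseudonym = keyed_pseudonym(identifier, self.key)
        self._key_table.pop(pseudonym, None)
        return sum(1 for r in self.rows if r["subject_id"] == pseudonym)


def attribute_by_guessing(pseudonym: str, candidates: List[str],
                          pseudonym_fn: Callable[[str], str]) -> Optional[str]:
    """Model of a party holding the rows and a candidate list but not the key:
    recompute pseudonyms for each candidate and look for a match."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonym_fn(candidate), pseudonym):
            return candidate
    return None


def build_dataset(key: Optional[bytes] = None) -> KeyCodedDataset:
    ds = KeyCodedDataset(key)
    for record in SAMPLE_RECORDS:
        ds.add(record)
    return ds


if __name__ == "__main__":
    ds = build_dataset()
    candidates = ["bo@example.test", "ana@example.test"]
    print("same person, same pseudonym:", ds.rows[0]["subject_id"] == ds.rows[2]["subject_id"])
    print("reidentified via key table:", ds.reidentify(ds.rows[0]["subject_id"]))
    print("unkeyed hash, guessed from candidates:",
          attribute_by_guessing(unkeyed_pseudonym("ana@example.test"), candidates, unkeyed_pseudonym))
    print("keyed pseudonym, guessed without the key:",
          attribute_by_guessing(ds.rows[0]["subject_id"], candidates,
                                lambda c: keyed_pseudonym(c, b"wrong key")))
```

Whether such data counts as personal data under the Regulation then turns on who holds `_key_table` and the key: the controller that keeps both can re-identify every row and is plainly processing personal data, while a recipient of `rows` alone cannot attribute them without the key.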
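Section 9 sets out the 72-hour clock and the four contents a breach notification must carry, and distinguishes breaches that must go to the authority (a risk to rights and freedoms) from those that must also go to the affected individuals (a particularly high risk). The added example below (written for this edition, not part of the paper) encodes that triage as a small procedure an internal breach reporting process could run: it checks which mandatory contents are still missing, computes the deadline from the moment of becoming aware, and flags overdue cases. The three-level `risk` scale, the field names and the sample events are assumptions made for illustration.

```python
"""Breach notification triage: the 72-hour clock and the required contents (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

NOTIFICATION_WINDOW = timedelta(hours=72)
# The four contents the paper lists for the notification to the supervisory authority.
REQUIRED_FIELDS = ("nature", "subjects_affected", "likely_consequences", "measures")
# Assumed scale: "none" (no notification), "risk" (notify the authority),
# "high" (notify the authority and the affected individuals).
RISK_LEVELS = ("none", "risk", "high")


@dataclass
class BreachEvent:
    aware_at: datetime                 # moment the controller became aware (timezone-aware)
    risk: str                          # one of RISK_LEVELS
    nature: str = ""
    subjects_affected: Optional[int] = None
    likely_consequences: str = ""
    measures: str = ""


def missing_fields(event: BreachEvent) -> List[str]:
    """Mandatory notification contents that are still unfilled."""
    return [name for name in REQUIRED_FIELDS if getattr(event, name) in (None, "")]


def notification_deadline(event: BreachEvent) -> datetime:
    """72 hours run from becoming aware of the breach, not from when it happened."""
    return event.aware_at + NOTIFICATION_WINDOW


def triage(event: BreachEvent, now: datetime) -> Dict:
    """Decide who must be notified and whether the notification is complete and on time."""
    if event.risk not in RISK_LEVELS:
        raise ValueError(f"unknown risk level: {event.risk!r}")
    deadline = notification_deadline(event)
    missing = missing_fields(event)
    notify_authority = event.risk in ("risk", "high")
    return {
        "notify_authority": notify_authority,
        "notify_subjects": event.risk == "high",
        "deadline": deadline,
        "hours_remaining": (deadline - now).total_seconds() / 3600,
        "overdue": notify_authority and now > deadline,
        "missing_fields": missing,
        "ready_to_send": notify_authority and not missing,
    }


# Constructed sample events (no real incident).
LOST_LAPTOP = BreachEvent(
    aware_at=datetime(2018, 5, 28, 9, 0, tzinfo=timezone.utc),
    risk="high",
    nature="Unencrypted laptop holding a customer export lost in transit",
    subjects_affected=1250,
    likely_consequences="Loss of confidentiality; phishing against affected customers",
    measures="Remote wipe issued; exports moved to encrypted storage",
)
INTERNAL_MISFILE = BreachEvent(
    aware_at=datetime(2018, 5, 28, 9, 0, tzinfo=timezone.utc),
    risk="none",
    nature="Internal report e-mailed to the wrong internal mailbox and recalled",
)


if __name__ == "__main__":
    for event in (LOST_LAPTOP, INTERNAL_MISFILE):
        print(event.nature)
        print("  ", triage(event, datetime.now(timezone.utc)))
```

Running it a day after becoming aware of the lost laptop reports 48 hours remaining, both notifications required and no missing contents; the misfiled internal report needs no notification, and the triage lists the three contents that would still have to be filled in if its risk were reassessed upward.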
[9] Hunton & Williams, The Proposed EU General Data Protection Regulation: A Guide for In-house Lawyers, 2015.
[10] Information Commissioner’s Office (ICO), Data Protection: Guide to the General Data Protection Regulation (GDPR), 2018.
[11] Mason Hayes & Curran, Getting Ready for the General Data Protection Regulation: A Guide by Mason Hayes & Curran, Dublin, London, New York & San Francisco, 2018.
[12] G. Latchams, A Practical Guide to the General Data Protection Regulation, Version 1.0, 2017.
[13] Bird & Bird, Guide to the General Data Protection Regulation, 2017.
[14] Charity Finance Group (CFG), Inspiring Financial Leadership, General Data Protection Regulation: A Guide for Charities, 2017.
[15] S. Blanchard, R. Smith, L. BlueVenn, The General Data Protection Regulation (GDPR): A Practical Guide for Businesses, 2016.
[16] IT Governance, EU General Data Protection Regulation: A Compliance Guide, 2016.
[17] Independent Booksellers Forum, Guides to Practical Bookselling: General Data Protection Regulation (GDPR), 2017.
[18] SAGE, General Data Protection Regulation (GDPR): The Sage Quick Start Guide for Businesses, 2017.
[19] European Federation for Print and Digital Communication (INTERGRAF), INTERGRAF Guide to the European Data Protection Regulation for European Printers, 2016.
[20] DLA Piper, A Guide to the General Data Protection Regulation, 2016.
[21] Tectrade, GDPR: A Practical Guide, Varonis, 2017.
[22] TLT LLP, Get Ready: An Essential Guide to the General Data Protection Regulation, 2017.
[23] Linklaters, The General Data Protection Regulation: A Survival Guide, 2016.
[24] ESET, Quick Guide to the EU General Data Protection Regulation, 2017.
[25] An Coimisinéir Cosanta Sonraí, The GDPR and You: General Data Protection Regulation, Preparing for 2018, 2017.