What does the GDPR’s entry into force NOT require?
The EU General Data Protection Regulation (GDPR) which needs to be applied by May 2018, is a complex and much discussed regulation reform. Even data protection experts have had a lot to learn with the blowing winds of change. The majority of articles, seminars and teaching materials have focused on what the Regulation will change and what companies should consider, so that their approaches are consistent with the GDPR by 25 May 2018 when the two-year transition period ends and the Regulation must be applied.
I recently travelled to London where I attended GDPR seminar. Rather than solely discussing what the GDPR requires, things that it does NOT require arose as one of the most interesting topics of the day. The Regulation text was amended several times while drafting. Thus, many of the changes that were originally envisaged did not happen, or found their way into the final version of the GDPR in a different form than originally planned. Several already speculated changes were discarded at the end of the day.
Here are a few selected examples:
1. Individuals have an absolute right to be forgotten.
Incorrect. Although Article 17 provides “ the right to be forgotten ”, this is not an absolute right. Organisations will continue to have the right to process personal data if this is necessary for the purpose for which the data was originally given, and if the organisation has a lawful basis for processing the data (in accordance with Article 6 or 9).
2. Every company needs a Data Protection Officer.
Incorrect. An organisation needs to appoint a Data Protection Officer only if it is a public entity, participates in large-scale processing of personal data, or participates in large-scale and systematic monitoring of data subjects. If your organisation does not fall into any of the above categories, then it is not necessary to appoint a Data Protection Officer, although it is still recommended.
3. The data controller and the data processor will be accountable to only one data protection authority.
Incorrect. Although this was the original intention of the 2012 draft, the final version says something else. It is true that organisations usually have one ‘main data protection authority’ to whom they are accountable to, but the data protection authorities of other Member States also have jurisdiction to intervene if the incident is linked to premises in the Member State or has a significant impact on data subjects in the Member State.
4. Where processing of personal data is based on consent, consent must be “explicit”.
Incorrect. This was a much discussed and debated issue during the drafting of the Regulation, but “ unambiguous ” was the word selected for the final version (Article 4, paragraph 11). Explicit consent is only required when dealing with sensitive data. Sensitive personal data includes many types of information concerning a person’s race and ethnic origin, societal activities, political or religious beliefs, criminal background, health status, sexual orientation, and need for social care. If the information is not sensitive, “ unambiguous ” consent is acceptable, which contributes to so-called “ implied consent ”, where the individual’s actions are sufficient indication of consent to data processing.
5. Rules regarding the transfer of data from one system to another will change for all companies.
Incorrect. The Regulation brings with it the right to transfer data to another system, which better corresponds to the development of today’s technology and data processing services. However, this only applies to cases in which data processing is based on consent or an agreement (Article 20, para 1). Therefore, the paragraph does not apply if the processing has a lawful basis. This is an important strategic point for companies when they decide what are the legal reasons that allow them to process personal data.