Data protection in the 21st century
On 25 May the General Data Protection Regulation (GDPR) will come into effect. Applicable to the entire EU, its aim is to protect the individual rights of citizens while guaranteeing the free and secure movement of personal data within the EU. Cosimo Monda, head of the European Centre on Privacy and Cybersecurity at the UM Faculty of Law, explains the consequences. “Companies and public bodies alike can benefit – if they come prepared.”
The new regulation is a timely and positive development, Monda says. The current privacy legislation of the EU member states is based on the Data Protection Directive, a now outdated European guideline from 1995. Back then there were no social networking sites, cloud computing, big data analytics or smart devices.
“Today interconnected devices share personal information without people being actively involved at all. The regulation aims to protect citizens’ privacy by increasing their control over their own data. At the same time it ensures the free flow of data and should cut costs for organisations, helping to unleash the potential of the EU’s digital single market.”
The GDPR will also put an end to legal fragmentation at the national level. Because governments were able to implement the privacy guidelines of the 1995 directive in different ways, there are at present 28 different systems of privacy rules.
“The regulation aims to harmonise these systems and minimise national manoeuvres. There will be a single data protection law for the citizens of all member states.”
The GDPR, which in the Netherlands will replace the Personal Data Protection Act (WBP), will necessitate a number of reforms. For organisations, there is greater emphasis on accountability: they will need to implement measures that allow them to demonstrate compliance with the regulation upon request. This means, among other things, performing periodic privacy-risk assessments and adopting transparent data-protection policies; for instance, clearly stating how long they retain personal data.
Certain organisations will also be required to appoint a data protection officer. Privacy by design (building data protection into the development of products and services) and privacy by default (making default settings as privacy-friendly as possible) will become mandatory. And data breaches will need to be reported within 72 hours.
The rules surrounding consent are changing too. Implicit consent will no longer be sufficient: data subjects will need to give explicit prior consent for the processing of their data, and the consent requirements will be more stringent.
Furthermore, the new ‘right to be forgotten’ will allow people to request that organisations delete their personal data if there are no legitimate grounds for retaining it. For example, you can ask Google to remove links to personal information about you.
New, too, is the right to restrict or prevent data-processing operations and the right to portability, allowing individuals to move their personal data from one service provider to another.
Will all these obligations impede the use and transfer of data for research purposes? Not if you ask Monda. He points out that the free exchange of data for scientific purposes remains an exception in the GDPR. In general, Monda has few bones to pick with the new law.
“See it as a harmonisation of the national regulations. There are changes and additions, but the general privacy principles are the same as under the previous directive. Not much will change.”
Organisations and companies may have concerns about living up to the new law, but data protection is part of good governance, he says. The implementation of the GDPR will give companies the opportunity to better themselves by making fairer and more efficient use of personal data.
Monda: “You can even gain a competitive advantage by promoting yourself as a transparent company in full compliance with the GDPR. The same goes for organisations in the public sector. By showing that you collect data honestly and fairly, you inspire more trust among consumers and citizens.”
A major advantage of the GDPR is that it is based on the principle of a one-stop shop. There will be a single set of rules for the entire EU, and in cross-border contexts, organisations and companies will only have to deal with one national Data Protection Authority (DPA).
“Big companies previously had to satisfy multiple national DPAs; now it’s only the DPA where the business is established. Gone are the days when companies could head for a country with a small and relaxed DPA. Nor can they dodge the rules by being outside of Europe, because the law applies to all organisations that offer goods or services to EU residents or monitor their behaviour, even if the data processing takes place offshore.”
An overarching committee, the European Data Protection Board, has been installed to ensure the GDPR is implemented uniformly across member states. “This board will provide guidelines to make sure the law is interpreted the same everywhere.”
On balance, Monda is positive about the new regulation. “It’s a good starting point, one single law for the whole of Europe. The message from my side? Organisations need not worry; if they already have good policies in place under the current law, they could even benefit. I’d advise them not to hold off, but to start implementing the regulation as soon as possible. Otherwise they risk potential fines up to 4% of their global annual turnover for non-compliance.”
By: Hans van Vinkeveen (text), Ted Struwer (illustrations)
Cosimo Monda (1964) is director of the Maastricht European Centre on Privacy and Cybersecurity. He previously worked at the European Institute of Public Administration and is involved in research, training and education in the fields of privacy, cybersecurity, data protection, e-learning and consultancy. He holds a law degree from the University of Bologna.