The circulation and collection of personal data have greatly increased in recent years through the growing use of the Internet, the development of connected objects and big data. According to a study by Digital Universe, the global volume of digital information today would fill a stack of iPad Air tablets 253,704 kilometres high, or 2/3 of the distance between the Earth and the Moon. Faced with this phenomenon, the European Union wants to strengthen the protection of personal data through a new European Data Protection Regulation (GDPR), which will enter into force on 25th May.
1) A European desire to guarantee a better protection of personal data
The collection of personal data endangers the privacy of individuals through the unauthorised processing of their data and, sometimes, the hacking of that data. That is why the European Union has consolidated its legislation and published the GDPR in the Official Journal on 27th April 2016. It lays down rules on the protection of individuals with regard to the processing of personal data and rules on the free movement of such data (Art. 1.1), and it has three objectives:
– strengthen the rights of natural persons;
– empower the actors dealing with data; and
– encourage enhanced cooperation between data protection authorities.
This new regulation is intended for public and private bodies that process, handle, manage or store personal data and concerns anyone whose data is collected. As a regulation and not a directive, the same text will apply throughout the Union.
2) Significant changes foreseen by the application of the Regulation
The European Data Protection Regulation strengthens the responsibility of organisations and companies to ensure optimal data protection at all times and to be able to demonstrate this by documenting their compliance. A one-year period is given to any entity that manages data to evaluate its data processing systems and bring them into line with the new requirements introduced by the legislation. These include limiting the amount of data processed, from the design of the product or service onwards and by default; carrying out privacy impact assessments; the right to be forgotten; proof of consent for the collection of personal data; and so on. The right to data portability, and the right to object to any marketing operation by companies whose main activity is profiling, may help restore the relationship of trust between e-merchants and Internet users.
In this context, the European Union has published a call for proposals under the Rights, Equality and Citizenship Programme, which aims to support national data protection authorities in informing and helping businesses to comply, but also in raising the general public's awareness of the protection of their data.
For the period 2014-2020, this programme finances projects worth 439 million euro that help promote the rights of European citizens. The H2020 Programme also funds research and stakeholder networking projects on data protection for connected objects / equipment (Internet of Things).
3) How effective will the GDPR be?
The GDPR introduces the mandatory appointment of a data protection officer (DPO) for public sector bodies and for companies whose main activity is profiling. The role of the DPO is therefore crucial in ensuring that companies respect the protection of personal data. Companies may choose to appoint an employee as an internal DPO or to engage an external professional adviser. The question of the DPO's independence and reliability then arises.
Failure to comply with the rules of the GDPR can result in significant administrative sanctions as well as administrative fines ranging from 10 to 20 million euro.
In the face of current threats, can the GDPR encourage companies to acquire the appropriate means and systems to protect personal data? Will all companies be ready by 25th May 2018?
Discover the 6 steps presented by the CNIL to prepare for the European regulation.