We are fast approaching the effective date of the new legislation that will change how personal data controllers operate. As you know, GDPR will apply starting May 25, 2018.

The business environment already knows that GDPR will bring changes, but for many of us it is still unclear what those changes are. For this reason, we decided to do what we know best: research and document.

Exclusive interview

We reached out to a legal specialist to answer a series of specific questions, with the aim of finding the most effective approach to being compliant with the new laws. Cosmin Iliescu, a lawyer with experience in the field, gave us an exclusive interview in which he detailed what GDPR means, who applies it, what rights it protects, and what opportunities arise.

Cosmin Iliescu has been a member of the Bucharest Bar since 2001, having been involved in Data Protection projects for over 10 years.

He is a partner at the Law Firm Păcuraru, Iliescu, Măzăreanu & Asociații and, together with his colleagues, has accumulated vast experience in various practice areas, such as IT&C, meal voucher legislation, public procurement, commercial law, insurance, among others.

What’s New in GDPR

What does GDPR bring that is new compared to the current legislation?

First of all, we are talking about a regulation that will replace the current directive, which was transposed in the past through Law 677/2001. Since GDPR is a Regulation adopted at the EU level, it will be directly applicable in all EU member states, with no further need for a transposing law.

Certain existing elements are emphasized

There are several areas where the Regulation brings a series of new elements or emphasizes some existing ones.

I would mainly follow two levels: changes regarding the interests/rights of the data subjects, on one hand, and changes regarding the way data is organized and processed at the level of data controllers, on the other hand.

GDPR guarantees new rights

Regarding the data subjects, new rights are guaranteed that were not previously provided for in European legislation: the right to be forgotten, in the exercise of which the deletion of data can be requested if it is processed unlawfully, without consent, or if the data is no longer necessary for the purpose for which it was initially processed.

I would also mention the right to data portability, which establishes the freedom of the data subject to opt for the transfer of data to another controller, for the latter to continue processing it (for example, porting from one mobile operator to another).

Minors benefit from increased protection

Also, specific provisions regarding minors have appeared in connection with the processing of their data, especially in the online environment. Here, clear and simple rules will be required so that the young person / child can understand them, and the consent of the parent / guardian must be obtained, as the case may be.

Complaint procedures are simplified

Another rule established by GDPR considers the proximity of the supervisory authority to the data subject.

Thus, the supervisory authority in the member state where the data subject is located acts as a contact point when the complained-against controller is established in another state, and complaints of any kind can be validly addressed to it.


One Stop Shop for data controllers

Regarding data controllers, the Regulation also has a significant impact on their activity.

One Stop Shop is a concept of particular interest to controllers who carry out their activities in several EU member states. In their case, the competent supervisory authority is the one in the member state where the respective controller has its main establishment, thus facilitating the process of compliance with the provisions of the Regulation, especially regarding the reports or notifications that must be made.

Another concern relates to the accountability of data controllers. In this sense, the emphasis is on transparency towards the data subject and the data controller’s responsibility for the way data is processed.

In the case of data processing that involves a high risk to the privacy of individuals, the controller must carry out a privacy impact assessment. The result of such a study will allow the controller to identify specific risks and adopt measures to reduce the occurrence of such risks.

Privacy by Design & Privacy by Default

Privacy by Design & Privacy by Default are two new essential principles for data controllers. To explain the two principles, I think an example would be eloquent.

In the case of Privacy by Design, we can refer to the situation of an application developer who also processes personal data; they must ensure, from the development stage, that their application will comply with the rules and principles established by the Regulation.

Privacy by Default – within the same example, regarding the provision of an application that processes personal data, its developer must ensure that the initial settings will allow users to maintain control over how their data is processed.

The Role of the DPO

The appointment of a DPO (Data Protection Officer) at the level of the data controller is one of the measures through which accountability of data controllers is sought.

The DPO provides the controller with the advice and support necessary to comply with all its obligations and to ensure the necessary transparency towards data subjects, in a continuous collaborative process.

New sanctions, up to 20 million euros

Also, the amount of fines represents a novel element compared to the previous regulation. For non-compliance with the provisions of the Regulation, severe sanctions may be applied, depending on the gravity of the situation: fines of up to 10 – 20 million euros or between 2% and 4% of the international turnover.

Types of Data that will be protected by GDPR

What types of data are affected by GDPR? How should I protect them?

I think the answer can start right from the definition of “personal data”: any information regarding an identified or identifiable natural person (“data subject”).

An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, location data, an online identifier, or to one or more specific elements, characteristic of their physical, physiological, genetic, mental, economic, cultural, or social identity.

GDPR proposes preventive measures

GDPR proposes a series of protection measures, but at a very general level, and it primarily targets the preventive dimension. However, protection could be viewed from at least two perspectives: legal and technical.

The first concerns those legal elements that data controllers should consider in order to comply with GDPR requirements, among which I would mention:

  • the way the data subject is informed regarding the processing of their personal data, obtaining their consent, if necessary, as well as the controller’s ability to prove this fact;
  • a better contractual regulation of the relationship between data controller – processors;
  • the transposition of GDPR provisions into the documents regulating the relationship between employee and employer.

From a technical point of view, solutions in the IT&C sphere should consider ensuring a level of security appropriate to the risks that each data controller will identify, including among others the pseudonymization and encryption of personal data.


GDPR – a challenge for businesses in Romania

What do entrepreneurs need to do to comply with GDPR?

Some of our clients initially had a reaction of denial: “the Regulation’s provisions do not apply to me.” However, over time they realized that many of their activities, sometimes the most harmless from their perspective, would fall under the umbrella of the Regulation.

For example – the geolocation activity of the company’s employees involves the processing of their personal data and, depending on how intrusive the employer is, can even lead to legal effects regarding them. In this sense, employees should at least be informed about the processing of this data, as well as the purpose of this processing.

Specialists can be a real help

What will entrepreneurs have to do to comply? I think first of all they should turn to specialists in the field. It is necessary, for example, to perform at least the following preliminary activities to determine if and what type of data controller they are:

  • to identify what personal data they process;
  • to become aware of the processing activities (their types), the legal basis for processing and the duration of this processing, the IT applications and hardware terminals used in processing (including via a smartphone or a tablet), and the IT security elements used to protect them.

Depending on the data processed and the grounds for processing, some controllers will need to either appoint a DPO (data protection officer), or conduct, together with specialists in the field, an impact assessment covering all aspects of processing, or draw up a record of processing activities, or check all these activities if the Regulation requires it in their case.

Agreed technical solutions

Who determines which technical solutions are accepted by the authority responsible for the application of GDPR (the current ANSPDCP)?

For now, the market refers, on the one hand, to current practices known at the level of technical solutions and, on the other hand, to a prudential interpretation of the GDPR. Technical solutions accepted by the authority responsible for the application of GDPR in Romania are not yet known.

However, we can estimate that those technical solutions will include, among others, the following:

  1. pseudonymization and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  3. the ability to restore the availability of personal data and access to them in a timely manner in the event of a physical or technical incident;
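The first measure in the list above, and the pseudonymization mentioned earlier in the answer on protection measures, can be illustrated in code. The following Python example is added here by the editor; it is not code from the interview, the law firm or any product. It assumes a record layout with a `cnp` field, constructed sample records with made-up CNP values, and purpose labels such as "marketing" and "hr". It shows the difference between plain hashing of a CNP (which an attacker who can enumerate candidate CNPs reverses with a dictionary attack) and keyed pseudonymization, with the re-identification table kept as separate "additional information". Encryption at rest of the pseudonymized records is not shown, since the standard library has no AES; a library such as `cryptography` would be used for that.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample records for this example; the CNP values are made up
# and the field names are an assumption, not a format from the interview.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"cnp": "1850101123456", "name": "A. Popescu", "city": "Bucuresti"},
    {"cnp": "2900215654321", "name": "M. Ionescu", "city": "Cluj-Napoca"},
    {"cnp": "1850101123456", "name": "A. Popescu", "city": "Timisoara"},  # same person, second record
]


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier. This is NOT adequate pseudonymization:
    a 13-digit CNP has a small, structured search space, so anyone can hash
    candidate CNPs and match them against the 'pseudonyms'."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(key: bytes, purpose: str, identifier: str) -> str:
    """HMAC-SHA256 over (purpose, identifier) with a secret key.
    Without the key, candidates cannot be hashed and compared. The purpose
    label is mixed in so that the same CNP gets unlinkable pseudonyms in data
    sets kept for different purposes (e.g. marketing vs. HR)."""
    msg = purpose.encode("utf-8") + b"\x1f" + identifier.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def pseudonymize_records(
    records: Iterable[Dict[str, str]], key: bytes, purpose: str
) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Return (pseudonymized copy of the records, re-identification table).
    The table maps pseudonym -> CNP and is the 'additional information' that
    must be stored separately from the working data set, under its own
    access controls, together with the key."""
    out: List[Dict[str, str]] = []
    table: Dict[str, str] = {}
    for rec in records:
        rec = dict(rec)                      # do not mutate the caller's data
        cnp = rec.pop("cnp")                 # direct identifier leaves the record
        ref = keyed_pseudonym(key, purpose, cnp)
        rec["subject_ref"] = ref             # records of one person stay linkable
        table[ref] = cnp
        out.append(rec)
    return out, table


def dictionary_attack(
    targets: Iterable[str], candidates: Iterable[str], hash_fn: Callable[[str], str]
) -> Dict[str, str]:
    """Attacker's view: hash every candidate identifier and report which
    target values it explains. Returns {target_hash: recovered_identifier}."""
    wanted = set(targets)
    found: Dict[str, str] = {}
    for cand in candidates:
        h = hash_fn(cand)
        if h in wanted:
            found[h] = cand
    return found


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and stored by the controller, never with the data
    marketing, table = pseudonymize_records(SAMPLE_RECORDS, key, "marketing")
    hr, _ = pseudonymize_records(SAMPLE_RECORDS, key, "hr")

    # An attacker who knows (or enumerates) candidate CNPs:
    candidates = ["1850101123456", "2900215654321", "5000101000000"]
    weak = [unkeyed_hash(r["cnp"]) for r in SAMPLE_RECORDS]
    strong = [r["subject_ref"] for r in marketing]
    print("unkeyed hashes recovered:", len(dictionary_attack(weak, candidates, unkeyed_hash)))
    print("keyed pseudonyms recovered:", len(dictionary_attack(strong, candidates, unkeyed_hash)))
    print("same person linkable within one purpose:",
          marketing[0]["subject_ref"] == marketing[2]["subject_ref"])
    print("linkable across purposes:", marketing[0]["subject_ref"] == hr[0]["subject_ref"])
    print("re-identification via separate table:", table[marketing[0]["subject_ref"]])
```

Run stand-alone, the script recovers every unkeyed hash from the candidate list and none of the keyed pseudonyms, and shows that the same CNP is linkable within the marketing data set but not between the marketing and HR data sets. Re-identification remains possible only through the separately stored table (or the key), which is exactly what the "additional information kept separately" condition in the GDPR definition of pseudonymization requires.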


The impact of GDPR on Marketing

How does GDPR impact marketing activity?

Minors are better protected

We can observe that the GDPR recognizes in its preamble that special attention should be given to children who may be targeted or indirectly affected by marketing activities.

They need specific protection of their personal data, as they may be less aware of the risks and consequences of processing their data.

This specific protection should apply in particular to the use of children’s personal data for marketing purposes or for creating personality or user profiles and to the collection of personal data regarding children when using services offered directly to children.

The GDPR considers that the holder of parental responsibility should control situations in which the processing of children’s data would take place.

GDPR recognizes a legitimate interest in Marketing

Moving to another register, we can note that the GDPR recognizes a legitimate interest in the processing of personal data for direct marketing purposes.

Thus, the legitimate interests of a controller, including those of a controller to whom personal data may be disclosed or of a third party, may constitute a legal basis for processing, provided that the interests or fundamental rights and freedoms of the data subject do not prevail, taking into account the reasonable expectations of data subjects based on their relationship with the controller.

This legitimate interest could exist, for example, when there is a relevant and appropriate relationship between the data subject and the controller, such as when the data subject is a client of the controller or is in their service.

Direct marketing becomes more transparent

However, we must remember that if personal data are processed for direct marketing purposes, the data subject should have the right to object to such processing, including profiling to the extent that it is related to direct marketing, at any time and free of charge.

This right should be explicitly brought to the attention of the data subject of the processing for marketing purposes and presented clearly and separately from any other information.


GDPR Alignment

How can a business know if it is aligned with the standards imposed by the GDPR? What are the minimum steps to be followed?

A self-assessment is difficult to perform in the absence of thorough knowledge in the field of personal data processing. However, here I would reiterate the need to determine what type of personal data each company processes.

Identification of the types of data processed

There are basically three types of data, each of which can give rise to certain levels of protection:

  • personal data, we can call them general;
  • special data (for example, racial origin, political opinions, religious beliefs, biometric or genetic data);
  • sensitive data derived from special ones but on which each member state can legislate, widening their scope, including any other type of data that is proper and specific to it, depending on the level of protection it considers appropriate. In Romania, I expect it to be, first and foremost, the CNP.

Data processing

Then, another necessary step is identifying the processing activities, which can be very diverse, from collection, recording, storage, consultation, to deletion and destruction. Yes, the activities of deletion and destruction of personal data fall within the scope of data processing regulated by the GDPR.

Determining the computer applications and hardware terminals used is also important.

Last but not least, a legal assessment of the basis for processing is necessary, which according to the GDPR can be the consent of the data subject, the execution of a contract, the fulfillment of a legal obligation, the protection of the vital interests of the data subject, the performance of a task serving a public interest, or the legitimate interest pursued by the controller.

Multidisciplinary teams can ensure compliance

To whom should entrepreneurs turn to ensure that their business does not violate GDPR provisions?

To data processing consultants, and I am not referring here only to an IT security consultant or only to a legal consultant, because neither of them, alone, without the support of the other, could provide adequate consultancy to a data controller.

When I say a data protection consultant, I do not mean just one person, but a team consisting of at least two people with distinct specializations: legal and IT with experience in similar data protection projects.


How GDPR affects activity for the non-EU space

Does GDPR apply exclusively to the EU space? If a business involves working with third parties from the EU and non-EU (for example, the UK), how should it proceed? Does GDPR apply differently in each European country?

Through GDPR, the rights of all persons located on EU territory are protected, regardless of the geographical positioning of the data controller.

Thus, the scope of application is extended to data controllers established outside the EU, to the extent that their goods and/or services are addressed (also) to persons located on EU territory; these data controllers will have to comply with the rules and principles established by the Regulation.

GDPR does not apply differently in each European country

In principle, GDPR does not apply differently in each European country. However, the Regulation leaves the freedom for states to legislate in certain areas of interest, thus complementing the applicable normative system.

Thus, for example, each member state can broaden the scope of sensitive data and, as the case may be, can establish special rules applicable to their processing; as an example, most likely in Romania, the CNP (Personal Identification Number) will be a sensitive data point, being a type of data not found in other states.

Also, member states can provide additional conditions, including restrictions, for the processing of special personal data. Another example regarding the margin of appreciation of member states would be their possibility to detail the list of types of activities for which an impact assessment is necessary.

The Regulation only provides some indicators of the activities for which an impact assessment must be carried out.

GDPR protects sensitive data

How do you think GDPR will be able to prevent a situation like the Cambridge Analytica case?

If we consider the Cambridge Analytica case, personal data were collected to build psychological profiles of Facebook users in order to anticipate their tendencies and political inclinations. If, even accidentally, the disclosed data concerned individuals who were in the EU, then I believe the answer for a similar situation in the future can only be affirmative: GDPR should prevent the occurrence of similar situations.

Let’s not forget that GDPR prohibits the processing of personal data revealing the political opinions of the data subject without the express and unequivocal consent of the data subject, and the violation of such a legal provision in the future will attract downright discouraging administrative sanctions.

Opportunities brought by GDPR

So far, the feeling is that GDPR only brings responsibilities. Beyond these, are there also opportunities in this context?

To the extent that data controllers turn to a multidisciplinary team to implement the GDPR requirements, they will begin to see opportunities for organizational change during that team’s analysis and the implementation of the solutions it proposes.

Quality data means quality marketing

Moving away from a simple compliance exercise, they will identify a series of more efficient ways to interact with customers, partners, and employees. Also, during the analysis, opportunities to reduce the complexity and costs of data processing can be identified, among which I would mention:

  • The rights of data subjects enshrined in the GDPR, once translated into various processes and control measures, can ensure an increase in the efficiency of a company’s activity regarding the personal data it processes;
  • The obligation to develop a record of processing activities, as well as the personal data processed, can lead to better visibility of the data already processed, which can translate into better data management and the emergence of new business ideas;
  • Principles such as minimization or privacy by design can lead, after implementation, to reduced storage costs, data updates, as well as simplification of operations performed with this data.


Stay up to date with the evolution of GDPR

Our concern regarding the impact of GDPR began with a study that reveals how Romanian companies prepared for the implementation of the new data protection regulations. We invite you to download the study for free here.

If you found this material useful, we invite you to subscribe to the newsletter. This way, you ensure that you don’t miss any market studies, interviews with specialists, and stay up to date with the latest marketing trends.