The GDPR came into being on the 27th April 2016 and incorporates principles already found in Directive 95/46/EC whilst also repealing the latter. It is an EU Regulation and therefore does not require domestic legislation to be in place in order to apply. The aim of the GDPR is to try and fill the various blind-spots in Directive 95/46/EC to make the law more relevant to the modern day. There are a few changes to existing data protection laws which are of note.
First is the right to restrict processing. This allows an individual to restrict the controller from processing some or all of their personal data for reasons like inaccuracy in the data processed or unlawful processing operations the subject has caught wind of. Secondly the GDPR incorporates the obligation that data protection needs to be a guiding principle for controllers throughout their activity (Privacy by Design and Default). This means that when a new business venture or process is being considered data protection has to be figured-in from beginning to end.
Furthermore, one major development in the GDPR is the acknowledgement of Binding Corporate Rules as a viable regulatory solution where an undertaking needs to process data with or through other bodies established outside the EU. This allows greater opportunities in compliance for organisations which may have branches outside of Europe.
Finally, regarding penalties, it is worth noting that depending on the nature of the breach of law, the maximum administrative penalty can be up to the higher of €20,000,000 or 4% of the controller’s worldwide annual turnover. Suffice it to say that data controllers would best take heed.
Article published by: Dr. Gege Gatt, Malta IT Law Association
