The current buzzword for anyone working in, or with clients in, the European Union is the GDPR (General Data Protection Regulation), which became enforceable on 25 May 2018.
It replaces the 1995 Data Protection Directive and was adopted by the European Parliament and Council on 14 April 2016.
The regulation gives individuals control over their personal data and how it is used. It applies to personal data processed by some level of automated means. The GDPR sets out various requirements for data controllers (anyone who controls personal data) to lawfully process and protect personal data.
The main reason it was implemented was because of the evolution of technology and specifically online platforms and the use of personal information on these mediums.
Lawyer/client and doctor/patient privilege have been used for many years and are measures to prevent the spread of personal/private data beyond those who need to know.
During the 1950s, efforts were made through the EU convention on human rights to put more formalised systems in place. Various conventions and acts followed. However, there was no single centralised law, and the data protection laws of most nations varied and were, in some instances, even incompatible.
Furthermore, social media and cloud storage had not even been invented when the 1995 Data Protection Directive was established.
The GDPR takes into account the advances in modern technology but is focused on protecting the rights of individuals. As it is not just a directive, it will be enforceable by law in all member states.
The law entails that controllers must process personal data lawfully, transparently, for a specified legitimate purpose and only for the specified purpose.
For companies it means that:
- There is a lawful purpose for processing data;
- Technical and organisational data protection measures are implemented;
- Data protection impact assessments on the company’s high-risk data processing activities are conducted;
- An audit trail of the company’s processing of personal data or decisions related to it is kept;
- It is determined whether the company needs to appoint a data protection officer to oversee the data protection process; and
- Unauthorised disclosure of personal data will be documented and the company’s supervisory authority in the EU and affected individuals will be notified.
The controller must ensure the individual understands:
- Why the controller processes personal data;
- How long the controller will store it;
- How to request the rectification or erasure of personal data;
- The right to lodge a complaint and how to do so; and
- Whether the collection of personal data is obligatory or voluntary, and the consequences if the data is not provided.
The only lawful grounds for controllers to process the personal data of an individual are:
- If the individual has given their consent;
- To perform in terms of a contract;
- To comply with a legal obligation;
- To protect an individual’s vital interests;
- If it is in the public interest; or
- If it is in the controller’s legitimate interests.
Only one of these justifications is necessary.
The GDPR applies to any data processed by a controller in any of the 28 EU member states. It also applies to any entity residing outside the EU, but processing data of individuals in the EU. In short, any entity offering services or products to EU citizens or monitoring their behavior must comply with the GDPR.
Any company in breach of the protection rules could be fined up to 2% of their annual worldwide turnover or €1 million, whichever is higher.
For South Africans, the GDPR is closely related to the POPI Act (Protection of Personal Information) which was enacted in 2013.