The new regulation is a timely and positive development, Monda says. The current privacy legislation of the EU member states is based on the Data Protection Directive, a now outdated European guideline from 1995. Back then there were no social networking sites, cloud computing, big data analytics or smart devices.

“Today interconnected devices share personal information without people being actively involved at all. The regulation aims to protect citizens’ privacy by increasing their control over their own data. At the same time it ensures the free flow of data and should cut costs for organisations, helping to unleash the potential of the EU’s digital single market.”

The GDPR will also put an end to legal fragmentation at the national level. Because governments were able to implement the privacy guidelines of the 1995 directive in different ways, there are at present 28 different systems of privacy rules.

“The regulation aims to harmonise these systems and minimise national manoeuvres. There will be a single data protection law for the citizens of all member states.”

Reforms
 

The GDPR, which in the Netherlands will replace the Personal Data Protection Act (WBP), will necessitate a number of reforms. For organisations, there is greater emphasis on accountability: they will need to implement measures that allow them to demonstrate compliance with the regulation upon request. This means, among other things, performing periodical privacy-risk assessments and making transparent data-protection policies; for instance, clearly stating how long they retain personal data.

Certain organisations will also be required to appoint a data protection officer. Privacy by design (building data protection into the development of products and services) and privacy by default (making default settings as privacy-friendly as possible) will become mandatory. And data breaches will need to be reported within 72 hours.

Furthermore, the new ‘right to be forgotten’ will allow people to request that organisations delete their personal data if there are no legitimate grounds for retaining it. For example you can ask Google to remove links with personal information about you.

New, too, is the right to restrict or prevent data-processing operations and the right to portability, allowing individuals to move their personal data from one service provider to another.

Will all these obligations impede the use and transfer of data for research purposes? Not if you ask Monda. He points out that the free exchange of data for scientific purposes remains an exception in the GDPR. In general, Monda has few bones to pick with the new law.

“See it as a harmonisation of the national regulations. There are changes and additions, but the general privacy principles are the same as under the previous directive. Not much will change.”
 

Good governance
 

Organisations and companies may have concerns about living up to the new law, but data protection is part of good governance, he says. The implementation of the GDPR will give companies the opportunity to better themselves by making fairer and more efficient use of personal data.

Monda: “You can even gain a competitive advantage by promoting yourself as a transparent company in full compliance with the GDPR. The same goes for organisations in the public sector. By showing that you collect data honestly and fairly, you inspire more trust among consumers and citizens.”

“Big companies previously had to satisfy multiple national DPAs; now it’s only the DPA where the business is established. Gone are the days when companies could head for a country with a small and relaxed DPA. Nor can they dodge the rules by being outside of Europe, because the law applies to all organisations that offer goods or services to EU residents or monitor their behaviour, even if the data processing takes place offshore.”

An overarching committee, the European Data Protection Board, has been installed to ensure the GDPR is implemented uniformly across member states. “This board will provide guidelines to make sure the law is interpreted the same everywhere.”

On balance, Monda is positive about the new regulation. “It’s a good starting point, one single law for the whole of Europe. The message from my side? Organisations need not worry; if they already have good policies in place under the current law, they could even benefit. I’d advise them not to hold off, but to start implementing the regulation as soon as possible. Otherwise they risk potential fines up to 4% of their global annual turnover for non-compliance.”

By: Hans van Vinkeveen (text), Ted Struwer (illustrations)