
The General Data Protection Regulation

5/3/2018

With the ever-increasing hype and discussion surrounding the upcoming implementation of the GDPR, micro-businesses and affected professionals have no doubt wondered how this regulation will, in one way or another, affect their business. But what is the GDPR?
 
The General Data Protection Regulation, or GDPR for short, is an eleven-chapter regulation coming into effect on the 25th of May 2018. The regulation, which was approved by the EU Parliament following four years of preparation and debate, replaces its predecessor, the Data Protection Directive 95/46/EC.
 
Aim of the regulation

The aim of the regulation is to protect EU-domiciled individuals from privacy and data breaches in today’s digital world. The 1995 directive, which had not been updated in over two decades, underwent a thorough restructuring, with new key points added and parts of the old articles revamped to accommodate and regulate the fast-changing, data-driven world in which we live today.
 
The new regulation is structured around nine key points. These include penalties, consent, four data subject rights, privacy by design, and perhaps the two most disruptive points of all: the appointment of a data protection officer and territorial scope.
 
The Regulation

The regulation was redesigned to increase the territorial coverage of data protection, which is one of the biggest changes in the regulation itself. The extra-territorial applicability affects controllers and processors that, in any form, process private and confidential data of EU-based customers, irrespective of where they are established and whether or not a payment is required for the service or good rendered. This means that if a US company renders a service to an EU-based customer, and certain private data is required to deliver the product or service, the US company is required to operate within the GDPR regulatory framework and is therefore subject to its penalties if a clause is breached, even though the processing did not take place in the EU. Furthermore, non-EU businesses processing the data of EU citizens are required to appoint a representative in the EU. In this way, the GDPR's applicability clauses are clear and unambiguous, unlike those of the preceding directive.
 
In addition to this, customer-consent conditions have been strengthened. With the implementation of the GDPR, companies will no longer be able to rely on long, illegible terms and conditions full of legalese. Instead, a request for consent must be presented in an intelligible and easily accessible form, with a clear statement of why consent is needed and of why and how the data will be processed, all in clear and plain language that any customer can understand. Furthermore, withdrawing consent must be as easy for the customer as giving it.

Another important aspect of the GDPR is the handling and storage of data. Data systems owned by controllers must have adequate technical and organizational measures in place to satisfy the requirements of the regulation. This is referred to as the Privacy by Design concept. The system must give the controller effective ways to implement the appropriate technical and organizational measures in line with the GDPR, while being secure and held to current digital security specifications. Note that the GDPR also covers ‘Cloud’ data storage as a system of personal data storage, so cloud systems are not exempt from GDPR enforcement. Furthermore, Article 23 of the regulation requires controllers to hold only the data strictly necessary to carry out their duties. This is called data minimization. For example, where only a name and address are needed to deliver the service or product, a contact number is additional information that exposes you, as a processor, to further unnecessary risk. Processors are also urged to limit access to personal data to those who need it to carry out the processing, thereby increasing data security.
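The two practices in the paragraph above, data minimization and limiting access to those who carry out the processing, together with the time limits for erasure that the record-keeping requirements call for, can be enforced in code at the point where personal data enters a system. The example below is added here for illustration and is not code from the original article or from BGMT; the purposes (`invoice`, `delivery`), the roles, the allowed fields and the retention periods are constructed assumptions, not values taken from the regulation.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed example: the fields each processing purpose is allowed to hold.
# Anything not listed here is dropped at intake (data minimisation).
ALLOWED_FIELDS = {
    "invoice": {"name", "address"},
    "delivery": {"name", "address", "phone"},
}

# Constructed example: which roles may read personal data for which purpose
# (access limited to those who actually carry out the processing).
ROLE_PURPOSES = {
    "accounts": {"invoice"},
    "dispatch": {"delivery"},
}

# Constructed retention periods per purpose; the erasure date is fixed at intake
# so the "time limit for erasure" is recorded alongside the data itself.
RETENTION = {
    "invoice": timedelta(days=365 * 6),
    "delivery": timedelta(days=90),
}


@dataclass(frozen=True)
class Record:
    purpose: str
    data: dict
    erase_after: date


def minimise(purpose: str, submitted: dict, today: date) -> Record:
    """Keep only the fields the stated purpose needs and stamp an erasure date."""
    if purpose not in ALLOWED_FIELDS:
        raise ValueError(f"unknown purpose: {purpose}")
    kept = {k: v for k, v in submitted.items() if k in ALLOWED_FIELDS[purpose]}
    return Record(purpose, kept, today + RETENTION[purpose])


def dropped_fields(purpose: str, submitted: dict) -> set:
    """Report which submitted fields were discarded, for the intake log."""
    return set(submitted) - ALLOWED_FIELDS.get(purpose, set())


def read_record(role: str, record: Record, today: date) -> dict:
    """Return the record only to a role that processes for its purpose,
    and only while the retention period has not expired."""
    if record.purpose not in ROLE_PURPOSES.get(role, set()):
        raise PermissionError(f"role {role!r} may not read {record.purpose} data")
    if today > record.erase_after:
        raise LookupError("record is past its erasure date and must be deleted")
    return record.data


def due_for_erasure(records, today: date) -> list:
    """List records whose time limit for erasure has passed."""
    return [r for r in records if today > r.erase_after]


if __name__ == "__main__":
    # Constructed sample submission: the phone number is not needed for invoicing.
    submitted = {"name": "A. Sample", "address": "1 Example St", "phone": "000"}
    rec = minimise("invoice", submitted, date(2018, 5, 25))
    print(rec.data, "dropped:", dropped_fields("invoice", submitted))
    print(read_record("accounts", rec, date(2019, 1, 1)))
```

The allowlist is keyed by purpose rather than by field, so a new purpose cannot silently widen what every other purpose collects, and the erasure date travels with the record, which makes the periodic deletion run a simple filter rather than a reconstruction of when each item was collected.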
 
Taken together, breaches of the GDPR by controllers are heavily penalized by the authorities. Serious infringements, including insufficient customer consent and violation of the core concepts of Privacy by Design, can be fined up to 4% of total annual turnover or €20,000,000, whichever is greater. The fines are tiered in the regulation, with penalties classified according to the severity of the breach, from loss of data privacy down to not keeping organized records.
 
Apart from the various rights granted to data subjects, such as notification of a breach by the controller, the right to access the data, data erasure (the right to have your data wiped from the controller) and data portability, the GDPR also gave rise to the appointment of Data Protection Officers. Under current legislation, controllers are required to notify the local authorities of their data processing activities. Under the new regulation, notifications to the local DPA (Data Protection Authority) and approval for transfers will no longer be required. Instead, the legislation sets out internal record-keeping requirements together with the appointment of a DPO, a data protection officer. This will be mandatory for controllers whose core and principal activities consist of processing operations that require systematic monitoring of data subjects on a large scale.

The internal records must include the following:

  • Name and contact details of the controller and, where applicable, the joint controller, the controller’s representative and the data protection officer
  • The purpose of the processing
  • Description of the categories of data subjects and the categories of personal data
  • The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations
  • Where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation
  • Time limits for erasure of the different categories of data
  • General description of the technical and organisational security measures
 
The DPO must be appointed on the basis of professional qualities, in particular expert knowledge of data protection law and practice, and must not carry out additional tasks that could jeopardize objectivity or result in a conflict of interest. The controller may instead wish to appoint an external DPO. This is similar to accounting services, where rather than appointing an internal executive you may choose to use a service organisation for the upkeep of accounting records. The job of the DPO is to monitor the processing of data and report directly to management on improvements, regulatory requirements and data storage, while informing the authorities immediately in the case of a security breach or loss of data.

But how would your organization know whether it should appoint a DPO or not? The flowchart below will guide you as to whether or not it is required to do so.

[Figure: GDPR DPO Flowchart, Appointment of a Data Protection Officer]

The regulation may look like a monstrous problem stampeding through businesses that will result in a loss of time and money. However, if professional expertise is sought during the implementation process, even just for consultation, the effect of the transitional period will be minimal. In the end, both controllers and customers are set to benefit from the GDPR.

The above summary is intended for the sole purpose of understanding, and reliance on it is at the user's discretion. Reference should always be made to the actual legislation.
Author

BGMT is a multi-disciplinary firm offering accounting, taxation and advisory services to multi-tier businesses operating in various industries.