The General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union on May 4, 2016 and will be applicable in its entirety on May 25, 2018.

The regulation applies to the processing of personal data by a controller or a processor. Although the General Data Protection Regulation is the biggest shake-up in data protection to date, those familiar with data protection practices will find quite a few similarities to the regime under the Data Protection Directive.

The regulation will replace national data protection laws across European Member States, and any organisation established within the EU that is holding, storing or using personal data will be required to comply with the new rules. The regulation includes several significant new obligations. Under the regulation, the fact that an enterprise is compliant is not sufficient; in addition, it must be able to demonstrate that it is compliant.

The regulation seems to allow micro and small businesses (SMEs) some concessions by way of documentation and record keeping in relation to the information processed, where the controller or processor is an enterprise or organisation with fewer than 250 employees, unless the processing is likely to result in a risk to the rights and freedoms of the data subject, the processing is not occasional, or it includes special categories of data.

This provision still requires SMEs to consider the risks to data subjects in their business processing. This could be a game changer for SMEs' business practice, particularly in sectors engaged in economic activities involving the processing of personal data, such as insurance, tourism and health, and in other organisations providing services and/or products.

Public authorities have a legal obligation to appoint a Data Protection Officer (DPO). Initially, the GDPR text did include an exemption for SMEs based on the threshold as to whether a business processes personal data of more than 5,000 data subjects, but this brought a lot of criticism.

Ultimately, all thresholds based on numbers were removed during the Trilogue discussions, and so the GDPR has no SME exemption regarding DPOs. The proposal to include a high-risk qualification was also removed. It was finally decided that all businesses, including SMEs, will need a DPO where: the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.

SMEs that have been unaffected by data protection laws in the past will still need to ensure they comply with the new regulation. This requirement may be a burden for SMEs, but here too the regulation gives some leeway, in that SMEs may appoint an internal or external DPO. The role can be on a part-time basis, but the DPO must act in an independent manner and be empowered to report directly to the board without any interference. What is important is that the appointed person has expert knowledge of data protection laws and practices to ensure compliance with the regulation.

Micro and small businesses that are in the gaming, technological development and digital business industry have some challenges ahead. SMEs should assess their business processing and activities and determine whether they will be required to carry out a Privacy Impact Assessment (PIA).

Other business processes will also be affected by the regulation, especially those for marketing purposes and other online business transactions: the use of telephone, mobile apps, websites, e-mail or other electronic tools and applications to promote services or products. SMEs will still need to consider the organisational and technical measures in place, not just in relation to security risk assessments, but also the implementation of controls to ensure personal data is protected, including documented privacy impact assessments. These are now mandatory where new processing operations are likely to result in a high risk to the rights and freedoms of data subjects, and they must specify the measures required to reduce that risk (including, in some cases, the potential need to seek prior approval from a supervisory authority).

The regulation encourages data controllers and processors to take a risk-based approach. SMEs with fewer employees may be less complex and may pose a lower level of risk to the privacy of Maltese and EU citizens than a larger organisation with numerous processing activities and larger databases. But the regulation expects all controllers and processors to take a more proactive approach to data protection and privacy.

Over the next year, data controllers will need to review all business processing, including but not limited to their supplier contracts, to ensure they are compliant with the new regulation. Data processors will need to do the same, since, unlike under the Data Protection Directive 95/46/EC, they will for the first time have direct responsibilities under the GDPR.

It is important that any business that collects, processes or stores personal data is aware of the impact that the regulation will have, and that its business processing is compliant. Recital 132 of the GDPR (EU) 2016/679 specifically states: “Awareness-raising activities by supervisory authorities (IDPC) addressed to the public should include specific measures directed at controllers and processors, including micro, small and medium-sized enterprises, as well as natural persons in particular in the educational context.” Although recitals are not binding per se, it is expected that the supervisory authority will provide further clarity and guidance on the new regulation.
