The EU has adopted a new regulation, the General Data Protection Regulation (GDPR), which repeals Directive 95/46/EC and applies in all EU member states from May 2018. Every business that processes personal data should be familiar with the tightened rules on processing and on the responsibilities of the controller, and should adjust its business processes accordingly.
Because it is a regulation rather than a directive, it applies directly in every member state without the need for national implementing legislation. It imposes a number of new obligations and responsibilities on data controllers. A key new feature is a mechanism that requires controllers to build in appropriate protection of personal data already at the design stage of any new organizational or technical solution (data protection by design).
Where processing is likely to result in a high risk, the controller will be required to carry out a data protection impact assessment of the risks to the rights and freedoms of the data subjects affected by the business process in question. The assessment is the controller's responsibility and must be proportionate to the nature and scope of the personal data processed and to the scale, method and purpose of the processing.
Another obligation of the controller is to notify the supervisory authority of a personal data breach without undue delay (where feasible, within 72 hours of becoming aware of it). Where the breach is likely to result in a high risk to the data subjects, the controller must also inform the data subjects themselves.
Documentation obligations have been significantly reduced, although they do not disappear completely. New in this area is the obligation to maintain a record of the processing activities for which the controller is responsible.
Rights for the data subjects
Data subjects gain more rights they can exercise. In addition to the already known rights to information, to access their data and to object to processing, the general regulation introduces several rights that are novelties. For example:
The right to obtain a copy of the personal data being processed
"The right to be forgotten" (erasure)
The right to have personal data transferred to another controller (data portability)
The right not to be subject to decisions based solely on automated processing, including profiling
Naturally, every new right for data subjects is at the same time a new obligation for data controllers.
Significantly stricter penalties
To enforce the obligations laid down in the Regulation, the EU legislator has provided for administrative fines. Fines can be imposed on both controllers and processors. The authority competent to impose a fine for a violation of the Regulation is the national supervisory authority.
When determining the amount of a fine, the supervisory authority will take into account the nature, gravity and duration of the infringement and the conduct of the controller or processor. In assessing that conduct, it will consider both the measures in place before the infringement and the actions taken after the infringement was identified.
New certification bodies, accredited by the competent authority, will allow controllers and processors to obtain a certificate attesting to proper data protection and compliance with the Regulation. Certification is, however, voluntary.
The requirements for valid consent become more stringent: consent must be given by a clear affirmative action, which means that silence, pre-ticked boxes or inactivity cannot constitute valid consent. Furthermore, data subjects may withdraw their consent to processing at any time.
Are you interested in how the new rules on the protection of personal data will affect clinical trials?
Keep an eye on our news; we will cover this in an upcoming article.