Technological advancements over the past 25 years have not only transformed our lives but also resulted in significant changes in the manner organisations collect and process personal data. In response to such technological advancements, there was a need to revise existing rules in order to protect the personal data privacy of EU citizens.

In 2016, the EU adopted the General Data Protection Regulation (GDPR) which came into force on May 25, 2018, giving member states two years to fully implement the regulation. The GDPR replaces the EU Data Protection Directive 95/46/EC and is now recognised as law across the EU.

The GDPR defines the key principles that organisations must observe when processing personal data. Organisations are required to process personal data in a lawful, fair and transparent manner. Personal data must be collected by organisations only for a specific, explicit and legitimate purpose, and the personal data collected must be adequate and limited to what is necessary for that purpose.

Organisations must define retention periods and have an obligation to take all reasonable steps to ensure that personal data is kept accurate and up to date. Moreover, organisations also have an obligation to safeguard the integrity and confidentiality of personal data by implementing appropriate technical or organisational measures to protect the data from unauthorised access and unlawful processing, as well as from accidental loss, destruction or damage. The GDPR has also introduced the principle of accountability: organisations are responsible for compliance with the key principles of data processing and must be able to demonstrate it. Compliance with these principles is fundamental to good data protection practice, and failure to comply may expose organisations to reputational risk as well as substantial fines.

In addition to the key principles relating to the processing of personal data, the GDPR places numerous obligations on organisations, among them the need to implement privacy by design, maintain records of processing activities, carry out privacy impact assessments, report personal data breach incidents to the respective Supervisory Authority, and appoint a data protection officer where applicable. The GDPR also grants individuals, referred to in the regulation as data subjects, several rights.

Data subjects have the right to be informed of how organisations are processing their personal data and to request access to that data. Moreover, in certain circumstances and subject to the conditions laid out in the GDPR, data subjects may ask organisations to rectify, erase or restrict the processing of their personal data, or may object to that processing.

The GDPR has also introduced the right to data portability, whereby data subjects are entitled to ask organisations to transmit their personal data to another organisation of their choice. Organisations are required to act on data subject requests within one month of receipt. For this purpose, it is imperative that organisations have proper processes and mechanisms in place to evaluate, validate and act on such requests. Employees can aid or undermine an organisation's compliance with the GDPR, and knowledge is the first step to compliance. In any organisation, it is imperative that employees are mindful of their individual responsibilities and of the potential risks of non-compliance with the regulation. Providing all employees with training is key to enhancing awareness and facilitating the organisation's compliance with the regulation.

For a more detailed overview of organisations' obligations under the GDPR, please join us for a one-hour webinar on January 28 at 2.30pm. This webinar is targeted at employees who handle and process personal data.

The event will be CPE accredited by the MIA, and participation is at a fee of €40 (including VAT). More information is available online; to register for all sessions, contact events@mt.ey.com.

Jason Grech, EY Malta consulting senior manager
