Martin Zahariev is a Trade Mark and Design Attorney at the Patent Office of the Republic of Bulgaria, as well as a European Trade Mark and Design Attorney. He specialises in intellectual property litigation, domain name disputes, privacy, and arbitration. Martin Zahariev holds a PhD in the professional field of "Public Communications and Information Sciences" from the University of Library Studies and Information Technologies (ULSIT), Sofia. His doctoral dissertation is entitled "Organisation and management of automated profiling in the context of personal data protection".
How do you consider GDPR will affect the use of personal data in organisations?
The general understanding recently emerging in society is that the new General Data Protection Regulation (GDPR in brief) in a revolutionary and inexplicable manner creates new or regulates anew existing personal data protection rules. I would like to denounce this misconception. For instance, Bulgaria has had its data protection legal framework since 2002, when the Personal Data Protection Act was adopted. And this reflection is valid for the rest of the Member States as well. The Bulgarian data protection legislation, which is currently in force, is in compliance with the legislative achievements of the European Union. Therefore, all organisations that observe the applicable personal data protection rules have a solid foundation to further develop and upgrade their processes in order to meet the new GDPR requirements.
Back to your question – First, GDPR will equalise the personal data protection regime in the EU. Currently 28 different national data protection regimes apply in the Union. Such fragmentation creates insecurity for all stakeholders – businesses, public bodies, citizens. We can all agree that nowadays the general way of processing data, including personal data, is by electronic means. Due to the capacities of the Internet and modern information and communication technologies, a large part of personal data processing is performed beyond national borders. As an example, take a group of companies with offices in Bulgaria, France and Germany – if data exchange within the group is required for the purpose of general operational management (e.g. exchange of staff data), the laws of 3 different jurisdictions shall be observed, which hinders business processes and creates other risks. Therefore, the first and most important benefit of GDPR is the positive impact it has on organisations due to the predictability of a single unified personal data protection regime.
Second, the new principle of “accountability” is of key importance to understanding GDPR. Organisations which process personal data shall be liable and should be able at any time to prove that they observe GDPR requirements. This implies that they should maintain records of all activities performed within the company which are related to personal data processing. This principle corresponds to the requirement for data processors (regardless of whether they are controllers or processors under the Regulation) to maintain written records of their processing activities. The underlying purpose of maintaining such records is to supersede the currently mandatory registration at the data protection authority (which, according to GDPR, creates administrative and financial burden while not always contributing to better personal data protection) by introducing effective procedures and mechanisms focused on processing operations which involve risks. GDPR excludes micro-, small and medium-sized enterprises from this obligation. With a view to the principle of accountability, however, it would be practical to keep records of the processing operations for the purposes of subsequent check-ups.
The envisaged changes in GDPR concern one of the basic grounds for personal data processing – consent. Consent shall be given by the data subject by a clear affirmative action indicating freely given, specific, informed and unambiguous agreement to the processing of personal data relating to the data subject. Mere silence, pre-ticked boxes or omissions should not constitute consent. If the data processing pursues more purposes, consent should be given for each of them. In case the data subject’s consent is to be given following a request addressed in electronic form, the request should be clear, concise, and not unnecessarily disruptive to the use of the service. The above new requirements will undisputedly affect businesses, and especially companies providing goods and services by electronic means.
What is actually new in GDPR?
The Regulation introduces some new, so far unknown obligations and participants – for instance, controllers’ obligation to notify the supervisory authorities, and in certain cases the data subjects, of every data security breach. This obligation will have a definite impact on business in the context of the already frequent cyberattacks, possibly entailing essential reputational consequences for companies. This emphasises the importance of introducing appropriate technical and organisational measures to guarantee the security of processed data. GDPR introduces the data protection officer – a data protection expert to advise companies on how the latter should effectively apply personal data protection rules. The data protection officer will also be the contact point for data subjects and supervisory authorities with the company. GDPR sets forth hypotheses where appointment of such a person will be mandatory – for example, for public bodies or organisations whose main activities include large-scale processing of special categories of data (data which entail greater risks to the data subjects’ rights, such as racial and ethnic origin, human genome, data pertaining to the health status, etc.) or large-scale surveillance of data subjects. GDPR regulates in more detail the rules and responsibilities of the so-called processors, which will have an effect on many services which, though we are hardly aware of it, require processors – “cloud services”, “colocation services”, etc.
The analysis of GDPR and its importance for organisations will not be complete without mentioning the new sanctions. Even in the currently applicable Personal Data Protection Act in Bulgaria the sanctions are not insignificant – up to BGN 100,000. In GDPR, however, the amounts skyrocket, with the maximum amount for particular categories of infringements being either EUR 20,000,000 or 4% of the total worldwide annual turnover of the company for the preceding financial year, whichever of the two amounts is higher. Though these amounts sound shocking, they actually have a positive impact by heightening the sensitivity with respect to personal data protection, and at the same time they show the significance attributed by the EU to the right to privacy and personal data protection, which could be regarded as a kind of reflection of it.
Which organisations will be critically affected by the implementation of GDPR?
In my opinion, the implementation of GDPR will be equally important for both private and public entities. In fact, in order to properly perform its activities, each business processes personal data of its employees, suppliers, and clients. Even where partnerships involve only legal entities, personal data are also processed, as what stands behind such legal entities are individuals – managers, shareholders, etc. So, GDPR rules shall be observed. Public entities will be seriously affected as well – let’s take, for instance, their obligation (with a few exceptions for courts) to appoint a data protection officer. At the same time, they will not be allowed to claim legitimate interest as a legal ground for processing data while performing.
Of course, the organisations which will be affected to a considerable extent are the ones processing sensitive data (for example, medical institutions), organisations having more than 250 employees, which should maintain records of processing activities, and organisations whose main activity is related to personal data processing.
It is important to mention that organisations established outside the EU may also be affected. GDPR explicitly envisages the applicability of its rules to controllers/processors established outside the EU where the processing activities are related to: 1) the offering of goods or services to data subjects in the Union, irrespective of whether connected to a payment, or 2) the monitoring of the behaviour of data subjects in so far as their behaviour takes place within the EU.
What actions should be taken to guarantee compliance with GDPR?
First of all, every organisation should answer three important questions – “What kind of data are they processing? Do they need to process such data? What are the legal grounds for processing such data?”. All this requires a detailed analysis and assessment of the processes within the organisation. Only afterwards can specific measures be planned, such as the creation or update of internal personal data protection policies, staff training, optimisation of processes, etc.
What are the new business models to be promoted by the new legal frameworks?
Information is perhaps the most powerful resource nowadays. Therefore, our society is defined as an information society. I would dare to paraphrase “Knowledge is power” into “Knowledge is money”. Data, including personal data, have a huge underlying power to make money – from social networks, which are maybe the best example of performing successful personal data marketing, through the various mobile applications we are using all the time, to intelligent robots, automobiles and cities using the computing power of artificial intelligence – all are expected to revolutionise our lifestyle. GDPR acknowledges the huge power of processing of personal data and states that such processing should be designed to serve mankind. In this regard, one of the GDPR purposes is to provide individuals with better control over their personal data. In this sense, the new legal framework will encourage organisations which process personal data transparently and in good faith, treating data subjects’ rights with due care. Models such as privacy by default and privacy by design will be promoted, as well as the use of instruments such as pseudonymisation and encryption.