GDPR and its implications
The EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) is set to take effect as from 25th May 2018, thereby replacing the Data Protection Directive 95/46/EC. The aim of this regulation is to strengthen data privacy and protect all EU citizens and residents from any data breaches that may occur. Concurrently, this will affect organisations processing data of EU citizens and residents, and non-compliance will result in heavy fines, amounting to $20 million or 4% of annual global turnover (whichever is higher). With data being considered the world's most valuable resource, and with the enormous volumes of data being processed and generated in the digital age, the challenges of protecting data privacy are as significant as the implications of the Regulation.
For Mauritius, the Data Protection Act (DPA) 2004 provides for the protection of personal data of individuals/data subjects with regard to the techniques used to capture, transmit, manipulate, handle, process, record or store data. In order to align with the GDPR and to fit the digital environment, the DPA 2004 was repealed and replaced by the Data Protection Act 2017 (the "Act"), with effect as from the 15th of January 2018.
Implications of GDPR on business:
- Increased Territorial Scope (extra-territorial applicability)
- Organisations processing personal data of EU citizens and residents will need to comply with the GDPR irrespective of their geographic location. In particular, it applies to data controllers and data processors, in the EU or worldwide, handling personal data of EU data subjects. Non-EU businesses, controllers and processors whose activities range from offering products or services to EU citizens and residents to monitoring their behaviour will need to nominate a representative in the EU.
- A maximum fine of $20 million or 4% of global turnover (whichever is higher) can be imposed on organisations for non-compliance. According to Article 28, a company can be fined 2% for non-conformance of records, for not notifying the supervising authority and the data subject about a breach, or for not conducting an impact assessment. The GDPR also extends to data hosted in the cloud.
- The terms for consent have been made simple, without legal and technical jargon. The request for consent needs to be given in an "intelligible and easily accessible form". The purpose of the data processing needs to be attached to the consent. Data subjects should be able to give and withdraw consent easily.
Data Subject Rights
- Breach Notification
- Any data breach needs to be reported/notified to the data subjects, data controllers and the supervising authority within 72 hours.
- Right to Access
- Data subjects have the right to request for a confirmation as to when and for which purpose their personal data are being processed. The data controller is required to provide a copy of the personal data held by them in an electronic format.
- Right to be Forgotten or Data Erasure
- Upon request, the data controller is obliged to erase all personal data of a data subject and cease further dissemination of the data. Furthermore, they need to stop third parties that have access to the same personal data from processing it.
- Data Portability
- Along with the right of access to their data, data subjects are also entitled to the right to transmit that data to another controller.
- Privacy by Design
- Article 23 stipulates that data controllers need to hold and process only data that is necessary and relevant to its purpose. It further "limits the access to personal data to those needing to act out the processing".
- Data Protection Officers
- The GDPR calls for internal record-keeping requirements. A Data Protection Officer will need to be appointed, based on his/her level of expertise in data protection laws and practices. He/she can be an in-house member of staff or an external service provider, and their contact details must be provided to the relevant Data Protection Authority. This applies to public authorities, to organisations carrying out large-scale systematic monitoring and to those processing large-scale sensitive personal data.
Its implications for Mauritius
- With extra-territorial applicability, Mauritius is bound by the GDPR, i.e., it applies to any data controller/processor processing personal data of EU citizens and residents.
- The GDPR works on both ends: it also applies to a data controller/processor based in an EU member state who processes data of a Mauritian citizen.
- The personal data of an EU citizen or resident will not be transferable to a country not abiding by a similar regulation.
The Data Protection Act 2017 aims at aligning with the GDPR and simultaneously fostering a business-friendly environment by attracting foreign direct investment. This regulatory framework will further strengthen the ties between Europe and Mauritius. The amendment of the principles will ensure transparency and reassure data subjects of the "good" purpose for which their data are used by controllers/processors.
Principles relating to processing of personal data
Every controller or processor shall ensure that personal data are:
- processed lawfully, fairly and in a transparent manner in relation to any data subject;
- collected for explicit, specified and legitimate purposes and not further processed in a manner incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date, with every reasonable step being taken to ensure that any inaccurate personal data are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
- processed in accordance with the rights of data subjects.
Data protection impact assessments
Every controller/processor must conduct a data protection impact assessment prior to any processing of sensitive data that is likely to involve high risks to the privacy of data subjects. The assessment consists of the measures in place to address the risks, along with the safeguards, security measures, infrastructure and mechanisms implemented for the protection of personal data.
A controller/processor needs to follow a set of instructions prior to the time of, and the adoption of the means for, processing data:
1. set up the proper technical and security measures for the prevention of unauthorised access to, the alteration of, the disclosure of, the accidental loss of, and the destruction of the data under his/her control
2. ensure that a proper security level is in place in the event of the circumstances described under 1.
In terms of security and organisational measures, the following are being implemented:
- the pseudonymisation and encryption of personal data
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
Sources and further reading:
- GDPR official website: www.eugdpr.org
- Mauritius Updates Its Data Protection Legislation To Be In Line With GDPR: http://www.mondaq.com/x/686402/data+protection/Mauritius+updates+its+Data+Protection+legislation
"pseudonymisation" means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information and the additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable individual
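As an added illustration of the definition above (example code, not part of the original article or of the Act): direct identifiers are replaced by a keyed-hash token, and the re-identifying "additional information" (the key and the reverse lookup) is returned as a separate object so it can be stored under its own technical and organisational measures. The records, field names and key are constructed sample values.

```python
import hmac
import hashlib
import secrets

# Constructed sample records (fictitious people, not real data).
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "country": "MU", "purchase": 120},
    {"name": "Bob Example", "email": "bob@example.com", "country": "FR", "purchase": 80},
    {"name": "Alice Example", "email": "alice@example.com", "country": "MU", "purchase": 45},
]
DIRECT_IDENTIFIERS = ("name", "email")


def make_pseudonym(key: bytes, subject_id: str) -> str:
    # Keyed hash (HMAC-SHA256): without the key the token can be neither
    # reversed nor recomputed from a guessed e-mail address.
    return hmac.new(key, subject_id.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return (pseudonymised records, additional information).

    The additional information is what the definition requires to be kept
    separately; the first element alone cannot be attributed to a person."""
    lookup = {}
    out = []
    for rec in records:
        pid = make_pseudonym(key, rec["email"])
        lookup[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        out.append({"subject": pid, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}})
    return out, {"key": key, "lookup": lookup}


def reidentify(pseudo_record, additional_info):
    # Only a party holding the separately stored information can do this.
    return additional_info["lookup"][pseudo_record["subject"]]


def contains_direct_identifier(pseudo_records) -> bool:
    # Check used before releasing the pseudonymised set to an analytics team.
    return any(k in rec for rec in pseudo_records for k in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # would live in a key store, not beside the data
    dataset, separate_info = pseudonymise(RECORDS, key)
    print(dataset)  # same subject -> same token, so analytics can still link records
    print(reidentify(dataset[0], separate_info))
```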