Implications of GDPR for Public Administrations

News date: 24-04-2018

Data security

Next May 25th, the period of two years that the European Union provided to companies and Public Administrations to comply with the new General Data Protection Regulation (GDPR) ends. This Regulation affects any company or organization that manages personal data of EU citizens, regardless of its origin.

In a previous post, we already saw how GDPR influences the opening of personal data. Now is the time to focus on how GDPR affects those administrations and companies that capture and process personal data, whether they are going to publish data or not.

GDPR enhances citizens' rights, which increases responsibilities of the organizations, as we will see next.

Enhancement of citizens' rights

New rights are added to the traditional ones (access, rectification or cancellation). These new rights relate to new technologies and automated information processing. Some examples of these rights are:

  • Right to be forgotten. It can be defined as the right of cancellation applied to the internet: it grants the right to prevent the dissemination of personal data if those data do not comply with the adequacy requirements included in the Regulation.
  • Right to data portability. A citizen can request copies of their stored information, in a structured, automated and commonly used format, in order to use it for another purpose.

In addition, the age of consent for data processing is now 13 years old.

Increase of responsibilities of organizations

GDPR includes the concept of accountability, which establishes the obligation to adopt appropriate technical and organizational measures to ensure European citizens' rights. The Regulation is not very extensive in terms of process and technology requirements, but it does define a series of "principles" that companies must comply with. Some of these principles are listed below:

  • Need to obtain clear and distinguishable consent. This implies the obligation to explain future personal data use and processing in a simple and univocal way.
  • Carry out Privacy Impact Assessments before data processing in those cases where it “is likely to result in a high risk to the rights and freedoms of persons”.
  • Organizations with more than 250 employees, or where processing is not occasional, must keep records of data processing activities.
  • Guarantee data privacy by design and by default, which implies that public administrations and companies must review and design their processes taking security into account from the beginning and providing a high level of protection by default. In addition, they must ensure that the data collected are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Take into account the state of the art. In case of a security breach, the organization must justify why it did or did not implement certain technologies, based on a state of the art assessment in terms of context, cost and risk level.
  • Notify security breaches to the supervisory authorities no later than 72 hours after becoming aware of them.
  • The Data Protection Officer becomes a mandatory role for public organizations and for companies that engage in large-scale systematic monitoring or process sensitive data (such as ethnic origin, political opinions, religious beliefs or sexual orientation, among others). Their duties include monitoring, informing and advising, among others.
  • The fines for non-compliance reach up to 20 million euros, or 4% of the worldwide annual revenue of the prior financial year (it is not clear how fines will be applied to Public Administrations).

Although GDPR includes some additional requirements related to citizens' rights, as well as new figures and procedures, it should not be considered a revolution but an evolution of the current Data Protection Law, and this is the approach chosen by our country's authorities. The Government is working on a new Data Protection Organic Law that adapts the GDPR changes to Spanish legislation. Regardless of this situation, GDPR will be directly applicable on May 25th whether or not there is a new national law by then.

For the moment, to help Spanish organizations understand the changes, the Spanish Agency for Data Protection has published several guides and free tools, both for companies and for Public Administrations, which make the journey towards better and more efficient data governance easier. An example is the following infographic (the resources are in Spanish).