Data protection: What to expect?

On 25 May 2018, radical changes will be introduced regarding the protection of personal data for all European citizens. A new European Regulation that entered into force on 24 May 2016 – but which is applicable two years later – aims to protect the fundamental rights of European citizens in our increasingly digital world.  Until now, we thought that our private data was safe by using “pseudonymisation”. But with big data analysis and predictive algorithms, that is no longer true.

What’s at stake for businesses 

This reform involves extensive changes and complying with all of the new rules will present a challenge. The explicit consent of individuals must be obtained before their data can be used for a given purpose.  Data collection is only authorised to serve the “legitimate interests” of the organisation, in connection with its primary business activity. The right to rectify and delete data and to “be forgotten” must be integrated into data processing procedures, and customers must be informed if a data breach occurs. A Data Protection Officer has to be appointed who is responsible for ensuring that the documents that define how data is processed are compliant and that data protection laws are respected.
Finally, the concept of “privacy by design” has to be introduced. This means that data privacy protection must be directly integrated within the design of computer networks and systems for data processing and how they operate. The regulator (the National Commission for Data Protection, or CNPD in Luxembourg) will be given extensive powers and will be able to issue significant penalties to offenders.

This is an opportunity for economic players to show that they are trustworthy enough to keep their clients’ personal data safe and join the worldwide digital market amongst the United States and other major competitors.

What are the benefits for the public?  

The public will benefit from being better informed on how their personal data is being used and, above all, they will have full control through the following measures:

  • The right to “be forgotten”: Individuals can ask to have their personal data erased, as long as there is no legitimate reason for the information to be kept,
  • Explicit consent: The individuals concerned must give clear and explicit consent to the processing of their personal data,
  • Data portability: Personal data will be easier to transfer from one service provider to another,
  • The right to be informed in clear, plain language,
  • The right to be informed if there is a breach of data security,
  • Clear limits to the practice of profiling: Profiling – a technique used to analyse or predict the behaviour of an individual by processing their personal data – is generally only allowed with the person’s consent.
  • Extra protection for children: The new rules provide extra protection for children, who are less aware of the risks and consequences involved when they share their personal data.

These up-to-date, simplified regulations are an important step towards encouraging the development of the digital single market, ensuring that the European Union remains competitive and in a position to protect the rights and interests of European citizens and businesses.

For more information, visit www.cnpd.lu

Articles that might interest you