LEGAL VIEWPOINT: General Data Protection Regulation (GDPR) by Dr AbdelGadir Warsama Ghalib, Legal Counsel, Bahrain

Dr AbdelGadir Warsama Ghalib, Legal Counsel

There is a lot of talk during past weeks about GDPR. What is GDPR, the General Data Protection Regulation? Why GDPR and how it affects you and your business? Who issued GDPR and why? Many other endless questions.

Asia 728x90

In brief, the General Data Protection Regulation (GDPR), is a new privacy regulation issued by the European Union (EU) to give individuals therein control over their data (personal data). Privacy is of paramount importance and is protected by valid Constitutions in addition to other laws. Others could trespass your privacy using electronic means, as the IT revolution covers each part of our dealings. Based on this, many are cautious about their privacy and data protection, since IT giants are compromising privacy domain and you can see the stigma associated to “Facebook” due to their breach of duty regarding privacy.

Under GDPR, organizations, entities and companies are required to respect data and ensure that personal data is gathered legally and under strict conditions. GDPR, is already in effect since 25 May 2018 and all concerned worldwide are in full compliance in applying the GDPR provisions as and whenever applicable.

GDPR addresses entities and companies handling personal data of individuals in EU regardless of the residence of the entity or company, so being in the Gulf or Asia or Rome or London is irrelevant and is not a defense for accountability.  As per the regulation, entities and companies must obtain the explicit consent of the consumer client to be able to process the data. The required consent must be “freely given, specific, informed, and unambiguous indication of the individual’s wishes….”.

To achieve this, there must be some form of clear affirmative direct action, in other words, instances of positive opt-in consent cannot be inferred from mere silence, pre-ticked boxes or inactivity. The consent from clients, must be separate from other terms and conditions, and always you need to provide simple ways for clients to withdraw their consent at any time. Public authorities and employers are required to take care to ensure that consent is freely given by the concerned. Moreover, the consent has to be verifiable, and individuals generally have more rights where you rely on a consent to process their data.

Entities and companies everywhere are in need to take immediate steps to comply with the EU new GDPR otherwise there is great risk of paying heavy fines. This sensitive issue must categorically be taken seriously by all concerned to streamline the process of maintaining the personal data of each client. GDPR creates some new individual rights and strengthens some of the rights currently existing. However, the EU new GDPR provides for many rights for individuals including, among other things, the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, rights in relation to automated decision making and profiling… All such rights are to be protected so as to maintain the privacy of the personal data. The GDPR includes provisions that promote accountability and governance. These complement the GDPR’s transparency requirements. While the principles of accountability and transparency have previously been implicit requirements of data protection law, the GDPR’s emphasis elevates their significance very clearly.

You are expected to put into place comprehensive but proportionate governance measures. Ultimately, these measures should minimize the risk of breaches and uphold the protection of personal data. Practically, this is likely to mean more policies and procedures for organizations, although many organizations already have good governance measures.

The new accountability principle in GDPR, requires all to demonstrate that they comply with the principles and to state explicitly that this is their responsibility. A question may arise, how can I demonstrate that I comply?  In this respect, you must, implement appropriate technical and organizational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal human resources policies, maintain relevant documentation on processing activities and where appropriate, to appoint a data protection officer for close regular follow-up.… to be continued.