Business Obligations Under New Data Protection Act
A new data protection act has been introduced, imposing significant responsibilities on organizations to ensure the lawful and transparent processing of personal data. The act sets out a range of obligations aimed at safeguarding individual rights and freedoms.
Data Protection by Design and by Default
Organizations must incorporate data protection measures from the design phase to ensure that data protection principles are effectively implemented. This includes setting defaults to process only necessary personal data for each specific purpose.
Records of Processing Activities
Companies must maintain detailed written records of their processing activities, including information on:
- Data categories
- Recipients
- Transfers
- Security measures
These records must be made available to the supervisory authority upon request.
Security of Processing
A thorough risk assessment is essential, considering the state of the art, implementation costs, and the nature of processing. Organizations must select and implement appropriate security measures, such as:
- Pseudonymization
- Encryption
- System resilience
- Regular testing of security measures
Notification of Personal Data Breach
Organizations must notify the Data Protection Authority of a personal data breach within 72 hours of becoming aware of it. If notification is not feasible within this timeframe, reasons for the delay must be provided. Notifications must include detailed information about:
- The breach
- Measures taken
Data Protection Impact Assessment (DPIA)
DPIAs are required for processing likely to result in a high risk to individuals’ rights and freedoms. This includes:
- Systematic evaluations based on automated processing
- Large-scale processing of sensitive data
- Systematic monitoring on a large scale
Designation of Data Protection Officer (DPO)
The organization must appoint a DPO when:
- Processing is conducted by a public authority or body
- Core activities involve large-scale, regular, and systematic monitoring of individuals
- Core activities involve large-scale processing of sensitive data
International Data Transfer
The act sets rules for personal data transfers to third countries outside the EU/EEA, requiring safeguards. While transfers to EU/EEA countries are unrestricted, transfers to third countries require additional safeguards to ensure an adequate level of data protection.
Penalty for Violations
Organizations may face a fine or imprisonment for up to six months if they violate various provisions, including:
- Obligations of data organizations
- Fundamental principles of processing
- Rights of individuals
Individuals have the right to complain to the Authority concerning the processing of their data, and organizations are obligated to compensate for damages resulting from unlawful processing.
Compliance Tips
To ensure compliance with the new act, organizations should:
- Implement processes to ensure personal data is processed lawfully, fairly, and transparently
- Obtain clear, informed, specific, and unambiguous consent for processing personal data
- Maintain records demonstrating valid consent
- Inform individuals about their right to withdraw consent and facilitate easy withdrawal
- Establish processes for fulfilling data subject rights
- Implement Privacy by Design and by Default principles
- Maintain detailed records of processing activities and make them available for audit
- Implement security measures to protect personal data
- Notify the Data Protection Authority of personal data breaches within 72 hours
- Conduct DPIAs for high-risk processing activities
- Appoint a DPO if your organization meets the criteria outlined in the act
- Seek appropriate safeguards or derogations for transfers to third countries