GDPR

The EU’s General Data Protection Regulation (‘GDPR’) has been in effect since the 25th of May, 2018. With its introduction, it replaced the old Data Protection Directive along with conflicting member state legislation.

GDPR is extensive and complex, affecting organisations that hold (control) and analyse or use (process) data of EU residents. Because of its wide scope, most businesses are impacted by its provisions.

Talk to our Lawyers

Fines

GDPR brings with it the possibility of hefty fines. These are divided into 2 categories. For smaller breaches, up to €10.000.000 or 2% of an organisation’s yearly revenue; double that amount for the more serious breaches. In both cases, whichever amount is higher will be chosen.

Increased reach

With the new regulation any organisation that processes the personal data of individuals in the EU is within the scope of the GDPR, no matter where this organisation is located. So even if the EU resident's personal data is processed outside the EU or by a non-EU company, the GDPR still applies.

Consent requirements

The GDPR has updated the requirements for consent. Under the GDPR, whenever consent is mentioned, it has to be freely given, the subject has to be informed on what specifically is being consented to, the consent request has to be unambiguous and clearly written , and the subject has to be able to withdraw his or her consent at any time.

The right to data access

Every subject/individual has the right to request access to his or her personal data. This includes information about what data the organisation possesses, whether the data is being processed and if so, for what purpose it is being processed and where this is done. Upon request, the subject will receive a free copy of his or her personal data.

The right to be forgotten

Another right the subject has through the GDPR is the right to request erasure of his or her personal data when the data has served its purpose or when consent has been withdrawn. The data subject is also entitled to object to the processing of this data.

The right data portability

Furthermore, the data subject has the right to receive his previously supplied personal data from the controller for transmission to another organisation/service provider.

Privacy by design

When implementing new processes and systems, the GDPR calls for the data protection requirements to be included in the design using appropriate techinical and organisational measures.

The data protection officers

Organisations whose main activities require frequent processing of personal data or who process special categories of especially sensitive personal data or data relating to criminal convictions or offences will have to appoint a data protection officer (DPO).

Risk notification

When personal data gets compromised in a way that ''results in a risk for the rights and freedoms of individuals'', this needs to be reported to the relevant supervisory authority within 72 hours.

What is the significance of the GDPR for companies?

Companies processing personal data now have several obligations which, prior to the coming into force of the GDPR, they did not have. These obligations include, amongst other things:

  • displaying certain information about the personal data they gather and/or store;
  • providing data subjects with specific information in relation to how their personal data is used and what rights they have in this regard;
  • appointing a Data Protection Officer (“DPO”), where the law states that this is required;
  • ensuring that the processing operations they carried out meet certain industry security standards.

It is crucial to note that European companies must implement these regulations regardless of whether their clients are locals or foreigners. Our data protection specialists will advise the company and its representatives of the measures which are needed to ensure that all processing operations are compliant with the GDPR and any other local legislation.

Talk to our Lawyers

Our Services

Our Data Protection specialists have been actively working in this field for several years and have gained invaluable practical knowledge of the ins and outs of this Regulation. We have advised and serviced several prominent organisations in a variety of sectors with regards to data protection and specifically, GDPR compliance. The services we offer include:

  • GDPR Self-Assessment Checklist
  • GDPR Compliance Gap Analysis & Assessments
  • GDPR Compliant Policy & Contract Drafting
  • Assisting in Data Protection Impact Assessments (DPIAs)
  • Outsourced Data Protection Officer (‘DPO’) Services
  • DPO Assistance and Support
  • GDPR Awareness Training
  • Urgent Personal Data Breach Assistance
  • Data Breach Notification Services
Talk to our Lawyers

Meet Our Team of Experts

Our team of experienced professionals is devoted to assisting our clients in succeeding. In a nutshell, clients are first made aware of all their GDPR compliance obligations. This is followed by the creation of a carefully designed plan of action intended to allow the client to, as far as this is possible, continue his regular operations while also fulfilling his Data Protection compliance obligations. We take into account that each client’s circumstances are different and at the same time do our utmost to minimise costs and disruption to the client’s business operations.

Talk to our Lawyers

10 steps that will help your company towards becoming GDPR compliant.

  • Organise your Data: Personal data is information that could be used to identify a person, like a name, surname, phone number, photos, IP address etc. It is very important that you know, what, where and when data is kept.
  • Make sure your Data is secure: Take the extra measures to protect your data, and make sure nobody could leak, hack or misplace that data. Review your risks of your data of getting lost or stolen or else you can use a GDPR software, to automate the operations side of keeping up with the regulations. Speak to us if you wish to know more about our GDPR Auto Software.
  • Do not keep unnecessary Data: Do not hold data that you no longer need.
  • Write a clear fair processing notice: Write a document to explain what data you are going to collect and how you are going to use it.
  • Have a process for providing the information you have on a person: This is also referred to SAR (Subject Access Request) people can ask what info you have on them and you have. provide them with all the information you have on them within 30 days and free of charge.
  • Have a process for deleting data: people can ask to delete all their personal data from all your systems, both physical and electronic. Make sure you have a process to implement these requests
  • Allow people to “positively opt-in” to you storing their data: Make sure you have their consent to use data for marketing purposes.
  • Try a layered opt-in form: This makes it easier for people to understand how you are going to be using their data.
  • Make it easy to opt-out: Make sure people can opt-out of getting emails, SMSes or calls, and you must make sure people do not get more emails, messages or calls once they opt-out.
  • Make sure your team is aware of the new GDPR regulations:  In some cases, you may be obliged to appoint a DPO (Data Protection Officer)
Talk to our Lawyers

Introducing the Ultimate DPO, GDPR Auto

The GDPR Auto software is the only software solution currently available which is capable of addressing all the requirements emanating from the GDPR, starting off from the initial GAP analysis to identify the current short comings, identifying and creating all required policy templates, minimising and cleansing of data, automation of requests for consent if and when required and the overall continuous administration of client requests as well as monitoring retention periods to ensure that no data is kept past its retention period.

Through the initial assessment carried out by the software itself, GDPR Auto will enable enterprises of all types and sizes to be able to carry out fully automated audits which in turn will identify the ideal policies required for the particular type and size of the business in question, which process can all be traced back through an audit trail.

GDRP Auto came about through the merging of talents of Aqubix a leading software house and Michael Kyprianou Malta which provided the legal knowledge and assistance in order to create the ideal GDPR tool. This synergy of talent and knowledge was put to work with the aim of creating a centralised and automated solution which allows entities to shift from manual efforts when it comes to the operation aspects of compliance from a technical perspective to an automated approach which is moulded and centered around the required legal knowledge and expertise needed to properly tackle the requirements of the GDPR in the most efficient and effective way.

This is what Dr. Adrian Mallia from Michael Kyprianou had to say

“Now that GDPR law is in force I meet a lot of companies that have not yet lifted a finger, others that are considering doing something and other that are at the forefront and implemented systems to make sure all their GDPR areas are covered. GDPR is here to Stay and Michael Kyprianou is placed very well in this area as we have a unique product that we can introduce to our customers and help them solve the GDPR challenge and save time and money. As everyone knows GDPR will be about keeping up with the requests and the extra load of working hours on the company. In some cased it will result into increase full time employees by 2 or 3 people just to keep abreast with GDPR.”

Talk to our Lawyers

GDPR Auto Features

  • Embedded Legal Audit / GAP Analysis
  • Data Maps
  • Individual Subjects / Centralised Personal Data Audit
  • Audited Re/Consent in bulk and single subject calls
  • Instant Servicing of SAR and Portability Requests
  • Instant Data Change and Termination Requests with 2FA
  • Central Dashboard and Notifications

In case you are interested, we can provide you with a short demo of the software so that you can understand the benefits of such software. Drop us an email on infomalta@kyprianou.com or give us a call on +356 2016 1010. We would be more than happy to set up a meeting.

Talk to our Lawyers

Subscribe to our newsletter and keep updated with Maltese Law!

Receive the latest from MK Malta and MK Services!