Maria Micallef

Managing Partner, RSM Malta

Maria Micallef is managing partner at RSM Malta. She has extensive experience in servicing local and international companies in M&A, corporate finance, business planning and risk management. She is a visiting lecturer at the University of Malta and provides training courses on risk management and internal audit. Ms Micallef has a B.A. Hons Accountancy degree and is a Certified Public Accountant and a Certified Fraud Examiner. She is a fellow of the Malta Institute of Accountants, a member of the US Institute of Internal Auditors and a member of the Association of Certified Fraud Examiners. She is also a council member of the Malta Institute of Accountants and was its President from 2013 to 2015.

EU wide data protection law finalised

Friday 10th June 2016

Nowadays we are living in an information economy where interaction with individuals is assuming added importance. Technology is enabling organisations to become more relevant by taking a more customised and personal approach. With this digital transformation scenario as a backdrop, the European Union is strengthening data protection for individuals across the union by regulating data privacy through the General Data Protection Regulation (GDPR).

The GDPR took more than four years to develop, but as of April 2016 a final version is in place that is intended to tighten privacy protections for online users. This regulation will replace national data protection laws such as Malta's Data Protection Act (Cap 440) and its subsidiary legislation.
This is a very important piece of legislation that is intended to strengthen the rights that European citizens have to control their personal data. It will affect almost everyone – natural persons, associations, businesses and the public sector – so raising awareness of it should not go amiss.

The GDPR addresses all aspects of personal data, from private and professional to public life. Personal data covers anything from an individual’s name, photos, email addresses, bank information, social networking interactions and medical data to a computer’s IP address. The newly adopted Regulation is intended to provide a common set of established privacy standards that apply directly in every Member State, without the need for transposition into national legislation. A transitional period of two years is envisaged, after which the regulation will come into full force.

The Regulation takes a one-stop shop approach for organisations having multiple establishments and operating across a number of Member States. The location of the head office of any organisation determines which lead national authority will act as the single point of reference.

It is not the purpose of this blog to get all technical and go into detail about the provisions and rules contemplated in the Regulation. The purpose is to create awareness and elicit action to deal with this development.

The new obligations on matters such as data subject consent, data anonymisation, data breach notification and data portability, to name a few, require companies handling EU citizens’ data to undertake major operational changes. For example, the GDPR stipulates that, where technically feasible, organisations should facilitate the electronic transfer of personal data from one organisation to another if the individual requests this. The impact of data portability alone could indeed be large.

The new GDPR introduces the concept of ‘data by design’ intended to make data privacy requirements part of the design and development of business processes for products and services rendered. The rules also widen the territorial scope and stipulate that entities that are not physically located in the EU but sell goods and services to EU residents through the internet have to be compliant with EU rules on the privacy of the residents’ personal data.

The regulation establishes the data subject's right to be forgotten and the right to erasure of any submitted personal data. Even though in some specific cases the Data Controller may have a legitimate reason to retain the data, in most cases the data subject has every right to request removal of the data from systems, and the Data Controller must instruct any third parties with whom the data has been shared to do the same. The GDPR contemplates hefty fines of up to €20,000,000 or, in the case of an enterprise, up to four per cent of its annual global turnover for the preceding financial year, whichever is the higher.

As GDPR comes into force in the spring of 2018, organisations need to prepare themselves to ensure a stronger privacy-protection culture through awareness training whilst positioning the privacy function appropriately within the organisational set-up. Privacy rules will change and organisations that deal with information relating to individuals will need to adapt.

Let us not be caught unaware as the consequences of inaction may be unaffordable.