Malta: Privacy and Data Protection-related Laws

GDPR stands for the General Data Protection Regulation. It comes into force on 25 May 2018 and will be directly applicable in all EU Member States.

Back in January of 2012, the European Commission laid out its plans for a full and comprehensive data protection reform that would be rolled out across the whole of the European Union with the aim of preparing for the digital age.

Nearly four years later, it is almost time for the laws to come into force, but there still appears to be a lot of confusion around what they entail.

‘Every aspect of our lives revolves around data and every kind of company from social media platforms, to banks, to that random furniture company that sends you a newsletter every 3 months, all store our personal information and the GDPR will apply to them.’

The GDPR will apply to every organisation that operates within the EU as well as any organisation that offers their goods or services to customers that are based within an EU member state.

In other words, every big business in the world that has any dealings with EU customers will have to be ready to comply with the GDPR or risk facing big fines.

The scope of the GDPR is huge and it would take a lot of time and space to go into every nuance of it, but in essence the GDPR imposes strict rules on how your data is collected, why it is collected, how you consented to its collection and how it is stored. It also gives you the right to request that your data be amended or removed without facing penalties such as disruption or refusal of service.

Cyber Security Framework

It is compulsory for the Issuer to have a Cyber Security Framework that complies with internationally recognised cyber security standards and is in line with the General Data Protection Regulation (GDPR).

It shall include as a minimum:

- Information and data security roles and responsibilities;
- Access management policy;
- Sensitive data management policy;
- Threats management policy;
- Business continuity plan;
- Response and recovery plan; and
- Security education and training.

Record Keeping Facilities

The Issuer has to retain documents for a minimum of 5 years, and they must be made available to the MFSA whenever required. It is important that storage is arranged in a manner that:

- allows the MFSA to access and reconstitute each key stage of the processing of each transaction;
- makes it possible for any documents, and any subsequent corrections or other amendments, to be easily ascertained; and
- makes it impossible for documents to be manipulated or altered.
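The three storage properties above (reconstituting each stage of a transaction, making corrections ascertainable, and preventing undetected alteration) are what an append-only, hash-chained record store delivers. The following is an added illustration written for this page; it is not code from the page, the MFSA or any Issuer. Amendments are stored as new entries that reference the entry they correct rather than overwriting it, and every entry commits to the hash of the previous one, so a later edit of any stored document breaks the chain. The transaction id, stage names and document contents are constructed sample data. The chain is only tamper-evident if its head hash is anchored outside the store (for example signed and escrowed on a schedule); that anchoring is assumed here and not implemented.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # chain anchor for the very first entry


def _digest(entry):
    # Canonical JSON of every field except the stored hash itself.
    body = {k: v for k, v in entry.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(payload).hexdigest()


class RecordLedger:
    """Append-only, hash-chained record store (illustrative, not a regulator's design)."""

    def __init__(self):
        self.entries = []

    def append(self, transaction_id, stage, document, amends=None):
        """Add one processing-stage record; 'amends' is the seq of the entry it corrects."""
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {
            "seq": len(self.entries),
            "transaction_id": transaction_id,
            "stage": stage,
            "document": document,
            "amends": amends,
            "prev_hash": prev_hash,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["seq"]

    def verify(self):
        """Walk the chain; return (True, None) or (False, seq of first bad entry)."""
        prev_hash = GENESIS_HASH
        for entry in self.entries:
            if entry["prev_hash"] != prev_hash or _digest(entry) != entry["hash"]:
                return False, entry["seq"]
            prev_hash = entry["hash"]
        return True, None

    def history(self, transaction_id):
        """Every stage record for a transaction, originals and amendments alike, in order."""
        return [e for e in self.entries if e["transaction_id"] == transaction_id]

    def current_view(self, transaction_id):
        """Latest document per stage, with amended entries superseded but still retained."""
        superseded = {e["amends"] for e in self.entries if e["amends"] is not None}
        view = {}
        for e in self.history(transaction_id):
            if e["seq"] not in superseded:
                view[e["stage"]] = e["document"]
        return view


def build_sample_ledger():
    # Constructed sample transaction: three stages, then a fee correction on the last one.
    ledger = RecordLedger()
    ledger.append("TX-0001", "order_received", {"amount": 100, "currency": "EUR"})
    ledger.append("TX-0001", "kyc_checked", {"result": "pass"})
    original = ledger.append("TX-0001", "settled", {"amount": 100, "fee": 2})
    ledger.append("TX-0001", "settled", {"amount": 100, "fee": 3}, amends=original)
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("chain intact:", ledger.verify())
    print("settled (current):", ledger.current_view("TX-0001")["settled"])
    # Simulate an in-place edit of a stored document and show the chain now fails.
    ledger.entries[1]["document"]["result"] = "fail"
    print("after edit:", ledger.verify())
```

The correction is visible in `history()` (both "settled" records remain, the second pointing at the first via `amends`), while `current_view()` gives the reconstituted state per stage. Any in-place change to an earlier document makes `verify()` report the first entry whose hash no longer matches.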

I.T. Infrastructure

The Issuer shall ascertain that its I.T. infrastructure ensures:

- the integrity and security of any data stored therein;
- the availability, traceability and accessibility of data; and
- privacy and confidentiality;

and that it is in line with the provisions of the GDPR. The I.T. infrastructure must be located in Malta, in an EEA member state, or in a jurisdiction approved by the MFSA. Where the I.T. infrastructure is not located in Malta or is located in a cloud environment, the Issuer shall ensure that data is replicated in real time by means of a live replication server located in Malta.

Blockchain Nature vs GDPR

In some respects the GDPR could be described as a Digital Declaration of Rights, and while its terms are comprehensive and far-reaching, they fail to take into account many of the principles of blockchain technology.
