On 14 April 2016, the European Parliament adopted the long-awaited General Data Protection Regulation (GDPR). The Regulation will have a considerable impact on all organisations based in the European Union that process personal data, and also on organisations based outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU.
The GDPR is expected to be published in the Official Journal of the European Union by June, and 20 days after publication it will enter into force. From that moment onwards the clock starts running: organisations will have two years before the GDPR applies and compliance becomes enforceable.
The GDPR replaces the current European data protection regime consisting of the 1995 Data Protection Directive and 28 national data protection laws. The GDPR will be directly applicable in every EU Member State, without the necessity of national implementing laws.
The Regulation contains many key changes, such as:
- Harmonisation: There will be a single set of rules on data protection, directly applicable in all EU Member States, thereby mitigating the current fragmentation of national data protection laws.
- Stronger Enforcement: Non-compliance could lead to heavier sanctions. The revised enforcement regime gives regulators the power to levy administrative fines of up to 4% of the organisation's annual worldwide turnover or EUR 20 million, whichever is higher.
- Off Shore Processing: The GDPR applies to any organisation established in the EU, regardless of where the processing itself takes place. It also applies to companies established outside the EU where they offer goods or services to individuals in the EU (whether or not payment is required) or monitor the behaviour of individuals in the EU, for example by profiling them.
- Governance: Organisations will have increased responsibility and accountability on how they control and process personal data.
- Consent: The Regulation requires a more active consent-based model to support lawful processing of personal data. Wherever consent is relied on as the legal basis for processing, it must be freely given, specific, informed and unambiguous, and signalled by a clear affirmative action rather than implied from silence, inactivity or pre-ticked boxes; for special categories of data (such as health data), consent must be explicit.
- Transparency: Organisations will have increased transparency obligations; privacy notices will need to include much more detailed information.
- Data Breaches: Organisations will be required to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be notified.
- Data Portability: Organisations must ensure data subjects can easily transfer their data files from one service provider to another.
- Right To Be Forgotten: The GDPR codifies the "right to be forgotten" (formally, the right to erasure), allowing data subjects to require a controller to delete personal data relating to them where there are no legitimate grounds for retaining it.
- Data Processors: Organisations processing data on behalf of other companies will be required to comply with a number of specific data protection related obligations. They will be liable to sanctions if they fail to meet these criteria.
- Data Protection Officer: Organisations will have to appoint a Data Protection Officer when, for example, they are a public authority, their core activities involve regular and systematic monitoring of individuals on a large scale, or they process sensitive (special category) data on a large scale. The DPO will report directly to the highest management level.
- One-Stop-Shop: A single national data protection authority will act as the lead regulator for compliance issues in the EU, where the organisation has multiple points of presence across the EU.
- Privacy Impact Assessment: A PIA (termed a Data Protection Impact Assessment, or DPIA, in the Regulation) will become a mandatory prerequisite before starting processing operations that are likely to present a high risk to data subjects due to the nature, scope, context or purposes of the processing. Where the assessment shows that the risk remains high, the supervisory authority must be consulted before processing begins.
- Privacy By Design & Privacy By Default: Companies must take privacy risk into account throughout the process of designing a new product or service, and adopt mechanisms to ensure that, by default, minimal personal data is collected, used and retained. An approved certification mechanism can be used to demonstrate compliance with the applicable requirements.
It should be noted that the 2002 E-Privacy Directive, which regulates cookies and unsolicited electronic marketing (spam), remains in place and is currently under review. Organisations should continue to follow the national rules on cookies and spam that implement it.