After nearly five years of preparation and intense negotiations, the EU General Data Protection Regulation was formally adopted by the European Parliament on 14 April 2016. A new and final text of the regulation was published a week earlier. The regulation introduces new European data protection rules that apply directly in all EU member states. It strengthens existing obligations and modernises the current data protection framework. The regulation will also apply to organisations not established in the EU if they process personal data of data subjects in the EU in relation to offering goods or services to those subjects or monitoring their behaviour.
It is key for companies to immediately begin reviewing their operations that involve collecting and processing personal data, and to implement the new data protection requirements before the regulation becomes applicable in spring 2018. The new enforcement powers of national data protection authorities and the potentially high sanctions are some of the reasons for ensuring compliance with new data protection standards in the EU.
The new General Data Protection Regulation (GDPR) has passed the finish line. Following formal adoption by the Council of the European Union on 8 April 2016, the European Parliament finalised the legislative process on 14 April 2016 by voting in favour of adopting the GDPR in a plenary session. The new rules are expected to be directly applicable in each EU Member State as of spring 2018.
The GDPR’s aim is to update and modernise the existing data protection rules. The most important changes compared with the current EU Data Protection Directive include, amongst others:
- a risk-based approach to compliance with data protection obligations, with companies having to implement measures reflecting the risks involved in their data processing operations
- a “one-stop-shop” mechanism for companies and individuals in dealing with national data protection authorities, which means, for instance, that a company active in several member states will in principle only have to deal with a supervisory authority in the member state of its main establishment
- data protection obligations becoming applicable to both controllers and processors
- more control for individuals over their personal data, including a new right to data portability
- expanded requirements to notify individuals about data processing operations in an easily accessible and easily understood form, in clear and plain language
- introduction of data protection by design and by default
- new obligations to maintain a detailed record of processing activities and perform data protection impact assessments
- mandatory appointment of a data protection officer for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of personal data
- mandatory notification of personal data breaches to the supervisory authority, where feasible within 72 hours of becoming aware of the breach
- changes to international data transfer rules, including binding corporate rules
- fines in case of infringement of up to 20 million euro or 4% of annual global turnover, whichever is higher
- a greater role for codes of conduct, establishment of certification mechanisms and data protection seals and marks
On 6 April 2016, the Council released the new text of the GDPR. This updated version does not contain any substantial changes compared with the previously published texts.
We recommend that companies carefully study the final text of the GDPR and start reviewing their overall data protection compliance. It is important to complete the revision of internal processes, ranging from the collection of personal data to the retention and destruction of data, and to have solid policies and practices in place by spring 2018. These policies and practices should cover the assessment of risks related to data processing, data security and adequate response to data breaches, mechanisms for compliant data transfers to third parties (including transfers outside the EEA), compliant privacy policies and notices to individuals, technical measures for implementing data portability rights, and the handling of individuals’ complaints and data requests. Although the arrival of the new regulation has been expected for over four years, there is still a lot of work to do for most companies that have operations in or directed at Europe.