After four years of negotiation, the EU General Data Protection Regulation (GDPR) has finally been agreed. It was given final approval by the European Parliament this morning, Thursday 14 April 2016. The GDPR will replace existing EU and national data protection legislation. Companies have a two year transitionary period to comply with the GDPR, which come into force in Spring 2018.

The Law Enforcement Data Protection Directive (LEPD Directive), which allows for smoother exchange of information between Member States' police and judicial authorities, has also been approved. It is aimed at improving co-operation in the fight against terrorism and other serious crime across the EU.

Background

The GDPR will replace the current EU Data Protection Directive which has been in place since 1995. It will be directly applicable in all 28 Member States without the need for further national implementing legislation. The reform will be beneficial to multinational companies operating across the EU as it introduces a single, pan-European law for data protection, so that companies will deal with one law, not 28. Differences in the way that each Member State implemented the 1995 Directive have led to inconsistencies, legal uncertainty and costs for multinational companies. The GDPR will also strengthen citizens' fundamental rights in the digital age.

Key changes in the GDPR

  • Expanded territorial reach – The GDPR catches data controllers and processors outside the EU whose processing activities relate to the offering of goods or services to, or monitoring the behaviour of, EU data subjects.
  • Broader definition of personal data - The scope of the definition of 'personal data' is broadened to include online identifiers, location data, and IP addresses. In addition, the concept of 'sensitive personal data' has been broadened to include genetic and biometric data.
  • Tougher penalties – Companies will face fines of up to €20 million or 4% of global turnover for non-compliance, whichever is higher.
  • Data breach notification - Companies will be obliged to notify the competent supervisory authority within 72 hours after becoming aware of a data breach.
  • Direct obligations on data processors - Data processors will have direct obligations, including to notify the controller without undue delay of data breaches, and to obtain prior consent to sub-processing and data transfers outside the EEA.
  • One stop shop – Multi-national companies will be subject to enforcement action by one lead supervisory authority, located in the Member State where it has its main establishment, who will work together with concerned supervisory authorities.
  • Onerous accountability obligations – Data controllers will have to demonstrate compliance by maintaining certain documentation; conducting data protection impact assessments, and implementing data protection by design and by default.
  • Appointment of data protection officers - Certain organisations will be required to appoint a data protection officer.
  • Consent – The GDPR requires a data subject's consent to processing of their personal data to be freely given, specific, informed and unambiguous, shown either by a statement or a clear affirmative action which signifies agreement to the processing. Consent must be 'explicit' for sensitive data.
  • Right to data portability - The GDPR will enable individuals to more easily switch between services.

Further information

See our dedicated EU GDPR website

See the European Parliament's press release