The EU General Data Protection Regulation ("GDPR") is now in force, and the clock is officially ticking for businesses to bring their operations into line with its sweeping changes.
On 4 May 2016, after more than four years of drafts, discussions and negotiations, the GDPR was published in the Official Journal of the EU (see our previous alert). In line with the provisions of Article 99 of the GDPR, the GDPR came into force on 24 May 2016, with the start of enforcement against businesses now less than two years away.
Which businesses are affected?
The GDPR applies to all businesses (regardless of economic sector or business activity) that:
- are established in the EU, or otherwise subject to EU law; or
- are established outside the EU, but are either: (i) offering goods or services to EU residents; or (ii) monitoring the behaviour of EU residents.
This significant expansion in scope means that the GDPR will be binding upon many businesses that were not subject to the existing EU data protection regime.
What are the key changes for businesses?
The GDPR brings significant changes to EU data protection law, many of which greatly impact businesses. Examples of the key changes include:
- Significant new fines: The consequences of breaching the GDPR escalate dramatically. The GDPR sets the maximum fine for a single breach at the greater of €20 million or 4% of annual global turnover. These numbers are deliberately high, and are intended to attract board-level attention to data protection compliance matters.
- Consent: Consent becomes harder for businesses to obtain and to rely on. Notably, the GDPR states that consent is not valid where there is a 'clear imbalance' between the controller and data subject. Consent will always have to involve a 'clear affirmative action', which will typically mean opt-in consent, whereas, under the existing regime, opt-out consent is sometimes sufficient.
- Data breach reporting: The GDPR requires businesses to report data breaches to the relevant DPA within 72 hours of detection. For most organisations, radical changes to internal reporting structures will be needed in order to meet this deadline.
- Direct compliance requirements for data processors: In a marked departure from the existing law, the GDPR imposes direct legal compliance obligations on processors. Consequently, businesses that act as processors (e.g., outsourced service providers) may face enforcement action from EU Data Protection Authorities ("DPAs").
- Stronger rights for data subjects: Under the GDPR, some of the rights granted to data subjects are strengthened (e.g., the right to object to processing of personal data about them) and new rights are created (e.g., the right to data portability). These rights may limit the ability of businesses to lawfully process personal data, and as a result, may mean that businesses face additional compliance challenges.
- The 'one-stop-shop': Businesses established in multiple Member States may benefit from having a single 'lead DPA'. In most cases, such a business would only interact with its 'lead DPA' on data protection matters, and could avoid having to deal with multiple DPAs across the EU. This is a potentially significant improvement for businesses that currently face inconsistent enforcement positions from DPAs across the EU.
- Increased harmonisation: Under the GDPR, organisations face more consistent compliance requirements across the EU, so businesses will face a more consistent set of data protection laws from one EU Member State to the next. However, organisations should bear in mind that national variations will persist in some areas (e.g., national security, employment law and freedom of speech).
What should businesses do to prepare?
Entry into force of the GDPR is followed by an effective two-year grace period, meaning that enforcement will not begin until 25 May 2018. Existing national data protection laws will continue to apply until that date. However, businesses will need to use this two-year window wisely. It is important to allocate sufficient time and resources to ensure that compliance with the GDPR is achieved before the enforcement deadline. Now is the time for those businesses that have not done so already to start bringing their operations into line with its sweeping changes. France is already in the process of introducing legislation to implement fines consistent with those in the GDPR immediately, rather than waiting for the GDPR to become enforceable, and it is conceivable that other Member States may follow suit.
Audrey Oh, a Trainee Solicitor at White & Case, assisted in the development of this publication.