The General Data Protection Regulation (“GDPR”), which will apply from 25 May 2018, replaces the existing legal regime under the 1995 Data Protection Directive 95/46/EC. It directly affects each of the existing 28 member states (including the UK) and therefore standardises and enhances the data protection framework across the EU.
The GDPR is the most radical reform of Data Protection rules in over 20 years and organisations have just over 12 months to implement new policies and procedures in preparation for the incoming changes.
Although the key principles of data protection remain the same, protections for data subjects have been increased given the growing trend in cybercrime and data protection threats.
Companies preparing for the GDPR should be particularly aware of the following key changes:
Increased Territorial Scope
Companies should be aware that the GDPR imposes obligations on data processors and controllers based outside the EU who provide goods and services to, or monitor, EU residents. Companies should ensure that their policies are updated to reflect the new territorial provisions, particularly those based outside the EU or with non-EU subsidiaries that control or process data belonging to subjects within the EU.
Increased obligations on Data Processors
The GDPR imposes statutory obligations directly on data processors for the first time. This means that they can be directly targeted and face sanctions for data breaches.
Companies and organisations should review and amend all data processing contracts in line with these changes prior to May 2018.
Increased Accountability Measures
The GDPR imposes an increased obligation on data controllers to be able to demonstrate how they comply with data protection principles. This requirement includes keeping records of all data processed by a processor so that it is open to examination by the supervisory authority. Companies will have to review their record retention policies now to ensure compliance by May 2018.
Data Protection Officers
The GDPR requires the designation of a ‘data protection officer’ for some organisations. Organisations requiring DPOs include public authorities and organisations that carry out large-scale monitoring of data subjects or that process what is currently known as ‘sensitive personal data’ (termed ‘special categories of personal data’ under the GDPR).
Consent
The conditions for consent have been strengthened. Companies must now request consent for the processing of personal data in an intelligible and easily accessible form, using clear and plain language and plainly stating the purpose of the data processing. It must be as easy to withdraw consent as it is to give it.
Breach Notification Obligations
Unlike the Directive, which was silent on the issue of data breach, the GDPR contains a definition of ‘personal data breach’ and notification requirements to both the regulator (the Data Protection Commissioner) and any affected data subjects with strict time limits.
Civil Liability and Damages
Data subjects can sue both controllers and processors for “full and effective compensation” for pecuniary or non-pecuniary damage suffered as a result of a personal data breach under the GDPR.
Increased Fines and Sanctions
The GDPR has increased fines for both data controllers and data processors who are prosecuted for data protection breaches. The GDPR introduces a two-tier structure for sanctions, with a potential for fines of up to €20,000,000 or 4% of the annual worldwide turnover of the non-compliant company, whichever is greater. The GDPR notes that national law should prescribe a system of “effective, proportionate and dissuasive” penalties, whether these be criminal or administrative. As a result, it is open to national legislators to introduce implementing legislation which will serve to broaden the scope of the sanctions regime in the GDPR.
Key Actions to prepare for GDPR
- Review all personal data held by your organisation.
- Ensure you are able to demonstrate compliance.
- Maintain detailed processing records.
- Review and update all data privacy notices.
- Review your internal policies and procedures:
  - New procedures will be required to deal with the GDPR’s new transparency and individuals’ rights provisions.
  - In a large business this could have significant budgetary, IT, personnel, governance and communications implications.
- Implement internal policies and measures which take into account Privacy by Design and by Default.
- Spread awareness of the GDPR in your organisation:
  - Companies should particularly use the next 12 months to raise awareness of the changes that are coming and invest in company-wide training.
  - Establishing data protection as a cultural feature of your organisation will be critical in ensuring compliance in the long term.
- Implement training and review checklists for data protection.
- Implement internal breach notification procedures and incident response plans.
- Allocate responsibility and budget for data protection compliance.
- Identify and train the Data Protection Officer.
It is clear that the GDPR leaves a great deal for companies to consider in advance of its implementation. The developments with ‘Brexit’ will need to be monitored in terms of what data protection rules will ultimately end up applying to companies with operations in the UK. Whilst there is business uncertainty as to whether there will be divergence in data protection standards post-Brexit between the UK and the rest of Europe, Ireland will retain the EU standards. These factors will need to be considered in terms of warehousing data and compliance between jurisdictions.