The wait is over. On 4 May 2016, the General Data Protection Regulation ("the Regulation") was published in the Official Journal of the European Union. Every organisation, both within and outside the European Union ("EU"), controlling and/or processing EU citizens’ personal data must ensure they comply with the provisions of the Regulation by 25 May 2018.
Some of the headlines from the finalised wording are as follows:
- A personal data breach must be notified to the relevant supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the protection of a data subject’s personal data (Article 33).
- Where the personal data breach is likely to result in a “high risk” to the protection of a data subject’s personal data, the controller must notify the breach to the data subject without undue delay unless:
  - the data accessed is unintelligible to any person accessing it, e.g. it is encrypted; or
  - the data controller has taken subsequent measures which ensure the high risk to affected data subjects is unlikely to materialise; or
  - it would involve disproportionate effort, in which case a public communication or similar measure can be utilised (Article 34).
The ‘one stop shop’
- Where there is a personal data breach affecting data subjects from multiple Member States, the supervisory authorities of all Member States involved will conduct joint operations (Article 62). The supervisory authority in the Member State where the controller or processor’s main establishment is located will act as the lead supervisory authority (Article 56) and will liaise with the other supervisory authorities concerned to reach a consensus (Article 60).
- Data subjects who consider that their rights under the Regulation have been infringed will have the right to a judicial remedy before the courts of either (1) the Member State where the controller or processor has an establishment or (2) the Member State of their habitual residence (Article 79).
- Data subjects will be entitled to receive compensation for both material and non-material damage as a result of an infringement of the Regulation (Article 82).
Fines and penalties
- There is a tiered approach for infringements of the Regulation:
  - less serious infringements (as identified) are subject to fines of up to €10m, or in the case of an undertaking up to 2% of global turnover in the preceding financial year, whichever is higher;
  - more serious infringements (as identified) are subject to fines of up to €20m, or in the case of an undertaking up to 4% of global turnover in the preceding financial year, whichever is higher (Article 83).
International transfers of personal data
- Any transfer of personal data for processing outside of the EU can only take place if the provisions of the Regulation are complied with by any ‘outside’ controllers and processors (Article 44).
Global territorial reach
- The Regulation will apply to data controllers and processors outside of the EU processing EU citizens’ personal data and whose processing activities relate to the offering of goods or services or to the monitoring of data subjects’ behaviour (Article 27).
- A data controller must provide the data subject at the time personal data is obtained with information necessary to ensure fair and transparent processing (Article 13).
- Data processors must provide guarantees to data controllers that they will implement technical and organisational measures to meet the requirements of the Regulation and protect the rights of data subjects (Article 28).
Right to be forgotten
- Data subjects have the right to be forgotten in certain circumstances (Article 17).
Privacy by design
- Data controllers are required to implement appropriate measures to be able to demonstrate that processing is performed in accordance with the Regulation (Article 24).
- Data controllers must conduct a data protection impact assessment where data processing gives rise to a high risk to the rights and freedoms of a natural person (Article 35).
The Regulation will undoubtedly have far-reaching implications for any organisation controlling and/or processing ‘personal data’ belonging to EU citizens, regardless of where in the world the data processing activities are being undertaken. ‘Personal data’ is defined broadly as ‘any information relating to an identified or identifiable natural person’.
Organisations will need to assess their data processing regime in light of the Regulation to ensure they are compliant come 25 May 2018, particularly in light of the significant fines which have made it into the final wording. Encryption of personal data wherever possible should be a minimum requirement.
It is of interest that the final wording has settled on a risk-based approach to notification of a data breach. Only breaches likely to give rise to a risk to the protection of personal data belonging to a data subject require notification to the relevant supervisory body. The threshold for notification to data subjects directly is higher still, requiring a ‘high risk’ to the protection of personal data.
It is certain, however, that the Regulation will give rise to an increase in data breach notifications. It is well established that the notification process and regulatory investigations can be expensive for organisations. The scope for multi-Member State investigations suggests those costs will only become greater.
The forthcoming Brexit referendum means that, for the time being, from a UK perspective the impact of the Regulation is uncertain. UK organisations processing EU citizens’ personal data, however, will not escape the provisions of the Regulation altogether given its expanded territorial reach regardless of the outcome of the referendum.