To mark Data Protection Day, this is a briefing on the most significant development in data protection law in recent times: the agreement of the wording for the General Data Protection Regulation. When it comes into force (approximately two years from now) the GDPR will update and overhaul European data protection law. While many fundamental concepts and principles will remain broadly the same, the GDPR provides for important changes (summarised below) which will have significant impacts on how personal information is collected and used and on the scope of European data protection law. Any businesses or organisations that have not already considered the implications of the GDPR for their activities and plans would be well advised to start doing so now.
Scope - application outside the EU
The GDPR will apply to all data controllers and data processors within the EU and to data controllers and data processors based outside the EU that offer goods or services within the EU.
Lead supervisory authority
The “lead supervisory authority” of a data controller or data processor will be determined by where their main establishment in the EU is located. There will no longer be a “one-stop shop”, as was envisaged in earlier drafts of the GDPR. Instead, undertakings may be subject to the jurisdiction of more than one supervisory authority and the lead supervisory authority may often be required to consult with other supervisory authorities.
European Data Protection Board
The GDPR will create a new body, the European Data Protection Board (the “EDPB”). The EDPB will replace the Article 29 Working Party and will have more extensive responsibilities and powers, including the power to issue legally binding decisions to supervisory authorities.
Extended rights for individuals
The GDPR focuses on giving individuals more control over their personal data. In addition to existing rights, such as the rights of access and rectification, it provides for a new data portability right and more explicit conditions regarding profiling. The “right to be forgotten” will also be explicitly set out in the GDPR.
Data controllers will be obliged to implement data protection policies, to keep records of their processing and, subject to some exceptions, to designate a data protection officer to monitor compliance with the GDPR. Data protection impact assessments will be mandatory where there is a high risk to individuals and, in particular, where new technologies are being used for processing personal data.
Security breach notification obligations
A data controller will be obliged to inform the relevant supervisory authority of a personal data security breach as soon as possible and, “where feasible”, not later than 72 hours after becoming aware of the breach. The data controller might also be required to inform the affected data subjects where there is a high risk to the individuals’ rights.
Codes of conduct and certification
The GDPR envisages the adoption of codes of conduct and the development of methods of certification of compliance in order to assist with the proper application of the GDPR.
Failure to comply with the GDPR may give rise to liability to administrative fines of up to €20 million or 4% of total worldwide annual turnover of the relevant undertaking. Supervisory authorities must ensure that fines imposed are “effective, proportionate and dissuasive”.
Data controllers and data processors may be liable to individuals for damage caused by a breach of the GDPR. A single undertaking may be jointly liable for breaches by other entities involved in the relevant processing; however, a court will be entitled to apportion compensation by taking into account the culpability of the relevant data controller(s) and data processor(s).
The GDPR will introduce a new concept of pseudonymisation which involves the processing of personal data in such a way that it cannot be used to identify an individual without additional information. Pseudonymisation will be encouraged in the processing of data. Although pseudonymisation is not, of itself, a new concept, this will be the first time it has been enshrined expressly in data protection legislation applicable to Ireland.