After 4 years of negotiation, today the European Parliament adopted the General Data Protection Regulation (“GDPR”). In doing so, it signaled the end of the EU approval process and put businesses on alert that they now have two years to prepare for compliance.
The finalization of the GDPR has implications not only in the EU but globally. Businesses around the world that wish to operate in the EU, provide services and goods to residents in the EU, or monitor the behavior of residents in the EU, will need to comply with the new laws.
The GDPR builds on existing EU privacy laws but includes significant changes which increase the protections already afforded to personal data.
In summary, the key changes include:
- Enforcement: Severe breaches of EU data privacy law will be subject to potential fines of up to 4% of worldwide turnover. In addition, collective actions filed by, for example, consumer associations will be facilitated, which will significantly increase data privacy related litigation.
- Extraterritorial effect: Under the GDPR even companies outside the EU will be affected. Entities located outside the EU that offer goods or services to residents in the EU or that monitor EU residents’ behavior (as far as that behavior takes place within the EU) will be subject to the regulation.
- Increased requirements to notify and ability to object: Companies will have to inform data subjects (e.g. their customers, business partners or employees) more specifically about the type of data they collect and how it is used. Data subjects will generally have stronger rights to object to processing, which in turn will require reassessment of the validity of processing operations.
- Data breach notification: Companies will need to notify privacy regulators within 72 hours after becoming aware of a data breach. Data subjects will need to be notified without undue delay where the breach poses a high risk to their rights and freedoms.
- Profiling: Data subjects have strengthened rights in relation to profiling including the right not to be subject to automated profiling which produces legal effects concerning them or similarly significantly affects them.
- Privacy Impact Assessment: Where data processing operations may lead to particularly high risks to data subjects’ personal data, companies need to conduct a thorough data privacy impact assessment beforehand.
- Compliance Frameworks: Companies must introduce specific guidelines on how to comply with data privacy requirements and train their employees on such guidelines.
- Privacy by Design/Default: Companies must implement and design their IT systems so that they process personal data with regard to privacy rights and obligations under the GDPR.
- Data Portability: Following a request, service providers will need to provide their customers with the data they hold about them in an easily transferable format.
- Right to be forgotten: Personal data must be deleted following a data subject’s request once its retention can no longer be legally justified.
Which companies should act?
- Companies with establishments in the EU; this applies in particular to multinationals with establishments in the EU.
- Service providers that render services to entities in the EU, even if such service providers are not established in the EU.
- Companies that target EU residents, for example via online tracking, irrespective of whether such companies have their own establishment in the EU.
What companies should do right now:
The starting point for any company’s compliance with the GDPR is assessing the changes it will be required to make to its present approach to privacy. This should involve an initial high-level assessment of:
- whether and which of its operations are going to be subject to the GDPR;
- its level of compliance with existing EU privacy laws – these form the building blocks of the new GDPR and are still a good starting point for assessing compliance; and
- the new additional requirements under the GDPR – consider how these will impact the company’s business.
To undertake your initial assessment, you may want to form an internal working party. Individuals from legal, IT and compliance functions are usually good candidates to be involved. You should be looking for individuals who know your company, the data it collects and the IT systems it uses, and who will be comfortable with some legal discussion.
The GDPR may require significant changes to your IT systems and business processes. You will therefore need support and sponsorship from senior management. Consider who this will be and get them involved as early as possible.
Once you have undertaken your initial assessment of gaps with GDPR compliance, you should develop a project plan for compliance activities. This should prioritize compliance activities which will have a significant impact on your business or will take a significant time to implement.
Two years is not a long time, and given the changes companies will need to implement to be compliant with the GDPR, one can already be certain that many organizations will not be fully compliant when it comes into force. However, efforts made from now onwards will help organizations tackle key issues and make good progress.