The long-awaited EU General Data Protection Regulation (“GDPR”) entered into force on 24 May 2016 and, following a two year transition period, will apply from 25 May 2018. Described as the most ground-breaking piece of EU legislation in the digital era, the GDPR aims to make businesses more accountable for data privacy compliance and offers citizens extra rights and more control over their personal data. The new rules will have significant impacts for all organisations. Some key requirements include:
Territorial Scope: Any organisation, whether established in the EU or not, processing the personal data of data subjects located in the EU, and data controllers and processors established in the EU, will be subject to the GDPR. This will catch non-EU businesses with websites directed at the EU, such as online advertisers and e-commerce businesses.
Data Protection Impact Assessments (“DPIAs”): DPIAs will be mandatory in respect of any project where “high risk” data processing is envisaged, including profiling, large scale processing of special (sensitive) categories of personal data or large scale processing of public areas.
Elevated threshold for consent: In addition to the requirement for consent to be specific, informed and freely given, under the GDPR it must also be unambiguous requiring some form of statement or clear affirmative action to be obtained from the individual. This is likely to make it more difficult for consent to be relied on as a legal basis for data collection.
Security Breach Reporting: Breaches must be notified to the Supervisory Authority within 72 hours, unless the breach is unlikely to result in a risk to rights and freedoms of individuals. Where this risk is high, affected data subjects must also be notified without undue delay.
Data Processors & Vendor Management: The GDPR imposes increased obligations on processors and makes them liable for breaches when acting outside the instructions of controllers. More detailed contract terms and flow down terms for sub-processors are required.
Records of Processing Activities: Detailed records of processing activities must be kept by processors and controllers and must be made available for inspection by the Supervisory Authority. A limited exemption applies to SMEs that fulfil certain criteria.
Enhanced rights of the individual: Data subject rights have been supplemented to now include:
- a right to be forgotten (de-listed);
- a right to restriction of processing; and
- a right to data portability.
The practical implementation of the new rights (in particular, data portability) is likely to represent significant operational and technical challenges for organisations.
Privacy by Design: The theme of privacy by design permeates the GDPR, with the objective being for businesses to design products and services with the privacy rights of individuals at the forefront. Businesses will be required to implement privacy from the outset of any project impacting on personal information.
Mandatory Data Protection Officer (DPO): A DPO must be appointed by all public bodies and by businesses where core activities involve (i) regular and systematic monitoring of data subjects on a large scale; or (ii) the handling of a large scale of special categories of data. There is a limited exemption available for certain categories of SMEs.
Fines & Enforcement: The GDPR significantly increases the scope and nature of administrative fines for non-compliance, with the effect that failure to address data protection compliance obligations could prove very costly, in financial terms, for businesses. Organisations will be potentially subject to fines of up to:
- €10 million or 2% of total worldwide annual turnover (whichever is greater) for serious breaches; and
- €20 million or 4% of total worldwide annual turnover (whichever is greater) for very serious breaches.
In addition, and for the first time under Irish law, data subjects will have a right to sue for non-material damage in addition to material damage arising from data privacy breaches.
The GDPR will have a significant impact for all organisations doing business in Ireland and the EU. With the transition period now underway, it is vital for organisations and compliance officers to begin preparing for what will be the biggest change to data protection laws in over 20 years.