After years of discussions and negotiations, the new General Data Protection Regulation (GDPR) entered into force on 25 May 2016, and will be directly applicable in all EU Member States from 25 May 2018, following a two-year transition period. The GDPR will replace the current Data Protection Directive 95/46/EC (Directive), as implemented into UK law by the Data Protection Act 1998 (DPA).
Businesses should use 2017 as an opportunity to prepare themselves for the pending applicability of the GDPR.
1 Extra-Territorial Applicability
The territorial applicability of the Directive has been subject to a number of high profile court cases due to its ambiguity. The GDPR’s applicability, however, is very clear; it will apply to the processing of personal data by data controllers and data processors in the EU, regardless of whether the processing takes place in the EU or not. The GDPR will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to the offering of goods or services to EU citizens, or monitoring of behaviour that takes place in the EU.
2 Joint and Several Liability
Not only does the GDPR place direct obligations on processors, but processors may be jointly and severally liable with the relevant data controller for claims for compensation by data subjects. For controllers and processors, negotiating how liability will be apportioned between parties will therefore be extremely important.
3 Breach Notification
Under the GDPR, breach notification will become mandatory in all Member States where a data breach is likely to “result in a risk for the rights and freedoms of individuals”. This must be done within 72 hours of first having become aware of the breach. Data processors will also be required to notify the relevant data controller “without undue delay” after first becoming aware of a data breach.
4 Data Protection Officer (DPO)
A DPO appointment will be mandatory only for those controllers and processors whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale or of special categories of data or data relating to criminal convictions and offences.
5 Data Transfers
Whilst the fundamental principle regarding transfers of personal data outside of the EEA remains unchanged, the GDPR does provide for an increased number of safeguarding data transfer mechanisms, including approved codes of conduct and certifications, as well as a seemingly simplified procedure for Binding Corporate Rules which will be accepted in all Member States.
6 Notifications / Record Keeping
Notifications to local Data Protection Authorities (DPAs) of data processing activities will be abolished under the GDPR, but there will be internal record keeping requirements. Controllers and processors will be required to maintain a record of their data processing activities, which must be available upon request to the relevant DPA. This requirement will not, however, apply to SMEs with fewer than 250 employees, unless the processing they carry out is high risk or they process sensitive or criminal data.
7 Privacy By Design and Default
The GDPR recognises that privacy must be intertwined with the design and use of information systems, and cannot simply be enforced by prescriptive rules. Controllers will therefore need to take privacy and security into account at the very inception of a product or service, rather than as an afterthought.
8 Agreements With Data Processors
The GDPR streamlines the “mandatory clauses” required in an agreement between a controller and a processor, which will now be the same in all Member States. They are, however, much more extensive than what the majority of current local laws require.
9 The “one-stop-shop”
Different DPAs have different attitudes and priorities; under the Directive this can be a particular challenge for multinationals where processing operations span more than one Member State and it is necessary to consult with, notify, and be answerable to, multiple DPAs. Under the GDPR, where processing takes place in more than one Member State, the DPA of the controller’s or processor’s “main establishment” will act as the “lead supervisory authority” in relation to that processing.
10 Sanctions For Non-Compliance
Fines under the GDPR will be streamlined, with all Member States having the power to impose significant fines on non-compliant controllers and processors. The level of fines will be tiered:
- for breaches regarding general obligations, such as record keeping, data processor relationships, data protection impact assessments or DPOs, the relevant DPA may impose fines of up to the greater of EUR 10 million or 2% of the total worldwide annual turnover of the preceding financial year.
- for breaches regarding the fundamental data protection principles (including conditions for consent), data subjects’ rights and international data transfers, the relevant DPA may impose fines of up to the greater of EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year.