Today the new EU data protection rules have been published in the Official Journal of the EU. The new rules take the form of a regulation that will be directly applicable across all 28 EU member states (General Data Protection Regulation or GDPR) and will modernise and unify data protection laws across the region. Following the one-stop-shop principle, businesses will only have to deal with one single supervisory authority.
Significantly, businesses that are found to be in breach of the GDPR may be liable to pay penalties of up to 4% of their total worldwide turnover, indicating that the EU intends data protection to become a board-level issue.
The GDPR will remove certain obligations that currently exist. For example, businesses will no longer be required to notify their data processing activities to the various national data protection authorities and this obligation will be replaced by a requirement to keep an inventory of data processing activities.
The GDPR will also introduce new data protection requirements. For example, businesses will be required to:
- implement strict technical and organisational security measures, including pseudonymisation and data encryption;
- notify data breaches to the relevant data protection authority or authorities within 72 hours; in certain circumstances the breach will also have to be notified to the affected data subjects;
- appoint a data protection officer in certain circumstances (e.g. for companies processing sensitive data on a large scale or for those that collect consumer information);
- conduct privacy impact assessments before carrying out high-risk data processing; and
- build in privacy by design when processing personal data.
Unlike the current EU data protection rules, many of the new rules will also apply to data processors (e.g. an external payroll services provider processing data for an employer).
Although the GDPR will enter into force in 20 days, the new rules will apply only from 25 May 2018. That leaves businesses with around 2 years to bring their processing activities in line with the new data protection rules. According to recital 134 to the GDPR, "processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force." We therefore recommend that businesses start preparing for the GDPR now.