Europe’s data protection rules will undergo their biggest change in two decades when the new General Data Protection Regulation (“GDPR”) takes effect on May 25, 2018. The GDPR replaces the current Data Protection Directive and, because it is a regulation rather than a directive, applies directly and uniformly in every EU member state without national implementing legislation. While the GDPR is “an evolution, not a revolution” for data protection, there are several significant changes for which companies should be prepared.
Expansive Scope

One of the biggest changes is the GDPR’s expanded territorial scope. The new framework applies to companies that offer goods or services to individuals in the EU, or that monitor the behaviour of individuals in the EU (for example, through online tracking), even if the company has no office or other establishment in the EU. This is broader than the prior law, and many U.S. companies, especially technology companies, may find themselves subject to the new regime even without a business presence in the EU. The GDPR also expressly applies to data processors and imposes direct obligations on them, rather than leaving their duties entirely to contracts with the controller.
Detailed Definition of Personal Data

The GDPR broadens the definition of “personal data.” Location data and online identifiers, such as IP addresses and cookie identifiers, are expressly treated as personal data. Sensitive data, such as biometric and genetic data, is subject to a higher standard. The GDPR also introduces the concept of “pseudonymisation” (e.g., key-coding, where direct identifiers are replaced by a token and the mapping is held separately) and encourages it as a security and data-protection-by-design measure. Pseudonymised data is still personal data, however, as long as the additional information needed to re-identify the individual exists somewhere. Only data that can no longer be attributed to a particular individual by any means reasonably likely to be used, in other words truly anonymised data, falls outside the scope of the GDPR.
Increased Individual Rights

Under the GDPR, individuals will have greater control over their personal data. Individuals in the EU will have the right to obtain confirmation of whether an organization is processing their personal data, free access to that data and related information about the processing, and the right to have inaccurate data corrected. They will also have the right to restrict certain processing and to object to their personal data being processed for direct marketing purposes. Individuals will also have the right to have their personal data erased in certain situations.
Heightened Consent Burden

The GDPR requires businesses to obtain an individual’s consent to process his or her data in certain circumstances. Consent must be specific, informed, and unambiguous, and given by a clear affirmative action (silence, pre-ticked boxes, or inaction will not constitute consent). Consent must be as easy to withdraw as to give. For sensitive data, consent must be “explicit,” i.e., an express opt-in.
Breach Notification Obligation

The GDPR introduces a breach notification duty throughout the EU. A controller must notify its supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the controller must also notify the affected individuals without undue delay. A processor that discovers a breach must notify the controller without undue delay. Therefore, all companies subject to the GDPR need internal incident response procedures that can detect, assess, and escalate a breach quickly enough to meet the 72-hour deadline, and contracts with processors should require prompt notification up the chain.
Tougher Sanctions

The GDPR dramatically increases fines for noncompliance, which has concerned many companies around the world. For less serious offenses, organizations violating provisions of the new regulation may be fined up to €10 million (about $11.6 million) or 2% of the firm’s total worldwide annual turnover for the preceding financial year, whichever is greater. For more serious offenses, companies may be fined up to €20 million (about $23.2 million) or 4% of total worldwide annual turnover, whichever is greater.
Note that the UK government has so far confirmed that Brexit (the UK’s decision to leave the EU) will not affect the commencement of the GDPR in the UK.