What does this cover?
Following the final round of trilogue discussions, political agreement has been reached between the European Parliament and the European Council on the final text of the GDPR. Adoption of the final text can now take place in early 2016, conditional upon a vote by the European Parliament. It is expected that the GDPR will come into force in early 2018, allowing organisations to begin preparing for the implementation of the new rules with greater certainty.
As a Regulation, the GDPR will be directly applicable when it comes into force and will only require member states to introduce specific national legislation to address a limited number of aspects of the GDPR. The aim of the GDPR is to ensure, as far as possible, a more consistent implementation across member states than the previous Directives achieved.
The following list identifies some of the key changes that will be introduced by the GDPR:
- Definition of personal data expanded;
- Consent requirements clarified and high threshold maintained;
- Introduction of risk-based approach for certain aspects of GDPR;
- Regulation applies to both data controllers and data processors;
- Data Protection Impact Assessments to be undertaken where processing is deemed to be high risk for data subjects' rights and freedoms;
- One-stop-shop regime will identify a single supervisory authority for organisations to deal with;
- Introduction of fines up to the greater of 4% of annual turnover or €20,000,000;
- Notification requirements to be replaced by accountability measures;
- Organisations to integrate data protection mechanisms when planning and carrying out data processing activities (Privacy by Design);
- EU rules will apply to companies based outside Europe when offering services in the EU;
- Duty to notify Data Protection Authorities of data breaches;
- Organisations carrying out certain types of processing will have to appoint a data protection officer.
To view the European Commission press release, please click here.
To view the consolidated text, please click here.
What action could be taken to manage risks that may arise from this development?
Organisations should continue or promptly commence their GDPR implementation programmes. In particular they should review updates from the ICO which are aimed at helping businesses prepare for the changes.