The text of the EU General Data Protection Regulation (GDPR) was agreed on Tuesday night, marking the biggest overhaul on privacy laws in the EU since 1995. This reform has been a work in progress since 2012 and the EU Parliament and Council have finally reached an agreement.
While much of the devil will be in the detail, the following are some of the key points to note:
- Fines: organisations breaching the new rules could face penalties of up to 4% of global turnover or €20 million (whichever is higher).
- One-Stop-Shop: organisations with operations in more than one Member State will be regulated by the Data Protection Authority in the Member State where it has its “main establishment”, meaning that organisations will generally only have to deal with one single supervisory authority.
- Territorial Scope: organisations operating and processing personal data in the European Union market, regardless of whether the organisation is physically in the EU, will be subject to the GDPR. The same will apply to any data controllers or data processors established in the EU regardless of where the personal data they process is located.
- Data Protection Officer: it will be mandatory for organisations to have a data protection officer (DPO) in certain circumstances including where:
- processing is carried out by a public body; or
- core activities of the controller or processor involve regular monitoring of data subject on a large scale; or
- controller or processor handles a large scale of a special category of data and data relating to criminal convictions and offences.
SMEs are exempt from this obligation to appoint a DPO, unless data processing is core to their business.
- Consent: it will be mandatory for consent to be freely given, specific, informed and unambiguous. Silence, pre-ticked boxes or inactivity will not constitute consent. The validity of consent will expire once the purpose for which it was sought ceases.
- Age of Consent for Data Processing: the GDPR sets this age at 16, but Member States can lower this to 13.
- Extension of Liability: responsibility for privacy breaches extends to data processors so both the data controller and data processor will be jointly liable for any damages.
- Right to be Forgotten: individuals will have the right to request the deletion of data relating to them which is inaccurate, irrelevant or outdated.
While the text of the GDPR has been agreed, it still must be formally adopted by the European Parliament and Council. It is envisaged that this will take place at the beginning of 2016 and the GDPR will come into full effect two years later.
This regulation paves the way for greater data protection harmonisation throughout the EU, putting an end to the patchwork of data protection rules while significantly increasing the penalties for non-compliance. Organisations will have two years to get themselves up to speed on the requirements and obligations under the GDPR.