The European Union (EU) has been at the forefront of regulatory developments in data privacy and protection for the past two decades. The EU has adopted new legislation that will expand the existing privacy rights of EU residents while imposing a broad range of additional compliance obligations on businesses operating both in and outside the EU. The new legislation known as the General Data Protection Regulation (GDPR) will become enforceable on May 25, 2018.
Although May 2018 may seem to be a generous transition period, the scale of the changes imposed by the GDPR means that all organizations caught by the new rules will need to take steps to move toward compliance without delay.
Implications of the GDPR
In comparison to the existing EU data protection rules, the GDPR places greater emphasis on the obligations of data controllers (that is, those who determine when, how and for what purpose personal data is to be processed). It also imposes a significant number of new requirements directly on data processors (that is, those who process data on behalf of data controllers), which currently are subject only to the contractual obligations imposed on them by data controllers.
A new accountability principle will apply that will require companies that process EU personal data to create and maintain records demonstrating their compliance with the relevant GDPR requirements. In some cases, significant business process and even business model change will be required to meet the new obligations imposed by the GDPR. National Data Protection Authorities will have audit and investigatory powers to ensure that the requisite procedures are being followed.
The GDPR will reinforce and expand the data privacy rights of individuals in a number of important ways. At the same time, it will subject data controllers and processors that fail to comply with the GDPR requirements to potentially severe fines. The maximum penalties will be the higher of €20 million or 4% of annual worldwide turnover. The GDPR also establishes a right to compensation for aggrieved individuals and will enable them to lodge complaints through an organization, association or a not-for-profit body active in the field of data protection, which may represent them and receive compensation on their behalf.
Does the GDPR Affect My Company?
The GDPR will affect every business and public body that processes the personal data of EU residents, including:
Every employer in the EU.
All businesses that offer goods or services to individuals in the EU or that monitor their behavior, including companies that have no presence in the EU (meaning that the GDPR will have extraterritorial effect).
All businesses that process the personal data of EU individuals on behalf of other businesses (processors).
What Are the Key New Requirements?
The GDPR introduces a more stringent and prescriptive European data protection regime that will apply (in principle at least) on a more harmonized basis across the whole of the EU. Key changes include:
Direct liability for data processors - For the first time, organizations that process personal data on behalf of other companies in the course of providing a service (such as cloud providers or website hosts) will have direct liability for breaches of the GDPR, including the risk of being fined. In addition, processor agreements will have to contain more extensive obligations than are compulsory at present, and indemnities and limitations of liability will most likely become subject to renegotiation.
Data breach reporting - It will be mandatory for data controllers to notify, within 72 hours where feasible, the relevant Data Protection Authority about data breaches that may result in a risk to the rights and freedoms of individuals whose data is compromised; individuals may also need to be notified without delay if there is a "high risk" to their rights and freedoms.
New and expanded individual rights - The GDPR gives individuals a new "right to be forgotten" (have their personal data removed), a new right of data portability (have their personal data copied and transmitted to another organization for further use, including competitors) and enhanced data subject access rights. Individuals will also have expanded rights to object to processing, including an absolute right to object to direct marketing, which might have significant implications for businesses that rely on data analytics.
Limitations on profiling - There will be new limitations on data profiling, including a requirement to obtain prior consent to profiling, strict notice obligations regarding profiling and a duty to honor individuals' right to object to profiling, as noted above.
Appointment of Data Protection Officers (DPOs) - It will be mandatory for organizations, data controllers and data processors alike, to appoint a DPO with expert knowledge in data protection, reporting directly to the highest management levels, if (a) the organization is a public body, or (b) its core business requires regular and systematic monitoring of individuals on a large scale, or consists of the large-scale processing of sensitive personal data or criminal records.
Mandatory "data mapping" and documentation requirements - Controllers and processors will have to prepare and maintain comprehensive records of their processing activities, including the purposes of processing, the categories of data subjects and personal data, the recipients of personal data, international transfers of data and data breach incidents. They will also need to develop and maintain privacy notices for each product line and store verifiable consents.
Consents - The GDPR sets out strict new requirements for obtaining valid and verifiable consents for the processing of personal data from data subjects, where consent is used as the basis for processing EU personal data.
Enhanced privacy notices - The GDPR sets out specific information to be included in privacy notices and requires individuals to be given clear information as to what is done with their data in an easily accessible form.
Data Protection Impact Assessments - These will be mandatory before undertaking "high risk" processing, including profiling or heavy use of sensitive personal data (such as health records). Further guidance will be provided by national regulators as to what constitutes "high risk" processing, but the scope is expected to be relatively broad.
Transfers outside the EU - Non-compliance with the prohibition against sending personal data to jurisdictions without adequate levels of data protection will attract very high fines. It is more important than ever for companies to confirm that their international transfers of employee and customer data are carried out pursuant to one of the methods approved by the European Commission (EU Standard Clauses, EU-U.S. Privacy Shield, Binding Corporate Rules, etc.).
What Will the Impact of Brexit Be?
The UK's formal withdrawal from the EU is unlikely to be completed before the GDPR becomes enforceable in May 2018. This means that UK businesses must prepare to comply with the GDPR as of that date. If the UK becomes a member of the EEA post-Brexit, the GDPR will still apply. Otherwise, the UK is likely to choose to continue to be subject to the GDPR, or to implement a mirror regime, in order to facilitate trade with the EU and many other parts of the world that value data privacy.