On 14 April 2016, the EU Parliament approved the General Data Protection Regulation (GDPR). The GDPR will replace the Directive 95/46/EC, when it comes into force, which is likely to be summer 2018. The GDPR will not require local implementation. In the UK, it will automatically replace the current Data Protection Act 1998 which implements Directive 95/46/EC.
Whilst many of the core obligations in the Directive will remain, for example, it will remain necessary to process personal data fairly and lawfully, to impose controls on data processors, and to keep personal data secure, there will be several new additions to the data privacy architecture, including:
- Tightened rules around consent and transfers of personal data outside the European Economic Area.
- Express requirements on encryption and pseudonymisation (as part of data security).
- Mandatory security breach reporting to the supervisory authority (currently the ICO) within 72 hours of awareness.
- Obligations in respect of data protection impact assessments.
- Extra territoriality of application.
- Direct obligations on data processors.
- Enhanced rights for data subjects, including:
- A right in respect of transparency.
- A right to rectification of inaccurate personal data and the right to erasure (‘right to be forgotten’).
- A right to portability of personal data from one data controller to another.
- A right to object to the use of personal data for the purposes of certain types of 'profiling.'
The GDPR requires a risk-based approach to be taken whereby data controllers can implement measures according to the risk involved in their respective data processing operations: the higher the risk, the more rigorous the obligations. The GDPR also requires a designated data protection officer (DPO) to be appointed within certain companies and public authorities carrying out personal data processing with a certain level of risk.
The consequences of non-compliance are also heightened and there are certain GDPR risks which apply directly to data processors. Infringement of certain provisions will risk a maximum fine of up to €10 million or 2% of the total annual turnover in the preceding year (whichever is higher). Certain other infringements will risk up to €20 million or 4% of total worldwide annual turnover. Currently, the ICO can fine up to £500,000 (in addition, outside of the data privacy regime, the FCA’s own fines are relevant to financial institutions where personal data breaches compromise customer information). The risk of compensation claims from affected data subjects remains.
Following the European Parliament’s approval, the GDPR is expected to be translated and then published in the Official Journal (in approximately two to three months’ time). Twenty days from the date of publication, the GDPR will be formally adopted. There will then be a two year lead time before the GDPR comes into force.