The General Data Protection Regulation (the GDPR) will come into effect on 25 May 2018, replacing the 1995 Data Protection Directive (1995 Directive). A flaw of the 1995 Directive was that it had to be implemented by national legislation in order to become law. This led to a patchwork of obligations that were not identical across the European Union and so caused a lack of harmonisation. As the GDPR will have direct effect, it will not require domestic legislation to be passed.
Will the GDPR apply to all businesses?
The GDPR will have extra-territorial effect: it will apply to all businesses that control or process personal data in connection with offering goods or services to, or monitoring the behaviour of, individuals in the European Union, whether those businesses are based in the European Union or elsewhere.
Key provisions of the GDPR
- A greater range of fines for non-compliance: for example, fines could be as high as 4% of a business’s total worldwide revenue for the preceding year or €20 million, whichever is the higher
- A risk-based approach to compliance, under which businesses bear responsibility for assessing the degree of risk that their processing activities pose to data subjects
- Tighter requirements for valid consent
- A requirement to appoint a data protection officer in certain circumstances
- An obligation to report data protection breaches to regulators within 72 hours of a breach and, in certain circumstances, to the data subjects without undue delay
- Rights for individuals to be forgotten and to data portability
- Joint liability for data controllers and data processors
- The ability for businesses that operate in a number of European countries to deal with a single data protection authority
- The concept of “privacy by design and by default”
Practical steps for businesses to take now
The GDPR is likely to require significant changes for many businesses in order to ensure that personal data is processed in compliance with it. As it will take time to implement new policies and procedures, companies should take the following steps:
- Review existing privacy programmes (or develop new ones) to ensure they comply with the GDPR
- Maintain records of all data processing activities
- Appoint a data protection officer to oversee the company’s privacy practices and ensure compliance with domestic and international data protection legislation
- Review (or develop) a data breach response plan which ensures timely notifications to regulators and consumers in the event of a breach
- Review (and possibly amend) contracts with third parties that process, control or maintain personal data to ensure proper safeguards and data breach reporting procedures
In addition, to ensure future compliance, businesses should adopt a “privacy by design and by default” approach when developing new products or services. This means that businesses should take data protection requirements into account from the inception of new technology rather than treating privacy as an afterthought.
Though the GDPR will not come into force until 2018, it is essential that organisations start reviewing their data processing procedures now in preparation for the GDPR.