New EU data protection rules
New data protection laws came into force across the EU on 25 May 2018. The General Data Protection Regulation harmonises and strengthens the rules on how businesses may use data about individuals, including customers and employees. The GDPR:
- requires businesses that process personal data on a large scale to appoint a data protection officer;
- requires businesses that suffer a serious data breach, eg from a hack, to promptly notify the regulator and, in serious cases, any individuals affected;
- introduces stricter rules on getting consent to use personal data, eg for direct marketing;
- regulates data analytics, with a particular focus on profiling and automated decision-making;
- regulates non-EU businesses that offer goods or services to EU residents or monitor their behaviour; and
- introduces big new fines for non-compliance (up to 4% of worldwide annual turnover for the most serious offences).
Although the GDPR broadly harmonises EU member states’ laws, there will still be fragmentation in some areas. For example:
- there will in theory be a ‘one-stop-shop’, allowing businesses to deal with one lead regulator across the EU, but businesses may in practice still need to interact with multiple national regulators; and
- tighter rules will apply to children’s personal data, but EU countries can define a ‘child’ as anywhere between 13 and 16 years old (the UK has designated 13 as the age at which children can consent to the use of their data).
Businesses have been gearing up for the GDPR coming into force, but, as our research shows, it can take years to implement a full data strategy. If you’re responsible for implementing GDPR compliance, here are ten important points to think about:
- the extent to which you may legally use personal data to develop new products and services – in particular, there are now stricter rules on getting consent to use data, and on automated profiling;
- how to incorporate privacy issues into your business processes – eg you might need to carry out ‘data protection impact assessments’;
- how you’ll meet the new obligations to quickly notify regulators and individuals if you suffer a data loss;
- whether to change your employment contracts or handbooks, and what data privacy training your staff need to deal with the new rules;
- how to anticipate and deal with requests from regulators for data about your employees, customers or others;
- whether to change your management and governance structure to deal with the new rules, including whether to appoint a data protection officer;
- how to manage international data flows, both within your group and to third parties;
- how to structure relationships with third parties, including data processors, to reallocate responsibilities and liability risks;
- if your business is outside the EU, whether you’re caught by the new rules (you can listen to our podcast on this); and
- how to structure M&A transactions involving data-rich targets – eg there are new rules on promptly giving notice to people if you buy their data from a third party.
The UK regulator, the Information Commissioner, has issued useful guidance for those handling GDPR compliance. We’re also seeing guidance from other national regulators and at EU level. We’ve created a questionnaire that businesses can use to assess their GDPR compliance: if you’d like a copy, please contact us.