Some four years in the making, the General Data Protection Regulation (the Regulation) is now in an agreed form pending formal ratification by the EU.
In this article, we examine seven key areas of change which the Regulation will bring and consider what action your organisation should be taking now to ensure that it is ready when the legislation takes effect.
A changing landscape
Whilst implementation of the Regulation is still over two years away, the road to compliance is likely to be a long one for many organisations. The Regulation represents a significant strengthening of European data protection legislation, both in terms of obligations imposed on organisations and in terms of the rights granted to individuals. It will replace the Data Protection Act 1998 (the Act) in the UK, which has been in force for over 15 years.
The Regulation comes after a significant year in the data protection sphere. From dating sites to healthcare providers and telecommunications companies, the last 12 months have seen both the severity and the profile of data security breaches increase significantly. In addition, a ground-breaking decision in October 2015 rendered ineffective the Safe Harbor scheme, which many companies had previously relied upon for transfers of personal data to the US.
Seven key changes under the Regulation
The Regulation will have a significant impact on many areas of data protection compliance. By way of summary, here are the key changes to be aware of.
1. Fines of up to 20 million Euros or 4% of global turnover
The Regulation will introduce a significant increase in the sanctions available to regulators in the event of a breach. The level of fine available will depend on the nature of the breach, but with fines of up to 20 million Euros or 4% of global annual turnover (whichever is the higher) available, this change alone should be enough to encourage organisations to take stock of their current level of data protection compliance, as data protection compliance will soon become a key governance issue.
2. Mandatory notification of a breach within 72 hours
The Regulation will make it mandatory for organisations to notify the relevant data protection authority without undue delay and in any event within 72 hours of becoming aware of a personal data breach (unless the breach is unlikely to result in a risk to the rights and freedoms of individuals). Currently, organisations are not required to report a breach of the Act. Whilst there is a presumption that organisations should notify the ICO if the breach is sufficiently 'serious', this is not compulsory.
In addition, organisations will be required to notify data subjects affected by a breach 'without undue delay' where the breach is likely to result in a high risk to the rights and freedoms of individuals.
3. Rights of data subjects
The Regulation goes to great lengths to ensure that individuals are in control of the processing of their personal data. This is evidenced by the introduction of two rights: firstly, the new 'right to be forgotten / right to erasure' and secondly, the 'right to data portability'.
The first of these permits individuals to demand erasure of their personal data in certain circumstances (e.g. following withdrawal of consent to processing, where there is no other legal ground for the processing of that data). The second obliges organisations to ensure that any data supplied to an individual in response to a request is supplied in a structured, commonly used and machine-readable format which allows the data to be transferred to another organisation 'without hindrance'.
4. Stricter consent requirements
The Regulation still provides that consent to process personal data must be 'freely given, specific and informed'. However, there is now an additional requirement that consent is 'unambiguous' and involves a clear affirmative action signifying consent to the processing. Silence, inactivity or pre-ticked boxes are therefore not sufficient. In addition, the purposes for which personal data is processed must be specified, explicit and legitimate. This change of emphasis clearly demonstrates the move towards greater transparency.
5. Obligation to appoint a Data Protection Officer
Currently it is not compulsory for organisations to appoint a Data Protection Officer (DPO). However, under the new legislation the following types of organisations must do so:
- public authorities
- organisations whose 'core activities' consist of 'systematic monitoring' of data subjects on a large scale; and
- organisations whose core activities consist of processing 'special categories' of data on a large scale. The definition of 'special categories' is similar (although not identical) to the definition of 'sensitive personal data' under the Act, and includes personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health, sex life and/or sexual orientation.
The DPO will be responsible for monitoring the organisation's compliance with the Regulation (responsibility for compliance itself remains with the organisation) and will be the first point of contact in the event of an investigation by the Information Commissioner's Office ('ICO'). The appointed DPO must have sufficient expert knowledge of data protection law and practice.
6. Broader Scope
The Regulation broadens the scope of EU Data Protection legislation in two key ways.
Firstly, in addition to EU entities, the Regulation applies to organisations based outside the EU which offer goods or services to individuals in the EU or monitor their behaviour. This presents a potential compliance nightmare for many non-EU organisations. How this aspect of the Regulation will be enforced in practice remains to be seen.
Secondly, whereas the Act applies only to 'data controllers', some key aspects of the Regulation will also apply directly to 'data processors'. A data processor is an entity which processes personal data on behalf of a data controller, but does not determine the purposes and means of the processing. For example, if an organisation outsources services such as IT or payroll to a separate entity, that entity would be a data processor. Currently, all responsibility under the Act stays with the data controller even when personal data is transferred to a data processor. While this change may give some comfort to data controllers who outsource the processing of personal data, it will be of concern to many data processors.
7. A pro-active approach to privacy
The Regulation requires organisations to take a pro-active, as opposed to a reactive, approach to privacy. In particular, data protection 'by design and by default' will become the norm, as organisations will need to consider privacy implications at all stages of a project and must keep this under continual review. Organisations will also be required to complete 'Privacy Impact Assessments' (PIAs, termed 'data protection impact assessments' in the Regulation) if and when they engage in processing, or embark on projects, which are likely to result in a high risk to the rights and freedoms of individuals.
In addition, organisations with 250 or more employees will be required to maintain accurate records of their data processing activities. Smaller organisations are exempt only where their processing is occasional, is unlikely to result in a risk to individuals and does not involve special categories of data, so in practice many of them will need to keep records too.
So, what should you be doing to prepare for these changes?
Here are some suggestions of what you should be considering now to ensure that your organisation is ready when the Regulation comes into force:
- Do you have policies and procedures in place which would ensure that a breach could be quickly and readily identified, contained and remedied? Do these policies go far enough to enable you to notify the ICO within 72 hours of becoming aware of a breach? If not, these will need to be updated.
- Are your fair processing notices and privacy policies clear and comprehensive - do they allow for 'unambiguous' consent and make 'explicit' the purposes for which data is processed (as opposed to pre-ticked boxes or silence as a form of acceptance)? If not, these will need to be reviewed.
- Have you appointed a DPO who is appropriately trained and experienced in relation to data protection compliance? If not, who is the most appropriate person to take on this responsibility or will you need to recruit?
- If you currently process personal data on behalf of other organisations, are you comfortable that you will be able to comply with the requirements of the Regulation? Indeed, are you aware of what these requirements are? If not, do you need to seek advice in order to ensure that you are adequately informed of what these changes will mean for your organisation?
- Do you have systems in place which would facilitate the deletion of data on request and, where required, the provision of data in a readily accessible, structured, commonly used and machine-readable format? If not, you may need to engage with the IT team to find out what changes will need to be implemented to address this.
- Do you keep detailed records of how personal data is processed by the business? If not, who will be responsible for this and how will it be achieved in practice?
- Do you complete PIAs before embarking on a project which involves the processing of personal data and could impact on the privacy rights of individuals? If not, what processes need to be put in place to ensure that all such projects are brought to your attention in order to ensure that a PIA is conducted in every instance?
- Are group companies which are based outside the EU aware of their obligations under the Regulation if they offer goods or services to, or monitor, individuals in the EU? If not, it would be prudent to liaise with such group companies in order to ensure that they are not kept in the dark.
On a sobering note, with fines under the Regulation of up to a staggering 20 million Euros or 4% of global annual turnover (whichever is the higher) for a single breach, it is worth considering whether or not you are currently satisfied with your organisation's level of compliance. If not, urgent action is required if your organisation is to be ready for the much more demanding obligations which will be imposed under the Regulation.