On 14 April 2016, the European Parliament adopted the General Data Protection Regulation (GDPR). This marks the final stage of the legislative process paving the way for the patchwork of national data protection laws, created by the Data Protection Directive passed in 1995, to be replaced with a uniform law across the EU. The GDPR will enter into force 20 days after its publication in the EU Official Journal and will be directly applicable in all member states two years after this date without the need for implementing national legislation.
The GDPR has been four years in negotiation between the European Commission, the Parliament and the Council. The new rules represent the biggest change to data protection in 20 years and aim to strengthen the rights individuals have over their data whilst also updating the rules for a digital age. In the UK the rules will replace the Data Protection Act 1998.
The GDPR contains 261-pages of rules which include a number of wide-ranging changes to EU data protection law, including:
- Tougher fines: Businesses will be subject to fines of up to €20 million or 4% of annual global turnover, whichever is higher, for infringements with some of the rules. These include infringements to basic principles for processing such as consent.
- 72-hour data breach notifications: A data controller must notify the relevant supervisory authority of a personal data security breach within 72 hours of becoming aware of the breach. They may also be required to inform the affected individuals where there is a high risk to their personal data.
- Accountability and privacy-by-design: Businesses will be required to demonstrate compliance with the rules and adopt a privacy-by-design approach. This includes carrying out a privacy impact assessment for high risk processing of data.
- Data Protection Officers: Businesses will be required to designate a Data Protection Officer to monitor compliance with the rules where (i) their core activities consist of processing data which requires regular and systematic monitoring of individuals on a large scale, or (ii) their core activities consist of processing on a large scale of special categories of data. This includes processing personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and data concerning health.
- Greater rights for individuals: Individuals will have enhanced rights, such as the right to be forgotten, and businesses should review their procedures to ensure they can comply with these rights.
- Consent of data subjects: A data controller must demonstrate that a data subject's consent to processing of their personal data is freely given, specific, informed and unambiguous.
Businesses have two years to prepare for the new rules and would be well advised to start now. A raft of new guidance will be issued by EU bodies and national authorities in the coming months which should assist with preparations.
An added complexity for businesses may be the implications of Brexit on the UK's implementation of the new rules. If the UK votes to leave the EU, there will be a two year negotiation period to determine the UK's onward relationship with the EU. The GDPR applies to any business that handle EU citizens' data, even if that business is not based in the EU. This means that whatever the outcome of the vote on 23 June 2016, UK businesses that have operations in the EU or trade with any EU member state should start preparing for the new rules.
In addition to the approval of the GDPR, the European Parliament also approved the Data Protection Directive for police and criminal justice authorities. This aims to ensure that the data of victims, witnesses, and crime suspects are duly protected in criminal investigations and law enforcement actions. It should also facilitate cross-border cooperation among authorities, enabling more effective criminal investigations.