The new European Union General Data Protection Regulation (GDPR) (Regulation 2016/679, Apr. 27, 2016), approved by the European Parliament and the Council of the European Union, will replace the Data Protection Directive (Directive 95/46/EC) effective May 25, 2018. The GDPR has been a long time coming (the European Commission introduced its sweeping proposed revision to the EU privacy and data protection regime on January 25, 2012), and introduces a host of new requirements for companies that use or process data in the EU, or simply use or process data about EU citizens anywhere in the world outside of the United States. The reforms will give European consumers new rights and control over their personal information, and impose new obligations on businesses to the extent that they collect personal information from EU citizens, regardless of where they reside, or individuals who reside in the EU, regardless of their nationality.
The new rules empower individuals by, among other things, (1) providing easier access to personal data and more information on how data is processed, (2) facilitating data portability, or transfers of personal data between service providers, (3) clarifying the fundamental "right to be forgotten" for individuals who no longer wish for their data to be processed, and (4) requiring expedited notifications to the national supervisory authority by companies that experience a data breach affecting personal data.
While some of the new measures will serve to make the system less cumbersome, the broad reach, new restrictions, expanded obligations and enhanced penalties imposed on businesses could more than offset these reductions. Given the magnitude of new requirements in the GDPR, it will be important for companies to begin the compliance process now. Most companies operate with multiple streams of data, such as HR data, consumer data, vendor/supplier data, and the like. The task of mapping these data flows, creating the relevant compliance structures and processes to cover the different categories of data, and appropriately documenting them will rapidly consume the two years before the GDPR becomes mandatory. A good starting point is for businesses to assess their current practices and identify gaps, and use that to map out a step by step compliance plan specific to their data collection practices that fully prepares them for the new GDPR world in 2018.
We provide below a summary of the key requirements in the GDPR and a compliance checklist for businesses. Please note that the summary and checklist are provided for informational purposes only, and do not constitute legal advice regarding specific facts or circumstances.