The General Data Protection Regulation (GDPR) was finally approved by the EU Parliament on 14 April 2016. It will enter into force 20 days after its publication in the EU Official Journal and its provisions will be directly applicable in all member states two years after this date, likely to be some time in May 2018. The MEPs final approval of the GDPR is the culmination of four years’ work towards a complete overhaul of EU data protection laws.
According to the EU Parliament, the GDPR, which will replace the current 1995 Data Protection Directive, aims to give citizens control of their personal data and “create a high, uniform level of data protection across the EU fit for the digital era…”
Once in force, the GDPR will impose new and increased compliance, both on businesses located in the EU and a large number located outside the EU, backed-up by maximum fines of €20 million or 4% of a business’s total worldwide annual turnover, whichever is higher.
The approved data protection package also includes a new directive on data transfers for policing and judicial purposes which member states will have to transpose into national law within two years.
The GPDR includes provisions governing:
- Expanded Territorial Reach – The GDPR catches both data controllers and processors located outside the EU where they process personal data in relation to offering goods or services in the EU (even if they are free), or monitoring the behaviour of citizens in the EU.
- Data Breach Notification – Unless safeguards are in place, data breaches must be notified to the Supervisory Authority without undue delay and where feasible, no later than 72 hours. Data subjects must also be notified without undue delay unless security measures are in place that negate the high risk to individuals.
- Consent – Consent to data processing must be freely given, specific, informed and unambiguous, signifying agreement by a statement or clear affirmative action. The data subject must have had a genuine choice whether to provide consent and must be able to withdraw or refuse it without detriment.
- Accountability – Detailed records of personal data processed must to be kept by both data controllers and processors and may need to be produced to Supervisory Authorities. The obligations under the GDPR (such as data minimisation) must be integrated at the outset into operations and projects involving the processing of personal data, by design and default, and privacy impact assessments must be carried out for more high risk processing.
- Data Processors – For the first time, service providers and others who process personal data on behalf of other businesses will have direct data protection obligations, such as to implement data security measures, notify the controller without undue delay of data breaches and take adequate measures to protect personal data which is transferred outside the EEA.
- Significant Sanctions – The GDPR enables Supervisory Authorities to impose fines of up to €20 million or 4% of total annual worldwide turnover, whichever is the higher, for example, for a breach of the basic principles. Other infringements can result in a fine of up the higher of €10 million or 2% of total annual worldwide turnover.
Preparations to comply with the GDPR will be time-consuming, particularly for businesses that rely heavily on the use of personal customer data, many of which will be caught by EU data protection law for the first time.
A good starting point is to carry out a data audit, in order to begin to create clear records of the personal data processed by the business, what it is used for and where it is sent/stored etc. and in order to assess the nature and scope of the compliance that will be required, once the new law comes into force.