The General Data Protection Regulation 2016 (“GDPR”) will apply across the EU (including the UK) from 25 May 2018. The GDPR is a complete overhaul of EU data protection law and it not only applies to organisations located within the EU but it will also apply to organisations located outside of the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. It applies to all companies processing and holding the personal data of data subjects residing in the European Union, regardless of the company’s location. The GDPR will therefore have a significant impact on corporate trustee organisations notwithstanding the fact that they may not be based in the EU.
The changes brought about by the GDPR are extremely comprehensive; therefore in this article we have highlighted a few key points which you should be aware of:
- Notification – no requirement to notify authorities of data processing but a requirement to keep records of data processing activities (subject to limited exceptions for SMEs);
- One Stop Shop – organisations will be regulated by a single ‘lead’ regulator in the place of their main establishment. The main establishment will be the main administrative location in the EU unless the main decisions about data processing are taken in a different Member State in which case that will be the main establishment. Individuals will be able to make complaints in their Member State at which point that regulator will engage in a cooperation procedure which will be settled by the European Data Protection Board in the event of disagreement. Member State regulators will also be able to deal with any issues arising in their own jurisdictions subject to a cooperation procedure;
- Penalties – maximum penalties of 4% annual global turnover or up to 20m Euros (whichever is higher);
- DPOs – requirement to appoint a data protection officer (DPO) where an organisation’s core business involves processing personal data involving regular and systematic monitoring of data subjects or large amounts of sensitive personal data.
- Breach reporting – breaches must be reported to the relevant regulator without undue delay and, where feasible, within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Data subjects must be informed without undue delay where the breach is likely to result in a high risk to the data subject’s rights and freedoms unless the data has been rendered unintelligible to any third party (for example by encryption), the data controller has taken steps to ensure the high risk is unlikely to materialise or it would involve disproportionate effort to inform data subjects individually in which case a public announcement can be made. Data processors are required to inform data controllers of any breach without undue delay.
- Consent – organisations relying on consent to process personal data will need to show that the consent is freely given, specific and informed and is an “unambiguous indication” of a data subject’s wishes and expressed either by a statement or a clear affirmative action. Consent will be purpose limited i.e. related to explicitly specified purposes.
- PIAs – organisations will be required to carry out data protection impact assessments (PIAs) if their proposed activities are likely to result in a high risk for the rights and freedoms of individuals, in particular, through the use of new technologies and in cases of people profiling. If the PIA reveals a significant risk, the organisation must consult with their regulator before beginning the processing.
- Data subject rights – there are new rights around data portability, the right to be forgotten and to prevent profiling. There is a continuation of the right to object to processing, to rectification and erasure.
- Data export to third countries – there are similar restrictions on transfers of personal data outside the EU as under current law. Data can be transferred under a Commission adequacy decision (the GDPR contains details of how these should be reached); standard contractual clauses or BCRs for intra-group transfers. In addition, there are limited possibilities to transfer data with consent or where it is necessary for the performance of a contract.
We have a wealth of articles on our Global Data Hub which may assist you and your business in getting to grips with these changes.