The European Parliament recently approved a data protection reform package after four years of negotiations. The General Data Protection Regulation (GDPR) will replace the Data Protection Directive (95/46/EC) and is expected to come into force in the summer of 2018. The GDPR contains measures to harmonise data protection procedures and bolster enforcement across the EU. Unlike the current scheme, which consists of a variety of national laws making the EU Data Protection Directive effective, the GDPR, as an EU regulation, will be directly applicable across the EU without the need for implementing legislation.

There are several critical differences between the GDPR and the EU Directive. Prime among them is an obligation—in most circumstances—for data controllers to notify the national protection authority of a data breach without undue delay and, where feasible, no later than 72 hours after having become aware of it. The GDPR will also enhance rights for individuals, including a “right to be forgotten” where individuals can ask for their personal data to be deleted without undue delay by the data controller in certain situations. The GDPR will also scrap the requirement for companies to register with a national data protection authority in favour of requiring businesses to maintain detailed documentation recording their processing activities.

The GDPR will enable national authorities to impose fines for some infringements of up to 4% of annual worldwide turnover and for other infringements of up to 2% of annual worldwide turnover.

TIP: In anticipation of the coming changes, companies would be well-served to review their privacy practices to ensure that they are prepared to meet the heightened requirements of the GDPR.