EU agreement on data protection reform
Last night the biggest reform to data protection in the European Union for over two decades was finally agreed. The General Data Protection Regulation (“GDPR”) was first proposed by the then EU Justice Commissioner, Viviane Reding, in January 2012 and was put forward by the European Commission. However, it has taken almost four years for the negotiations between the Commission, Council and Parliament to come to a conclusion.
The GDPR was agreed alongside a new Data Protection Directive that will ensure that the data of victims, witnesses and suspects of crimes are duly protected in the context of a criminal investigation or law enforcement action.
This Directive will clearly have a significant impact on the criminal justice sector. However focus here will be on the GDPR and what impact it will have on businesses and individuals.
The Commission claims that the GDPR will enable people to better control their personal data whilst also creating more opportunities for businesses in the digital single market, by creating a system of modernised and unified rules that will cut red tape and reinforce consumer trust.
Impact on businesses
- Single set of rules which will make it simpler and cheaper for companies to do business in the EU;
- Obligation on businesses to appoint a Data Protection Officer independently to ensure compliance with the GDPR;
- One unified supervisory authority, known as the “one stop shop”;
- Companies based outside the EU will have to apply the same rules as EU companies when offering services within the EU;
- Data protection safeguards will have to be built into products from their earliest stage of development, thus bringing the rules into line with the “Privacy By Design” principle that personal data usage should be kept to an absolute minimum and not be used beyond its original purpose;
- Companies that fail to comply with their obligations under the GDPR can face fines of up to 4% of global sales, with data controllers and processors being jointly and severally liable for any breach.
Benefits for small and medium enterprises
- No more notifications to supervisory authorities are required. This currently costs business around £90 million a year in the EU;
- Where data requests are excessive, SMEs can charge a fee for handling the request;
- SMEs will be exempt from appointing a Data Protection Officer where data is not their core business activity;
- There will be no requirement on SMEs to have an impact assessment unless they are considered to be high risk.
Impact on individuals
- Easier access to their own data: individuals will have more information on how their data is processed and this information should be available in a clear and understandable way;
- Right to data portability: it will be easier to transfer personal data between service providers;
- A clarified “right to be forgotten”: when individuals no longer want their data to be processed, and provided that there are no legitimate grounds for retaining it, the data will be deleted. This will have an impact on businesses that store personal data, e.g. marketing companies;
- Right to know when your data has been hacked: companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures;
- Age of consent: the GDPR allows EU Member States to set the age of consent for data processing. The GDPR sets this at 16 but Member States can lower this to 13.
Broadly speaking the GDPR is a consumer victory. The heavy emphasis on enforcement sanctions, the relatively short time until application (the new rules will become applicable two years after the formal adoption at the beginning of 2016) and the added complications of how to be compliant in the world of cross-border data flows (https://www.macroberts.com/the-aftermath-of-the-safe-harbor-decision/) mean there is much to consider for businesses. Whilst there are a number of benefits to smaller businesses, all businesses will have to make changes to accommodate the new rules.
MacRoberts has expertise in and advises on a wide range of data protection law, particularly the obligations on organisations in relation to personal data and security measures. For more information, please contact Valerie Surgenor, David Flint or David Gourlay.