Final form for data protection reform – it’s been a long time coming!
Four years (yes, four years!) after the overhaul of European data protection laws began, the new General Data Protection Regulation (GDPR) has been approved by the European Parliament on 14 April 2016, heralding the most significant reform of data protection laws in the EU in over 15 years, which will have a significant impact on businesses and individuals alike.
The new obligations are broadly more beneficial to consumers and there are significant changes for businesses to address under the GDPR. Organisations will have to revisit their (or adopt new) data protection policies and procedures to ensure they meet the requirements of the new legislation.
The GDPR provides a single set of rules that applies directly throughout the EU and introduces a "one-stop shop" mechanism under which an organisation carrying out cross-border processing deals principally with one lead supervisory authority, avoiding the complications cross-border organisations currently face in dealing with different national rules and regulators.
We recently outlined the impact of the GDPR for businesses and individuals. Some of the key changes the GDPR makes to the data protection landscape are as follows:
- Data Processors – under the GDPR both "data controllers" and "data processors" have direct responsibilities for data protection. This means that not only the organisations which decide how and why personal data is used (e.g. a business holding employees' personal data or a marketing database) will be responsible for meeting the requirements of the GDPR, but also those holding or using that data on the controller's behalf (e.g. the business' marketing agents or external IT provider).
- Consent – the GDPR adopts a new approach to obtaining consent from an individual to use their data. It restricts the circumstances in which consent can be relied upon and requires that consent be freely given, specific, informed and unambiguous, demonstrated by a clear affirmative action.
- Privacy by Design and Data Protection Impact Assessments – organisations are obliged, under the GDPR, to adopt an approach to dealing with data which builds privacy and data protection compliance in from the outset (data protection by design and by default) and must carry out a Data Protection Impact Assessment where processing is likely to result in a high risk to individuals.
- Data Breaches – the GDPR introduces mandatory notification obligations following a personal data breach: the supervisory authority must be notified without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and affected individuals must be told where the breach is likely to result in a high risk to them.
- Rights of Data Subjects – the rights of individuals in relation to their personal data have been enhanced under the GDPR (including a new right to erasure (the "right to be forgotten"), a right to data portability and rights in relation to automated decision-making and profiling). This affects the information which should be included in privacy policies and procedures and the way in which subject access requests from individuals should be handled.
- Appointment of Data Protection Officers – certain organisations will be required to appoint data protection officers to oversee compliance with data protection rules under the GDPR.
- Enforcement Action – the GDPR provides for much stronger enforcement action where there is a breach of the data protection rules, including fines of up to 4% of an organisation's total worldwide annual turnover or €20 million, whichever is higher.
- International Matters – the GDPR applies to the processing of personal data of individuals within the EU where goods or services are offered to them or their behaviour is monitored, and organisations processing that data are required to comply with the GDPR regardless of whether they are based outwith the EU. In the age of data sharing, personal data may be processed in a number of different jurisdictions, and the GDPR makes provision for identifying which data protection authority will act as lead supervisory authority for cross-border organisations.
Whilst the GDPR provides a two-year transitional period before it applies (it will apply from 25 May 2018, two years after it enters into force), organisations should start working towards meeting its requirements as soon as possible. In the coming weeks we will consider the implications of each of the key changes to the data protection rules, and the steps organisations should take to comply with the GDPR, in a series of briefing notes.
The ICO recently issued guidance on the steps organisations can take to prepare.
MacRoberts’ team of data protection specialists can provide expertise and advice to businesses wishing to adopt this proactive approach to compliance preparation.