On 27 April 2016, the European Council and Parliament finally adopted a new data protection law: the General Data Protection Regulation (GDPR). The following is a summary of key issues and a checklist of initial tasks to help you prepare for the new regulation.
When Will the GDPR Take Effect?
It will apply directly in all EU Member States from 25 May 2018. It will repeal and replace Directive 95/46/EC and the Member State legislation that implemented it.
Expanded Territorial Scope
The GDPR rules (like the Directive) will apply to both controllers and processors established in the EU. The GDPR will also apply to controllers and processors outside the EU whose processing activities relate to:
- The offering of goods or services to individuals in the EU (whether or not payment is required)
- The monitoring of the behaviour of individuals in the EU, as far as that behaviour takes place in the EU
Consequence of Non-Compliance
The maximum fines for a violation of the GDPR are substantial. For the most serious infringements, regulators can impose fines of up to 4% of total worldwide annual turnover for the preceding financial year or €20,000,000, whichever is higher.
Key Changes Proposed by the EU GDPR
The GDPR is part of a more general European cybersecurity and digital market framework. It aims to harmonise the differing data protection laws in force across the EU. With its enhanced enforcement regimes and a greater emphasis on rights of individuals and accountability, the GDPR presents ambitious and comprehensive changes to data protection rules.
1. Expanded Scope
Territorial Scope, "Main Establishment", and the New Definition of Personal Data
The scope of the GDPR is expanded to include companies based outside the EU that process personal data about individuals who are in the EU. Where a controller or processor is not established in the EU but now falls within the scope of the GDPR, it must (subject to limited exceptions) designate in writing a representative in a Member State. Controllers and processors with establishments in more than one Member State must determine which of those establishments is the "main establishment." The new definition of personal data, which now expressly covers pseudonymised data and online identifiers (such as IP addresses and cookie IDs), may also bring into scope certain processors that did not previously need to comply with data protection rules.
2. Formalised Recordkeeping Requirements
Privacy Impact Assessments, Data Processing Register, Data Breach Register, and New Obligations for Processors
The concept of accountability is at the heart of the GDPR rules. Your organisation will need to demonstrate that it has analysed the GDPR requirements and implemented a data protection programme to achieve compliance. The requirement to conduct privacy impact assessments (termed data protection impact assessments in the GDPR) is now formalised, as is the requirement for controllers to maintain a formal, written record of processing activities (a data processing register) and a personal data breach register. Some of these obligations will require a review of, and changes to, existing agreements with processors. Processors now have direct obligations under the GDPR and can be liable to claims from data subjects, and compliance with the GDPR will require controllers to understand the data risks posed by their processors.
3. New Rights
The Right to Data Portability, the Right to Erasure, and the Right to Object
Individuals will have new rights not only to obtain a copy of their data from the data controller (the right of "access", which already exists under the Directive and is retained in the GDPR), but also to require the controller to have that data transmitted to another controller or erased. Complying with these new requirements will mean the organisation needs a policy for determining when certain data is no longer necessary to retain, how data subjects may withdraw their consent, and how to deal with requests from data subjects who object to the processing of their data. You will also want to pay attention to any new online or consumer-facing businesses, such as mobile apps or fintech initiatives where data is provided directly by the data subject, and formulate policies that identify how certain data can be stopped from being processed or transferred to a replacement provider upon request (especially when the recipient of the data could well be a competitor).
Take Action to Prepare
Organisations have a two-year window to conduct risk assessments and prepare for the GDPR. Our checklist outlines key initial tasks to begin assessing compliance gaps.
Personal Data | Identify where personal data is stored across the organisation
Third Party Management | Identify the third parties from whom personal data is collected or to whom personal data is transferred
Privacy Impact Assessments | Institute a systematic and formalised PIA process
Data Processing | Map and risk-rank the current data processing activities
Breach Notification | Design data breach response plans and notification procedures to meet the 72-hour deadline for notifying the supervisory authority
Data Subject Rights | Develop policies and procedures to respond to data subject requests
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.