The European Commission plans to unify data protection within the European Union (EU) with a single law, the General Data Protection Regulation (GDPR). Currently, there is a directive (EU Data Protection Directive 95/46/EC) regulating the processing of personal data within the EU. The Data Protection Act 1998 is the UK implementation of this. The GDPR will supersede the Act, prompting fundamental changes to how organisations must process personal data.

For the regulation to be passed, the European Commission, European Parliament and European Council must jointly agree on the final text of the GDPR (each currently has its own preferred version). On 15th June 2015, the European Council approved its version of the GDPR, meaning a final version is to be agreed by the end of 2015.

What are the changes?

Whilst yet to be fully agreed, the key changes are likely to include:

  • Scope – The regulation applies to all organisations and people based in the EU and, unlike the existing directive, will also apply to organisations outside of the EU if they provide goods or services to, or process the personal data of, EU residents.
  • One Stop Shop – Currently, businesses operating across the EU can be forced to answer to data protection authorities in each EU country, leading to multiple investigations on the same issue and potentially different enforcement actions. The reform proposes that cases are handled by a single regulator based in the EU country where the business has its main establishment.
  • Privacy by Design and by Default – Data protection must be built into the design of business processes for products and services during development. By default, privacy settings for processes should be restricted.
  • Data Protection Officers (DPOs) – Independent DPOs may be required depending on the organisation or the magnitude of personal data processing. The criteria, and whether DPOs will be mandated by the GDPR at all, have yet to be agreed.
  • Consent – For data to be collected and processed, explicit consent must be obtained. The right to withdraw consent must also be communicated.
  • Data Breaches – Breaches to be reported to Supervisory Authorities and affected individuals without undue delay. There is no such obligation currently.
  • Sanctions – Potential sanctions for non-compliance will be significantly greater, including maximum fines of €1m or 2% of annual worldwide turnover, whichever is greater.
  • Right to Erasure / Right to be Forgotten – Data subjects to have the right to request the erasure of their personal data.
  • Data Portability – Data subjects could request personal data in a format that can be easily transmitted electronically to another processing system.

When are the changes expected?

With the European Council approving its version of the GDPR, all three parties (the European Commission and the European Parliament as well) have now approved their own versions. For the regulation to be passed there must be agreement on a single version.

A series of trilogue meetings will be held. Key points and key differences will be discussed and negotiated. In December 2015, subject to agreement between the three parties, it is envisaged that the GDPR will be published.

The GDPR will come into force two years after the publication date (December 2017), replacing the existing Data Protection Act 1998. As a regulation and not a directive, the GDPR will have immediate effect in all EU Member States after this two-year transition and does not require any legislation to be passed by member governments.

What does this mean for you?

The GDPR is likely to require a number of substantial changes to business processes and introduce the following challenges:

  • Increased governance requirements particularly regarding security arrangements
  • Changes to business culture, such as embedding a culture of 'privacy by design'
  • Increased costs to implement new processes, controls and potentially the cost of an independent DPO
  • Financial risks brought by potentially substantial fines for non-compliance

What does this mean for internal audit?

Internal audit will be vital in identifying the risk exposures introduced by the new legislation and providing assurance to Audit Committees that these exposures have been mitigated through adequately designed and effective controls.

With the regulation expected to be announced at the end of 2015, your organisation will need to begin planning and implementing the required changes as early as next year. Following implementation of these changes, internal audit should play a key role in ensuring that new processes are compliant with the new regulation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.