The EU General Data Protection Regulation ("the GDPR"), which was approved on 14 April 2016, is the biggest change in EU data protection law for 20 years. It replaces Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which currently regulates the processing of personal data within the European Union. Unlike the directive it replaces, the GDPR applies directly throughout the EU, without any need for national legislation to implement it, although certain issues under the Regulation, such as the age of consent and the use of criminal records in employment, will still be determined at a national level.
The objective of the GDPR is to ensure that all organisations processing personal data are held accountable for safeguarding people's fundamental right to the protection of their personal data. The GDPR imposes a much more rigorous regulatory framework than has hitherto applied for the processing of personal data. Serious contraventions will be punishable by fines of up to EUR 20 million or 4% of total annual worldwide turnover, whichever is greater.
The main changes introduced by the GDPR include:
- An extended definition of "Personal Data" – The GDPR adopts a broader definition of personal data than the directive it replaces, bringing more types of data within the scope of the regulation, reflecting the increase in the use of the internet.
- Data Protection Officer (DPO) – The appointment of a DPO will be mandatory for organisations which process personal data on a large scale. The role of the DPO is to ensure compliance with the organisation's accountability program and the data protection impact assessment.
- Consent – The general rules for obtaining valid consent have changed. Obtaining consent to process personal data will be more difficult to prove and achieve. Also, a topic of huge debate relates to parental consent being required for children to receive information society services. The compromise (that Member States can lower the age from 16 to 13) may result in a lack of harmonisation.
- One-stop shop – The GDPR introduces the principle of a "one-stop shop". This means that data controllers will only have to deal with a single supervisory authority, the authority of the member state where the controller has its main establishment, instead of each of the other EU member states where the controller may also be established. This will reduce the administrative burden on data controllers and ensure regulatory consistency for internet service providers with offices in more than one EU member state.
- The right to be forgotten – Subject to certain specified conditions, data subjects will have the right to require data controllers to erase personal data concerning them without undue delay. A controller who has made the personal data public must also inform other controllers processing such personal data that they are to erase any links to, or copies or replications of, the data.
- Extension to businesses outside the EU – Non-EU entities which carry out business in the EU with EU data subjects' personal data must comply with the GDPR.
- Data protection by design – Data controllers must implement appropriate technical and organisational measures and procedures to ensure that processing safeguards the rights of the data subject by design.
- Data breach and consequences – In the event of a personal data breach, the controller must notify the data subject of the breach immediately, and the competent supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it must be accompanied by an explanation of the reasons for the delay.
- Introduction of new compliance measures – Mandatory data protection impact assessments have been introduced, which require processors to undertake a risk assessment before carrying out higher-risk data processing activities such as processing sensitive data or data relating to criminal convictions and offences, and systematic monitoring of publicly accessible areas.
The deadline for compliance is 25 May 2018 and, given the substantial penalties and risks associated with breach of the Regulation, companies and organisations should be taking early action to ensure that they meet its requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.