Businesses (including many outside the EEA) now have less than nine months to prepare for the EU General Data Protection Regulation (GDPR), which overhauls a data protection regime dating from 1995.
The GDPR becomes effective across the European Economic Area (EEA), including in the UK, from 25 May 2018. It will also apply to a large number of businesses established outside of the EEA. With large potential fines (up to 4% of worldwide annual turnover or €20 million, whichever is higher), the risk of claims from individuals and reputational damage, businesses need to make the necessary changes to their business practices now in order to be prepared when the GDPR 'goes live' in May 2018.
Under the GDPR the obligations on data controllers will substantially increase and data processors will also have data protection obligations. For example, in accordance with a new focus on accountability, data controllers and processors will be required to keep records of their processing. Contracts with processors will need to be updated to include new mandatory provisions. Privacy notices will need to be updated. 'Consent' will be more difficult to obtain and may need to be refreshed. Principles of 'privacy by design' mean that organisations must look at their processing and assess whether it is really necessary. Under the new definition of personal data, online identifiers such as cookies and IP addresses can make an individual 'identifiable'. The definition of 'sensitive' personal data also contains new elements such as genetic data. We discuss below some of the key elements that require action now.
Application outside of the EEA
International businesses cannot afford to ignore the GDPR just because it originates in the EU. The GDPR applies to a non-EEA organisation if it has an establishment in the EEA, if it monitors the behaviour of individuals within the EEA (for example via cookies), or if it offers goods or services to individuals within the EEA. It also applies where EEA Member State law applies by virtue of public international law. Coupled with the fact that the GDPR also imposes obligations directly on processors, this EU Regulation significantly widens EU regulators' jurisdiction.
GDPR in the UK post Brexit?
The GDPR will be specifically incorporated into UK law by a new Data Protection Bill which is intended to go beyond the GDPR in setting "the gold standard on data protection". For example, the UK Bill will introduce criminal offences for intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, and for altering records with the intent to prevent disclosure following a subject access request. Although the GDPR is intended to be a 'one stop shop', all EEA Member States will have a data protection law to set out their enforcement mechanisms and to use their discretion on certain elements of the GDPR where this is permitted. Germany, for example, approved a new Data Protection Act in May 2017.
So what should you do?
We discuss below nine key issues to consider when preparing for the GDPR, and some immediate steps which businesses should take in order to deal with them. You can also find a brief overview of some of the main provisions of the GDPR in our client alert of April 2016.
1. Controller or processor – what are your obligations?
Whilst the definitions of data controllers and processors have not changed, processors will also be liable for some, but not all, elements of the GDPR and there are new mandatory data protection elements which must be included in contracts with processors.
Since the penalties for non-compliance will be much higher, now is a good time for businesses to take stock of their legal status and obligations, and to revisit their contracts with service providers. As is currently the case, under the GDPR it is data controllers who decide the purposes and means of processing (why and how data are processed), whereas data processors act only on the documented instructions of the controller. A business may act as a data controller in respect of some data sets and as a data processor in respect of others, and the same is true of its service providers.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.