14 Oct

Are you ready for the new European General Data Protection Regulation?
EU data protection law has come a long way over the last two decades. Regulation (EU) 2016/679 (the General Data Protection Regulation, or “GDPR”), which replaces Directive 95/46/EC (the “Directive”), was published on 4 May 2016 and marks the end of a four-year legislative process. It introduces a raft of sorely needed clarifications and updates, which will carry EU data protection law forward, well into the next decade. It also introduces major changes to the compliance burden borne by organisations. All in all, the GDPR represents a hugely significant step in the development of data protection as a concept and it is difficult to overstate its importance:
- Wide-ranging: The GDPR will impact almost every organisation that is based in the EU, as well as every organisation that does business in the EU, even if based abroad.
- Extremely serious: The GDPR dramatically increases the maximum penalties for non-compliance to the greater of €20 million, or four percent of worldwide turnover—numbers that are specifically designed to attract C-Suite attention.
- Significantly raises the bar for compliance: The GDPR requires greater openness and transparency; it imposes tighter limits on the use of personal data; and it gives individuals more powerful rights to enforce against organisations.
Enforcement of the GDPR starts on 25 May 2018 and all affected organisations need to be prepared for their compliance with its provisions.
The GDPR replaces the current European data protection regime consisting of the 1995 Data Protection Directive and 28 national data protection laws. The GDPR will be directly applicable in every EU member state, without the necessity of national implementing laws. The Regulation contains many key changes, such as:
- Harmonisation: There will be a single set of rules on data protection, directly applicable in all EU member states, thereby mitigating the current fragmentation of national data protection laws.
- Stronger enforcement: Non-compliance could lead to heavier sanctions. The revised enforcement regime is underpinned by powers for regulators to levy financial sanctions of up to 4 percent of the annual worldwide turnover of the organisation.
- Offshore processing: The GDPR will apply to companies established outside the EU that process data related to the activities of EU organisations. Non-EU companies will also be subject to the Regulation if they target EU residents by profiling, or proposing products or services.
- Governance: Organisations will have increased responsibility and accountability on how they control and process personal data.
- Consent: The Regulation requires a more active, consent-based model to support lawful processing of personal data; wherever consent is required for data to be processed, consent must be explicit, rather than implied.
- Transparency: Organisations will have increased transparency obligations; privacy notices will need to include much more detailed information.
- Data breaches: Organisations will be required to notify the local supervisory authority, and (in some cases) data subjects, of significant data breaches.
- Data portability: Organisations must ensure data subjects can easily transfer their data files from one service provider to another.
- Right to be forgotten: The GDPR enshrines the “right to be forgotten”, giving data subjects the right to require a controller to delete data files relating to them if there are no legitimate grounds for retaining them.
- Data processors: Organisations processing data on behalf of other companies will be required to comply with a number of specific data protection related obligations. They will be liable to sanctions if they fail to meet these criteria.
- Data Protection Officer: Companies will have to appoint a Data Protection Officer when they are, for example, processing sensitive data. The DPO will report to the highest management level.
- One-stop-shop: A single national data protection authority will act as the lead regulator for compliance issues in the EU, where the organisation has multiple points of presence across the EU.
- Privacy impact assessment: A PIA will become a mandatory prerequisite before processing personal data for operations that are likely to present higher privacy risks to data subjects due to the nature or scope of the processing operation.
- Privacy by design and privacy by default: Companies must take privacy risk into account throughout the process of designing a new product or service, and adopt mechanisms to ensure that, by default, minimal personal data is collected, used and retained. An approved certification mechanism can be used to demonstrate compliance with the applicable requirements.
Are you ready?
The implementation phase has started: you will have two years to ensure your data processing activities are in line with the soon-to-be-adopted rules. It makes sense to undertake a snapshot assessment of the impact of the Regulation on the business, so that steps can be taken to identify and implement any necessary changes. So, you need to act now!
The EIMF will soon be introducing a series of seminars covering several aspects of the new law. Feel free to contact us at 22274470 for further information.