New Data Protection Regulation in the EU
Published on 20th Feb 2017
The long-awaited General Data Protection Regulation (GDPR) will come into effect on 25 May 2018.
The GDPR constitutes the biggest change to the data protection regime in the EU since the 1995 Data Protection Directive, and introduces fundamental changes, including:
- harmonisation and further development of data protection regimes across the EU;
- extension of the regime to apply to non-EU businesses that operate in the EU (in line with EU e-commerce and consumer laws); and
- potential for businesses to be fined EUR 20 million or up to 4% of their worldwide turnover for serious violations of the GDPR.
1 Shifting the Balance Towards Consumers: Strengthening of Rights and Controls
One of the themes running through the GDPR is the strengthening of consumer rights and controls over how their data is processed. For example:
- Access to data: under the GDPR, individuals will be entitled to more extensive information about the data being processed about them, including the legal basis of the processing, the period of data storage, information about access and other rights over the data (including the right to lodge a complaint with a supervisory authority), details of any transfers outside of Europe and safeguards applied to them, plus contact details of the data controller’s data protection officer.
- Data portability: the GDPR is intended to make it easier for individuals to have their data transferred between service providers.
- Right to be forgotten: the GDPR will extend the right to be forgotten so that, where certain conditions apply (for example the data is no longer necessary for the purpose for which it was collected), individuals will be able to demand that their data be permanently deleted.
- Consent by minors: the GDPR will require providers of „information society services“ (such as social media companies) to collect parental consent to process personal data of users below the age of 16. However, Member States may lower the age limit to 13 years.
Privacy campaigners have long and vocally fought for these rights, which they see as necessary protections in a world where vast amounts of personal data are collected from today’s connected consumers, and subjected to increasingly sophisticated data mining techniques. For businesses, however, this will impose significant additional burdens and costs.
2 Key Changes for Tech, Media and Comms
For businesses, particularly those whose businesses revolve around the use of big data, the data protection regime post-GDPR will be more challenging, present greater risks, and cast its net far wider, but will at least allow more certainty and consistency across pan-European operations.
Key changes for businesses include the following:
- Scope: the GDPR will extend the scope of potential liability under the data protection in several ways:
- the GDPR will apply to data controllers that are not located in the EU, where their activities relate to offering goods and services to EU nationals (whether those goods or services are free or not) or where they monitor the behaviour of individuals who are in the EU; and
- data controllers and data processors will be jointly liable for any damage caused by a breach of the GDPR (currently only data controllers will be liable). This will have a significant impact on many companies currently acting as data processors, such as cloud service providers.
- Harmonisation: as a directly enforceable Regulation, the GDPR does not depend on individual Member States to implement it by passing their own national laws (as Directives such as the Data Protection Directive 1995 and the new NIS Directive would require). This will avoid much of the difficulty faced by international businesses in having to understand and comply with the nuances of several different local regimes within the EU. However, there are some areas where Member States will still have discretion to apply additional requirements.
- Limited “forum shopping”: The GDPR considerably limits the ability of companies to avoid certain national jurisdictions; whilst the supervisory authority of the main establishment or of the single establishment of the data controller or data processor will act as “lead supervisory authority”, other national supervisory authorities may still follow up on complaints lodged by data subjects in their jurisdictions. If, afterwards, both authorities cannot agree on a decision in the respective subject matter, they must ask the European Data Protection Board to resolve the dispute.
- Risk-based approach: Data controllers will be expected to assess their processing activities and the risks to individuals resulting from those activities and then to implement appropriate measures to comply with the GDPR. This puts the onus (and compliance risk) on businesses to decide what measures they put in place, rather than being able to follow specific legal requirements. However, this approach is likely to be underpinned by further guidance that will need to be considered and produced by supervisory authorities before the GDPR comes into force.
- Data breach notification: Under the GDPR, personal data breaches must be notified to the relevant supervisory authority normally not later than 72 hours after the data controller becomes aware of the incident. This obligation has a rather broad scope because it is triggered as a result of any accidental or unlawful destruction, loss, alteration or an unauthorised disclosure of personal data, unless it is unlikely to pose a risk to the individual. Affected individuals will also have to be notified in certain circumstances.
- Appointment of data protection officers: The GDPR requires mandatory appointment of data protection officers, at least for public sector entities as well as for businesses whose core business is the processing of “big data” or sensitive data. Member States might extend this obligation so that it is likely that the even stricter rules in Germany will survive.
- Data protection by design: Another new concept being brought in by the GDPR is the requirement for products and services to be designed with data protection in mind from the outset. Broadly, businesses will need to ensure from the outset that the processing of personal data is limited to that required to achieve the purpose for which it is required, and that access to that data is limited to those who need it.
- Notification scrapped: Controllers will no longer have to notify their data processing activities to supervisory authorities. Instead there is a requirement to keep internal records of data processing.
3 What are the challenges of implementing GDPR compliance?
As things stand, there are a number of uncertainties around the potential impact of the GDPR on the current legal regimes of EU Member States. Knowing where to start can, therefore, seem overwhelming. Even once you have a plan in place, or have identified areas of weakness, knowing which areas to focus on and prioritise can be difficult. In practice, there is no one-size-fits-all GDPR project plan, and the amount of work required will vary depending on a number of factors, including:
- existing obligations set out in each relevant EU Member State’s local data protection laws;
- the extent to which you are compliant with the data protection laws currently in force and how sophisticated your business is with respect to data protection;
- how much personal data you process and for which purposes, and how much of that falls into special categories of personal data;
- whether you are a data processor or a data controller;
- what policies and procedures you already have in place and how you document your data processing practices; and
- how straightforward your data processing activities are (for example, do you involve data processors? Do you export personal data outside of the EU?).
4 What this means & what you need to do
The impact of the GDPR cannot be overstated. The global digital economy is underpinned by data and the GDPR means that compliance issues associated with the use of data will need to be central to all personal data-based business operations. In particular, the GDPR’s data handling requirements, and the penalties for getting it wrong, make it clear to businesses across the world that if they intend to use data relating to individuals in the European Union they must proactively address privacy issues from now on.
Our advice is to take stock first and then to take it step-by-step, biting off one manageable-sized chunk of the GDPR pie at a time, so that you are ready for compliance on (or before) 25 May 2018. For anyone that has not already started a GDPR compliance project, the message is: Don’t panic yet, but the sooner you can start, the better.
We have developed this short guide and the accompanying infographic to help you kick off your GDPR compliance project, and to show you how we can help (as much or as little as you like) along the way.
You can also find further information in our flyer: Are you ready for GDPR compliance? A guide to what you need to do and when.