The final draft of the new European General Data Protection Regulation (GDPR) was agreed on 15 December 2015 and, once it has been approved by the European Parliament in early 2016, is expected to take effect by early 2018. This reform aims to update data protection law to address the challenges of the digital age while simultaneously protecting the rights of individuals and enabling businesses to utilise personal data in a more consistent manner across the European Union. The GDPR will be directly applicable in the same form in all EU Member States with the intention of reducing the burden on international organisations that, up until now, have had to vary their compliance to satisfy the particular data protection requirements of each Member State.
The key points to take away from the GDPR are as follows:
- International application of the GDPR
European data protection law will now apply depending on the type of data processing being undertaken and not necessarily depending on where that processing is being carried out. In addition to data controllers (persons that determine the purposes for which personal data is processed) that are established in the European Union, data controllers located outside the EU that process personal data in relation to offering goods or services to individuals within the EU, or as a result of monitoring individuals within the EU, will be subject to the GDPR. Non-EU organisations will need to consider whether their activities are caught by the GDPR and whether they must appoint a European representative to take responsibility for their actions.
- Tougher sanctions
The GDPR has substantially increased the maximum fine that may be imposed on organisations that breach EU data protection law. The maximum fines for a breach of the GDPR will be 4% of an enterprise's worldwide turnover or €20 million, whichever is higher.
- Data breach notification obligations
GDPR introduces an express obligation for controllers to notify breaches of security relating to personal data to the relevant data protection authority where the breach is likely to cause a degree of risk to the data subject. Data controllers must notify the authority without undue delay and where feasible within 72 hours of the breach. Where an authority has not been notified within 72 hours, a reasoned justification for the delay must also be given. Controllers must also communicate the fact that there has been a personal data breach to the data subject without undue delay where there is a high risk to the individual's rights and freedoms. Data processors (persons that process personal data on a data controller's behalf) must notify the relevant data controller of a security breach without undue delay. Policies of controllers and processors that relate to responding to security breaches will need to be amended and tested ahead of the implementation of the GDPR.
- Liability for data processors
Data processors will have direct obligations to comply with the GDPR under certain circumstances and data protection authorities may take action against them for breaching the GDPR. Processors will be held accountable for their own level of appropriate security and must document their processing to the same extent required by controllers under the GDPR. Processors must obtain the prior consent of the controller to employ sub-processors, while controllers must only use processors that provide sufficient guarantees to implement appropriate technical and organisational measures to meet the requirements of the GDPR. Data controllers will need to amend their contracts with processors (typically service providers) to address the shift in the processors' responsibilities.
- Privacy by design
GDPR introduces the concept of 'privacy by design', whereby appropriate levels of security are built-in to an organisation's data processing procedure. Data controllers are required to take a proactive approach to ensure that an appropriate standard of data protection is the default position taken when personal data is being processed. The controller must take into account the cost of implementing the required technical and organisational measures. Controllers need to consider the risks posed to individuals by the processing instead of setting precise benchmarks for compliance, and make suggestions about how to minimise risk, for example using anonymisation or pseudonymisation.
- Stricter governance
Data controllers will be required to undertake impact assessments for higher risk processing. These assessments would generally include an evaluation of the risk posed to the data subject as well as the measures envisaged to address the risk. The data controllers and data processors will need to appoint a data protection officer to carry out relevant assessments of an organisation's data processing in certain circumstances.
- Strengthening of data subjects' rights
An individual will have the right to have their personal data removed from a controller or processor's system or online content (the 'right to be forgotten'). Controllers will need to judge whether freedom of expression and information prevails over the protection of personal data. Individuals will also have the right not to be subject to automated data profiling (where this would produce a 'legal effect'). An individual will also have the right to be given a copy of the personal data relating to them by a data controller in a commonly used format and to have that information transmitted to another data controller without hindrance (the 'right to data portability').