What do you need to do?
The EU General Data Protection Regulation (GDPR) will take direct effect in EU Member States on 25 May 2018. It will replace, and to a large extent harmonise, current national rules which transpose the current EU Data Protection Directive (DPD). Local data protection laws will fill remaining gaps.
Here's a quick guide to the headline changes and how they will impact your operations. Time is ticking for organisations to get ready for GDPR.
1. A gear change in risk
Anti-trust-style fines of up to 4% of global annual turnover for a wide range of breaches.
Practical impact: The GDPR marks a huge increase in regulatory risk. Privacy compliance needs to be given a higher priority, and appropriate resourcing. Getting the basics wrong – for example failing to obtain valid consent or breaching the data protection principles – can attract the highest level of fines.
2. Harmonisation of laws and "one stop" enforcement?
GDPR aims to iron out differences between national privacy laws within Europe and to introduce "one stop" enforcement for multinationals via a lead regulator in the Member State where the organisation has its main establishment.
Practical impact: The reality will be more complex. The GDPR is a regulation and will therefore become directly effective across the EU. However, Member States can still implement their own rules on some 50 aspects of the GDPR, so it will still be necessary to take local advice and tailor compliance. Multinationals may still need to deal with multiple regulators if breaches have a cross-border angle.
3. Non-EU organisations are caught
All organisations operating in, or targeting individuals in, the EU will be caught, regardless of the location of servers.
Practical impact: Non-EU organisations targeting EU citizens with goods or services will be expressly caught by the rules. In-scope organisations need to designate a representative in the EU to act as a point of contact with regulators and data subjects on compliance matters.
4. Far more data is in scope
The new definition of personal data is wider, intended to capture the world of digital marketing and to future proof the rules for ever-evolving technologies.
Practical impact: The new definition includes online identifiers and location data. Organisations need to map their data flows, review the type of data they capture about individuals and ensure all relevant processing meets the new standards. To reduce risk, data should be minimised, and where possible, pseudonymised.
5. Stricter rules on governance and documentation
There is a more formal approach to governance, accountability and documentation.
Practical impact: Organisations will need to devote more resources to privacy compliance and keep systematic records to demonstrate that they are complying. Many organisations will need to appoint a suitably qualified Data Protection Officer or engage an external consultant.
6. Increased rights and remedies for individuals
Individuals have even stronger rights and remedies, and the information which data controllers provide to them needs to be fuller, more transparent and user-friendly.
Practical impact: Data controllers need to:
- review and redraft their privacy policies and consent notices
- put in place better processes for responding to subject access requests within the shorter new deadline.
7. Higher standard for consent and other conditions
A higher threshold for consent and an emphasis on recording clear, granular preferences.
Practical impact: Organisations will need to ensure they can demonstrate a lawful basis for all processing. Existing consents will need to be reassessed to ensure they meet the higher new standard, and opt-outs must be respected. Profiling, and the processing of sensitive personal data, will usually require the explicit consent of the individual. Processing agreements with suppliers will have to be updated.
8. Privacy by design, data minimisation and impact assessments
Privacy compliance needs to be factored into projects, systems and processes proactively from day one.
Practical impact: New projects, products and systems will need privacy input from the start.
9. Security standards and breach notification requirements
All data controllers must comply with strict new deadlines for notifying data breaches to regulators and affected individuals. This increases the risk of negative publicity and reputation damage.
Practical impact: Organisations need to re-assess their security measures regularly and develop breach and crisis response plans. In commercial deals, the increased security obligations will need to be reflected in more robust contractual obligations.
10. Impact on international data transfers
The basic prohibition on extra-EEA transfers remains. The existing adequacy mechanisms that organisations can use to make such transfers lawful (and some new options) are fleshed out in more detail, and are made subject to stronger controls.
Practical impact: Organisations should review the mechanisms they and their suppliers (e.g. cloud vendors) rely on to make US (and other non-EEA) transfers lawful. Against a backdrop of continued uncertainty about the lawfulness of transfers to the US, they should keep watch for the latest guidance from regulators.
Finally... what's the impact of Brexit?
For organisations operating in or with the UK, the recent referendum vote on Brexit adds a further twist: at the time of writing (August 2016) it is still far from clear what form the UK's future legal and constitutional relationship with the EU will take. For now, the working assumption is that, in order to preserve the free flow of data with the EU, the GDPR – or equivalent rules – will continue to apply in the UK.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.