Towards the end of 2015, the EU institutions reached agreement on a new General Data Protection Regulation (GDPR) which will replace the 1995 Data Protection Directive, seeking to implement a stricter and more harmonised data privacy regime. The new GDPR, which was published in the Official Journal of the European Union on 4 May 2016 and is expected to come into force on 25 May 2018, is considered to be one of the most comprehensive overhauls of EU privacy legislation.
The key changes
Under the new rules, obligations will extend to data processors for the first time; the current regulations only apply to data controllers. Data processors will need to comply with a range of specific obligations, including:
- maintaining adequate documentation;
- implementing appropriate security standards;
- carrying out regular data protection impact assessments; and
- appointing a data protection officer (DPO) in certain circumstances.
Processors can face direct sanctions, including fines, for not fulfilling their obligations. Meanwhile, data controllers must put in place a written data processing agreement meeting the GDPR requirements with any suppliers or agents who process data on their behalf.
Higher fines and tougher sanctions
The maximum level of fines for breaches of data protection rules will rise to an eye watering €20 million or up to 4 per cent of the total worldwide turnover of an undertaking (whichever is greater). The maximum current fine which the ICO can currently impose is a comparatively meagre £500,000.
GDPR will also make it easier for individuals to bring private claims against data controllers and processors, with Article 82(1) providing the right to receive compensation for any person suffering “material or non-material damage” as a result of a breach of the regulations.
Consent and right to erasure
It will become more important for companies to gain explicit consent from individuals whose personal data they wish to process. Greater powers will also be given to these individuals to remove their consent. Data subjects who are under a certain age (to be decided by the country’s specific regulator – between 13 and 16 years’ old) will not be able to give their consent themselves; this must instead be sought from their parents.
The so-called “right to be forgotten” will be enshrined as a “right to erasure” in the regulations, essentially requiring website providers to remove personal data which an individual requests to be deleted.
The GDPR introduces a right to data portability, which essentially means that a data subject can request their data to be transmitted to themselves or another data controller in a “structured and commonly used and machine-readable format”.
Data controllers will be required to notify the Information Commissioner of any data breaches “without undue delay” and, where feasible, within 72 hours. Additionally, any breaches which are likely to pose a “high risk to the rights and freedoms of individuals” must be notified to the data subjects “without undue delay”. Data processors need to notify data controllers if there has been a breach.
Scope of personal data widened
The definition of “personal data” will be given a far wider meaning by the GDPR, to encompass “any information relating to an identified or identifiable natural person”. It will also broaden the scope of sensitive personal data to capture genetic and biometric data (such as fingerprints and retinal scans), with a far stricter regime governing such “special categories”.
Data protection officers and privacy by design
Any large scale data controllers or processors who handle personal data routinely or process sensitive data – such as public authorities – must appoint a data protection officer (DPO) with “expert knowledge” of data protection law and practices.
There will also be an emphasis on “privacy by design” and “privacy by default” – which essentially means that organisations need to ensure that data protection measures are baked into their procedures. The current requirement to notify the ICO of data processing activities will be scrapped and replaced by a general obligation to keep thorough internal records.
The GDPR introduces the concept of pseudonymisation, according to article 4 (5) meaning “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”. Methods such as encryption, hashing or tokenisation can be used in the process of pseudonymising data. Although not specifically requiring pseudonymisation, the GDPR encourages it and notes that it can help to prevent companies falling foul of their data protection obligations.
Harmonisation and territorial reach
GDPR will become law across the EU without any need for secondary legislation, so will generally lead to a more harmonised regime. Organisations which are not established within the EU will still be covered by GDPR requirements if they process personal data related “to the offering of goods or services” or the monitoring of the behaviour of EU citizens.
The impact of Brexit on the GDPR
With the referendum decision of Britain to leave the EU still ringing in our ears, what is the fate of the GDPR on these shores? Given that article 50 is unlikely to be triggered until at least 2017, and that negotiations are expected to take a minimum of two years, it looks almost certain that UK businesses will be affected by the long arm of GDPR when it comes into force on 25 May 2018.
If Brexit actually goes ahead, UK businesses will still be covered by the rules of GDPR – just as organisations in any other non-EU country – if they process personal data related “to the offering of goods or services” or the monitoring of the behaviour of EU citizens. As so much business now involves the free-flow of information online, it will be necessary to have an overall relevant data protection agreement in place for purposes of cross-border trade. Building such an agreement could involve joining the European Free Trade Association (EFTA) and remaining in the European Economic Area (EEA) – or leaving the EEA and seeking a decision of “adequacy” from the European Commission.
Council of the European Union: Final text of the GDPR
Eduardo Ustaran: A way forward for UK data protection
Alex Heshmaty is a legal copywriter and journalist with a particular interest in legal technology. He runs Legal Words, a copywriting agency in Bristol. Email email@example.com. Twitter @alexheshmaty.
Image cc by KamiPhuc on Flickr.Tweet