Introducing the GDPR

Towards the end of 2015, the EU institutions reached agreement on a new General Data Protection Regulation (GDPR) which will replace the 1995 Data Protection Directive, seeking to implement a stricter and more harmonised data privacy regime. The new GDPR, which was published in the Official Journal of the European Union on 4 May 2016 and is expected to come into force on 25 May 2018, is considered to be one of the most comprehensive overhauls of EU privacy legislation.

The key changes

Data processors

Under the new rules, obligations will extend to data processors for the first time; the current regulations only apply to data controllers. Data processors will need to comply with a range of specific obligations, including:

  • maintaining adequate documentation;
  • implementing appropriate security standards;
  • carrying out regular data protection impact assessments; and
  • appointing a data protection officer (DPO) in certain circumstances.

Processors can face direct sanctions, including fines, for not fulfilling their obligations. Meanwhile, data controllers must put in place a written data processing agreement meeting the GDPR requirements with any suppliers or agents who process data on their behalf.

Higher fines and tougher sanctions

The maximum level of fines for breaches of data protection rules will rise to an eye-watering €20 million or up to 4 per cent of the total worldwide turnover of an undertaking (whichever is greater). The maximum fine which the ICO can currently impose is a comparatively meagre £500,000.

GDPR will also make it easier for individuals to bring private claims against data controllers and processors, with Article 82(1) providing the right to receive compensation for any person suffering “material or non-material damage” as a result of a breach of the regulations.

Consent and right to erasure

It will become more important for companies to gain explicit consent from individuals whose personal data they wish to process. Greater powers will also be given to these individuals to withdraw their consent. Data subjects who are under a certain age (to be decided by the country’s specific regulator, between 13 and 16 years old) will not be able to give their consent themselves; this must instead be sought from their parents.

The so-called “right to be forgotten” will be enshrined as a “right to erasure” in the regulations, essentially requiring website providers to remove personal data which an individual requests to be deleted.

Data portability

The GDPR introduces a right to data portability, which essentially means that a data subject can request their data to be transmitted to themselves or another data controller in a “structured and commonly used and machine-readable format”.

Breach notifications

Data controllers will be required to notify the Information Commissioner of any data breaches “without undue delay” and, where feasible, within 72 hours. Additionally, any breaches which are likely to pose a “high risk to the rights and freedoms of individuals” must be notified to the data subjects “without undue delay”. Data processors need to notify data controllers if there has been a breach.

Scope of personal data widened

The definition of “personal data” will be given a far wider meaning by the GDPR, to encompass “any information relating to an identified or identifiable natural person”. It will also broaden the scope of sensitive personal data to capture genetic and biometric data (such as fingerprints and retinal scans), with a far stricter regime governing such “special categories”.

Data protection officers and privacy by design

Any large-scale data controllers or processors who handle personal data routinely or process sensitive data – such as public authorities – must appoint a data protection officer (DPO) with “expert knowledge” of data protection law and practices.

There will also be an emphasis on “privacy by design” and “privacy by default” – which essentially means that organisations need to ensure that data protection measures are baked into their procedures. The current requirement to notify the ICO of data processing activities will be scrapped and replaced by a general obligation to keep thorough internal records.

Pseudonymisation

The GDPR introduces the concept of pseudonymisation, which article 4(5) defines as “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”. Methods such as encryption, hashing or tokenisation can be used in the process of pseudonymising data. Although it does not specifically require pseudonymisation, the GDPR encourages it and notes that it can help to prevent companies falling foul of their data protection obligations.
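The two techniques named above, shown as an added example (not from the original article): direct identifiers in a record are replaced either by a keyed hash, where the key is the “additional information” held separately, or by a random token whose lookup table is held separately. The field names, sample record and key are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Fields treated as direct identifiers (assumed list for this example).
DIRECT_IDENTIFIERS = ("name", "email")


def keyed_pseudonym(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256). The key is the separately held 'additional
    information': whoever holds the pseudonymised data set but not the key
    cannot relink it. A plain unkeyed hash of a guessable value such as an
    e-mail address would not give that protection, since anyone who knows the
    value can recompute its hash."""
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


class TokenVault:
    """Tokenisation: a random token replaces the value, and the token->value
    table is the separately held information that permits re-identification."""

    def __init__(self) -> None:
        self._table: Dict[str, str] = {}

    def tokenise(self, value: str) -> str:
        token = secrets.token_hex(16)
        self._table[token] = value
        return token

    def reidentify(self, token: str) -> str:
        return self._table[token]


def pseudonymise(record: dict, key: bytes, vault: Optional[TokenVault] = None) -> dict:
    """Return a copy of `record` with direct identifiers replaced. With a vault,
    tokens are used (reversible only via the vault); otherwise keyed hashes are
    used (consistent across data sets sharing the key, not reversible)."""
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in out:
            out[field] = vault.tokenise(out[field]) if vault else keyed_pseudonym(out[field], key)
    return out


# Constructed sample record and key; in practice the key lives with a separate custodian.
SAMPLE = {"name": "Ann Example", "email": "ann@example.com", "postcode_area": "BS1", "visits": 3}
KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    print(pseudonymise(SAMPLE, KEY))
    vault = TokenVault()
    tokenised = pseudonymise(SAMPLE, KEY, vault)
    print(tokenised, vault.reidentify(tokenised["email"]))
```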

Harmonisation and territorial reach

GDPR will become law across the EU without any need for secondary legislation, so will generally lead to a more harmonised regime. Organisations which are not established within the EU will still be covered by GDPR requirements if they process personal data related “to the offering of goods or services” or the monitoring of the behaviour of EU citizens.

The impact of Brexit on the GDPR

With the referendum decision of Britain to leave the EU still ringing in our ears, what is the fate of the GDPR on these shores? Given that article 50 is unlikely to be triggered until at least 2017, and that negotiations are expected to take a minimum of two years, it looks almost certain that UK businesses will be affected by the long arm of GDPR when it comes into force on 25 May 2018.

If Brexit actually goes ahead, UK businesses will still be covered by the rules of GDPR – just as organisations in any other non-EU country – if they process personal data related “to the offering of goods or services” or the monitoring of the behaviour of EU citizens. As so much business now involves the free flow of information online, it will be necessary to have an overall relevant data protection agreement in place for purposes of cross-border trade. Building such an agreement could involve joining the European Free Trade Association (EFTA) and remaining in the European Economic Area (EEA) – or leaving the EEA and seeking a decision of “adequacy” from the European Commission.

Further reading

Council of the European Union: Final text of the GDPR

DLA Piper: EU General Data Protection Regulation – Key Changes

Osborne Clarke: Agreement reached on a new General Data Protection Regulation: implications for business

Michelmores: Out with the old, in with the new – the upcoming changes to Data Protection Law

TLT: Get ready for General Data Protection Regulation

Eduardo Ustaran: A way forward for UK data protection

Bird & Bird: Brexit: Data protection and cyber security law implications

Alex Heshmaty is a legal copywriter and journalist with a particular interest in legal technology. He runs Legal Words, a copywriting agency in Bristol. Email alex@legalwords.co.uk. Twitter @alexheshmaty.

Image cc by KamiPhuc on Flickr.