Legislative bodies in Europe have agreed radical reforms to European Union data protection guidelines but it will take time, money and careful planning to comply with them.
Following months of negotiation and into-the-night discussion the European Parliament, European Commission and European Council have reached agreement on plans outlined in the General Data Protection Regulation (GDPR).
The draft GDPR, which is set to receive formal approval later this year, is expected to come into force in the first quarter of 2018.
With the vast majority of businesses dealing with the personal data of employees, customers and other third parties on a daily basis, the GDPR will have a significant impact.
Additional compliance requirements for non-EU businesses
The draft GDPR will broaden the application of EU data protection principles to include non-EU businesses which:
- either offer goods or services to EU citizens for whom they hold personal data, or
- engage in activity which involves the monitoring of their behaviour.
Non-EU businesses caught by this provision may need to appoint an EU representative depending on the extent of the processing undertaken and the associated risks.
Consistency across member states
The draft GDPR will provide for businesses operating in more than one member state to have a lead supervisory authority (SA) in the state where the organisation is based.. The lead SA will regulate activities across the EU but will also have to co-operate with local SAs who will be able to challenge its decisions.
The draft GDPR will make significant changes to the existing provisions regarding consent. It will require consent to be specific, informed, unambiguous and freely given in order to be acceptable.
Explicit consent will be necessary where sensitive data is involved. Parental consent for children under 16 (unless the member state provides for a lower age of consent but not lower than 13) will be required in respect of online services.
The GDPR will also require data subjects to have the right to withdraw their consent as easily as they provided it.
Record keeping & Data Protection Officers
Businesses will need to keep detailed internal records of processing and policies in order to demonstrate compliance with the draft GDPR. Data will need to be kept and maintained in a format that can be provided to the appropriate SA upon request. Exemptions will, however, be available to businesses with fewer than 250 employees.
The appointment of a data protection officer will also be required for public bodies and businesses involved in the large-scale and systematic monitoring of data subjects or the processing of sensitive data or criminal offences.
Member states will also be entitled to make their own provisions for the appointment of a data protection officer in wider circumstances.
The draft GDPR will place onerous reporting obligations on businesses, requiring them to notify the appropriate SA and the affected individuals of serious breaches as soon as possible and in any event within 72 hours of the breach occurring. Businesses will be expected to be able to justify any delay in notification.
Additional rights of data subjects
Data subjects will be afforded greater rights under the draft GDPR. These will include the right to request the deletion of personal data and the right to request a copy of their personal data in a commonly used format. All data subjects’ rights will generally need to be complied with free of charge, and within a one month period, except in excessive and/or complex cases.
Direct compliance by data processors
The draft GDPR will introduce direct compliance obligations for data processors. Failure to comply with these obligations will place processors at risk of substantial fines as well as making them directly liable to data subjects. This is a significant change which may demand amendments to existing and future processing and supply agreements.
Fair Processing Information
Under the draft GDPR data subjects will need to be provided with additional information about the processing of their data. This will include the period for which the data will be stored, the legitimate interests of the data controller and details of the data subject rights.
The European Data Protection Board (EDPB)
The draft GDPR will establish a new body which will be referred to as the European Data Protection Board (EDPB). The EDPB will issue opinion and guidance on the draft regulations as well as assisting with its interpretation.
Increased enforcement powers
Finally and perhaps most importantly, the draft GDPR will substantially increase the fines for non-compliance with data protection provision.
Currently, under UK law, the Data Protection Commissioner has the power to impose fines up to £500,000 for serious contraventions of the Data Protection Act.
Under the draft GDPRs the maximum fine will be 20 million euros or 4% of a businesses’ worldwide turnover, whichever is the greater. Member states will also have the option of enacting criminal sanctions for breach of the regulations.
While the implementation of the GDPR may seem a long way off, it is important that businesses take steps to familiarise themselves with the new provision now.
Responding to the changes will involve carefully reviewing and amending existing data protection processes and procedures to bring them in line with the new regulations. Ensuring compliance with the GDPR is likely to require considerable time, money and very careful planning.