The new EU General Data Protection Regulation (GDPR) radically overhauls the existing data protection legislation. We look at its implications for businesses and what steps they need to take now.
The new General Data Protection Regulation (GDPR) comes into force on 25 May 2018. That seems some way off but with a greater regulatory burden and onerous new sanctions, businesses are wise to make plans now. Even though this is EU legislation, it seems unlikely Brexit will come to the rescue given the timeframe.
In any event, non-EU controllers and processors will be caught under the GDPR where the processing activities are related to the offering of goods or services to data subjects in the EU, or the monitoring of their behaviour.
The GDPR will apply to anyone who is a “data controller” or “data processor”. A “data controller” is a person (or company) who (either alone, jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is, or is to be, processed. A “data processor” is a person (or company) that processes data on behalf of a data controller.
So what are the major changes?
1. Bigger fines
Under the GDPR, both data controllers and data processors can be fined for breaches of data protection.
There are two tiers of fines for companies that fail to comply with the legislation. The level imposed will depend on the nature of the infringement. The lower tier is a fine of the greater of €10 million or 2% of a business’s worldwide annual turnover. At the higher tier, fines can be up to €20 million or 4% of a business’s worldwide annual turnover.
There are onerous obligations on data controllers to show compliance. This includes maintaining specific documentation, conducting impact assessments and implementing data protection by design, ie to ensure data minimisation.
3. Direct obligations and notifications
Data processors will have direct obligations for the first time. These include maintaining written records of processing activities and notifying the controller on becoming aware of data breaches within 72 hours (where feasible). Individuals must be notified where the occurrence of the incident could cause them serious harm.
It must be easy for the data subject to withdraw consent to the processing of their personal data. Also, subjects will need to give explicit consent for certain sensitive data. Where personal data is processed for direct marketing the data subject must expressly give consent or “opt-in”. In addition, the data subject will have a right to object to their personal data being used for marketing purposes and this right must be explicitly brought to their attention.
5. Definition of personal data
The definition of ‘personal data’ has been widened. It will now cover any information related to identified or identifiable living individuals, including pseudonyms.
6. Greater transparency
More information will need to be provided to individuals about personal data that is being collected, for what purpose, for how long and to whom, and to where it is being transferred.
7. Right to be forgotten
Individuals will be able to request that their personal data is deleted. Where the personal data has been made public, they can also request that other controllers processing the personal data erase links to such personal data.
8. Data portability
This is a new right. A data subject will be entitled to obtain from the controller a copy of his or her data in a structured, commonly used and machine-readable format. The data subject will be able to request that the personal data is sent directly to another controller, where feasible.
The rules requiring controllers to put in place policies and documented procedures to ensure (and evidence) compliance with the GDPR will be tighter. Full documentation and records will be important to avoid or reduce fines.
10. Data protection officers
In certain circumstances, it will be necessary for public authorities and private companies to appoint a data protection officer. This will apply where core activities involve large-scale monitoring or processing of sensitive data, or data on criminal convictions. A data protection officer must operate independently and must not take instructions from his or her employer.
What steps should you take now?
- Prepare for breaches and put in place clear policies and procedures in case any infringements occur.
- Have policies in place to show that you have met the required standards and ensure staff are adequately trained.
- Make sure privacy by design forms part of your data processing.
- Check what consents you need from data subjects and make sure procedures are in place to obtain these.
- Ensure information about data that you provide to subjects is clear and unambiguous.
- Have processes in place to comply with the new requirements dealing with the deletion and portability of data.
The new regulation has been four years in the making and contains complex, detailed provisions. The information above is necessarily a summary of it and should not be relied on as formal advice.
If you have any queries concerning the GDPR and how it may affect your business, please contact Lee Gabbie at firstname.lastname@example.org, Choy Lau at email@example.com or Lisa Rice at Lisa.firstname.lastname@example.org or call 0207 404 9400 and ask to speak to a member of our employment team.