20 Million Reasons to Get Serious with Data Protection
A profound overhaul of EU data protection rules is set to be finalized in the upcoming months as the European Parliament and Council are gearing up to formally adopt the General Data Protection Regulation (“GDPR”). The GDPR establishes a single set of data protection rules for all EU Member States, and it is likely to come into force in 2018. In anticipation of the new rules, key features of the regulation are summarized below.
Enhanced Privacy. While many of the core principles remain the same, the GDPR brings new rights to individuals, such as the right to object to profiling. Data subjects will also be given the right to data portability, which enables them to transfer their personal data between controllers more easily. Further, the GDPR codifies the so-called “right to be forgotten”.
Valid Consent. The GDPR introduces tougher conditions for processing personal data based on data subjects’ consent. Consent must be given by a clear affirmative action indicating an agreement between the controller and the data subject. This may be established by a written statement (for example electronically), or orally. Data subjects can provide consent by, e.g., ticking a box on an Internet website or choosing technical settings for information society services. It follows that silence, pre-ticked boxes, or inactivity do not constitute consent. Children under 16 years of age need parental approval to give their consent to the processing of their personal data online. Member States can reduce this minimum age to 13 years.
Wider Geographical Scope. Aside from EU-based businesses, the GDPR will also be applicable to companies established outside the EU, as long as their data processing activities are related to the offering of products or services in the EU, or as long as they monitor EU residents’ behavior. Non-EU companies may need to appoint an EU representative.
One-Stop-Shop Supervisory Authority. The GDPR introduces a so-called one-stop-shop mechanism with regard to the supervision of compliance with data protection rules. If a company is established in several EU member states, the data protection authority of the main establishment of a company will act as the lead data protection authority for that company. While this mechanism aims to streamline compliance for businesses, it is not all-encompassing and businesses will continue to be on the radar of other concerned data protection authorities as well.
New Administrative Burdens. The regulation sets new obligations concerning accountability, as controllers and processors must be able to demonstrate compliance with the GDPR, for example through codes of conduct. Controllers and processors must also keep records of their processing activities. Another novelty is the data protection impact assessment, which controllers are required to carry out when engaged in high-risk processing. Companies may also have to appoint a Data Protection Officer, for example when a company processes large amounts of sensitive data. The GDPR also introduces a uniform security breach notification requirement. In case a security breach leads to the accidental or unlawful loss, access, or disclosure of personal data, controllers are required to notify the competent supervisory authority and affected individuals without undue delay. However, there are some exceptions to the above-mentioned obligations, and SMEs enjoy a lighter-touch regime.
Data Protection by Design and by Default. The regulation requires companies to secure data protection by design and by default: controllers and processors must use measures that are designed to implement data protection principles into processing activities. It must also be ensured that only necessary data for each specific purpose is processed.
Agreements between Controllers and Processors. The GDPR introduces new requirements for controller-processor agreements. Among other things, agreements must stipulate that the processor shall process personal data only in accordance with documented instructions from the controller.
Direct Liability for Processors. The GDPR sets substantial and directly applicable obligations not only for controllers but for processors as well. Processors are liable for damages arising from processing that is noncompliant with obligations specifically directed to processors, or when a processor has acted outside or contrary to the controller’s instructions.
Severe Sanctions. The importance of complying with the new rules is underlined by significant administrative fines in case the GDPR provisions are violated. The maximum fine is the higher of 20 million euros or 4 % of the company’s total worldwide annual turnover in the previous year.
Practical Implications of the GDPR. As mentioned, the GDPR is likely to come into force in 2018. However, businesses can already prepare for the upcoming changes by reassessing their position in light of the revamped requirements. This may include updating privacy policies and data protection notices to address the new rights of data subjects, changing operational processes or IT systems to comply with the right of portability or the right to be forgotten, checking whether a Data Protection Officer should be appointed, and reviewing current archives and records to see if the company’s recordkeeping is in need of revising.
The requirement of privacy by design and by default may lead to companies having to design systems that comply with the GDPR at the outset of a new project. However, businesses have a degree of flexibility when complying with this requirement – aspects such as the nature, scope, context, risks, and purposes of the processing may be taken into account when choosing the appropriate technical and organizational measures to implement data protection principles.
Companies may also review customer-facing materials and the legal basis for their data processing. If necessary, preparations can be made to comply with the consent requirements. It may also be advisable to review agreements with processors to ensure they meet the GDPR requirements. In addition, keeping in mind the obligation to report data breaches, companies may consider drafting internal guidelines for handling such situations.