Key changes introduced under the GDPR
The introduction of the GDPR heralds the most significant change to data protection law in the EU, and globally, in recent years. The GDPR does not fundamentally change any of the core rules in the 1995 Data Protection Directive. Instead, it extends the Directive’s requirements significantly by introducing a range of new obligations for organisations to support those core rules.
Scope of the GDPR
The Regulation is directly effective in all EU member states from 25 May 2018 without the need for further national legislation. However, some national divergences will remain because member states have limited rights to amend some of the obligations under the Regulation.
Organisations that are established in multiple EU states will be able to nominate a single national data protection authority to act as the lead regulator for all of that organisation’s data protection compliance issues in the EU. This should limit the administrative burden for organisations based in multiple countries, which otherwise would have had to interact with a different regulator in each member state they operate in.
Expanded territorial reach
The GDPR applies to all organisations – whether commercial business or public authority – that collect, store or process the personal data of EU individuals, “whatever their nationality or residence”. Organisations based outside the EU that monitor or offer goods and services to individuals in the EU will have to observe the Regulation and provide the same level of protection of personal data.
Data processors now included
The GDPR directly regulates data processors – service providers that process personal data on behalf of organisations. Processors need to comply with a number of obligations, including maintaining adequate documentation, appropriate security standards, data protection impact assessments and rules on international data transfers. Organisations and data processors can now be held jointly liable for data breaches.
More rights for individuals
Sensitive personal data
Stricter controls have been placed on the processing of sensitive personal data, whose definition has been expanded to include genetic and biometric data, such as fingerprints and retina scans. Personal data also includes unique online identifiers, including IP addresses and mobile device identifiers, and geolocation data about an individual.
Consumer consent to process their personal data must be given freely and for the purposes specified. Consent forms should be laid out in clear and simple terms, outlining the purpose of data collection and processing, and onward data transfers to third parties. Silence or inactivity does not constitute consent. Consent from a child under 16 for online services is only valid if authorised by a parent.
Individuals’ data rights
The “right of portability” and the “right to be forgotten” are two new privacy rights granted to individuals under the GDPR. The right of portability affords residents easier access to their own data. Upon request, individuals will be able to transfer all data from one provider of goods or services to another; this provision was created to foster healthy competition and increase accountability among providers. Under the “right to be forgotten” individuals can have their personal data erased upon request in certain circumstances.
Records of data processing
Data controllers and data processors need to demonstrate compliance by keeping records of data processing activities and make these available to the supervisory authority on request. These records need to show what, where, how and why data is processed.
Data protection impact assessments (DPIAs)
A data protection impact assessment is now a prerequisite before processing personal data that is likely to result in a high risk to the rights and freedoms of individuals. An impact assessment evaluates the likelihood and severity of the risks involved in the proposed data processing and assesses the safeguards to be introduced to mitigate the risk.
Data protection by design
“Data protection by design” requires organisations to embed data protection measures – both technical and organisational – throughout the design phase of a new product, system or business process, rather than treating it as an afterthought.
Data protection officer (DPO)
A data protection officer must be appointed if an organisation is a public authority, conducts large-scale systematic monitoring of personal data or processes large quantities of sensitive personal data. The DPO, who must have expert knowledge of data protection law and practices, will be responsible for overseeing the organisation’s compliance with the GDPR.
Data breach notification
The GDPR introduces a specific obligation on organisations to report any data breach to their supervisory authority within 72 hours of becoming aware of it. Where there is a high risk to individuals, those individuals must also be informed without undue delay.
The maximum penalties permitted under the GDPR are meant to attract attention and encourage compliance – regulators are able to impose penalties on organisations for non-compliance of up to 4% of annual global turnover or €20 million, whichever is higher.
Free green paper
The new EU regulation envisages that, over time, regulators and other parties will introduce codes of practice, guidance and compliance schemes to help organisations comply. As these additional tools develop, compliance requirements will become more specific and less open to subjective interpretation.
Our green paper, EU General Data Protection Regulation – A Compliance Guide, provides a more detailed overview of the Regulation, the key areas of change, and the critical areas organisations need to be aware of when preparing for compliance.
Download our free green paper now >>