Key changes introduced under the GDPR
While the GDPR marks the most significant change to data protection law in recent years, it does not fundamentally change any of the core tenets of the 1995 DPD (Data Protection Directive). Rather, it expands the Directive’s requirements by imposing a range of new obligations on organisations to support those core tenets.
Scope of the GDPR
The Regulation was implemented on 25 May 2018 with direct effect in all EU member states, without the need for further national legislation. Nevertheless, given that member states have limited rights to amend some of the obligations under the GDPR, some national divergences will still remain.
The GDPR simplifies the administrative burden for organisations established in multiple EU countries by allowing them to nominate a single national data protection authority to act as the lead regulator for that organisation’s data protection issues in the EU.
Expanded territorial reach
The GDPR has extensive territorial reach. It applies to all organisations (both private and public bodies) that collect, store or otherwise process the personal data of EU individuals (irrespective of their nationality or residence). It also applies to organisations based outside the EU that monitor or offer goods and services to individuals in the EU.
Data processors now included
Data processors – service providers that process personal data on behalf of organisations – are also explicitly required to comply with the laws on data protection and can be held jointly liable for failure to do so. This includes the requirements to maintain adequate documentation, apply appropriate security standards, carry out DPIAs (data protection impact assessments) and comply with the rules on international data transfers.
More rights for individuals
Sensitive personal data
Tighter restrictions are imposed on the processing of sensitive personal data, the definition of which has been expanded to capture 21st-century technological advancements. Sensitive data (known as ‘special category data’ under the Regulation) now includes genetic and biometric data (e.g. fingerprints and retina scans), unique online identifiers (including IP addresses) and geolocation data about an individual.
The rules around consent are now much stricter. Consent must be freely given by the data subject for the purposes specified, and it must not be tacit. This means organisations must ensure that their consent forms are laid out in clear and simple terms, outlining the purposes of the data processing and any onward transfers to third parties.
Consent from a minor (under 16) for online services is only valid if authorised by a parent or legal guardian.
Individuals’ data rights
The GDPR accords two new rights to individuals. These are:
- The right of portability – enables individuals to request the transfer of all their data from one provider of goods or services to another, in a structured, commonly used and machine-readable format; and
- The right to be forgotten – enables individuals to request erasure of their data in certain circumstances.
Records of data processing
Data controllers and processors must maintain records of their data processing activities showing what, where, how and why data is processed. These must be made available to the supervisory authority on request.
The Belgian Data Protection Authority (Gegevensbeschermingsautoriteit) has provided a data inventory template for organisations processing personal data, which can be accessed here.
Data protection impact assessments (DPIAs)
Organisations wishing to conduct high-risk processing (e.g. storing large amounts of sensitive data or regularly transferring data outside the EEA (European Economic Area)) must first complete a DPIA. A DPIA evaluates the likelihood and severity of the risks involved in the proposed data processing, as well as assessing the effectiveness of the safeguards introduced to mitigate the risk.
Data protection by design
The requirement of ‘data protection by design’ means that organisations must embed data protection measures throughout the design phase of new products, systems or business processes so that privacy is wholly integrated with the project at hand. Organisations can no longer treat data protection as a minimum compliance exercise; they must ensure that the whole organisation adopts a culture of privacy.
Data protection officer (DPO)
Public authorities and organisations conducting large-scale systematic monitoring of personal data or processing large quantities of sensitive personal data must appoint a DPO (data protection officer). Responsible for overseeing your organisation’s compliance, the DPO must have expert knowledge of data protection laws and practices.
Data breach notification
Reporting data breaches to the regulator is now a mandatory requirement for all organisations. Breaches must be reported within 72 hours of the organisation becoming aware of the breach. If the breach is likely to pose a high risk to individuals, those individuals must also be informed without undue delay.
The maximum penalty permitted by the GDPR, 4% of annual global turnover or €20 million, is designed to persuade organisations to take GDPR compliance seriously.
Free green paper
Over time, regulators and other parties will introduce codes of practice, guidance and compliance schemes to help organisations fulfil their obligations under the GDPR. As these additional tools develop, compliance requirements will become more specific and less open to subjective interpretation.
Our green paper, EU General Data Protection Regulation – A Compliance Guide, provides a more detailed overview of the Regulation, the key areas of change, and the critical areas organisations need to be aware of when preparing for compliance.
Download our free green paper now >>
Speak to a GDPR advisor
Please contact our GDPR team for advice and guidance on our products and services.