New Data Protection Rules for the Digital Age
The General Data Protection Regulation is the first comprehensive overhaul of data protection legislation in the European Union for more than 20 years. It will repeal and replace the 1995 Data Protection Directive (95/46/EC) and subsequent EU member state implementations of that directive.
As a regulation, the GDPR will be directly applicable in all 28 EU member states. It forms part of a package of reforms that also includes a new Data Protection Directive for the police and criminal justice sector. The regulation is likely to be approved in spring 2016 and will apply two years after entry into force, therefore from spring 2018.
Why Is the GDPR Important?
The EU Charter of Fundamental Rights includes a right to the protection of personal data, for which the GDPR provides new rules. In this context, the GDPR will:
- Apply to all firms offering goods and services within the EU that process the personal data of EU residents, regardless of where they are in the world
- Set out enhanced rights for data subjects and additional obligations for data controllers and processors
- Introduce a new cross-border regulatory regime for the EU, including a one-stop shop and consistency mechanism operated by a new European Data Protection Board
- Revise the rules around international data transfers with recognition of data protection clauses and binding corporate rules, and new restrictions on transfers to third-country authorities
- Establish maximum fines of €20 million or 4% of annual global turnover, whichever is higher
Complying with the GDPR
Establishing the grounds for lawful processing
Under the current and future regimes, firms need to be clear on why they can process personal data:
- Where consent is relied upon, it needs to be freely given, informed, specific, and unambiguous — and for special categories of data, consent needs to be explicit
- For children’s data, the age of parental consent may vary between 13 and 16, depending on EU member state rules
- If ‘legitimate interests’ are used as grounds for processing, those interests must not override the interests of the individual, taking into account their reasonable expectations
Managing enhanced rights for individuals
Individuals will have a number of new and enhanced rights under the GDPR, and firms will need to put in place technical and organizational measures to meet new requirements. These rights include:
- Right of access: information to be provided to the individual free of charge and within one month of request.
- Right to data portability: a new right which allows the individual to obtain their personal data in a structured, commonly used, and machine-readable format.
- Right to erasure (“right to be forgotten”): an enhanced right for the individual to request the erasure of their data without undue delay.
- Right to object: the individual will be able to object to the processing of their data unless the controller can demonstrate compelling, legitimate grounds for processing.
- Right not to be subject to measures based on automated processing: this right applies where automated processing — including profiling — has a significant effect on the individual, for example by preventing them from accessing credit.
Meeting additional obligations for businesses
Firms will be subject to new or more stringent obligations under the GDPR, with certain obligations also applying to data processors. Key obligations include:
- Implementing data protection by design and data protection by default, and implementing measures to ensure a level of security appropriate to the risk to individuals
- Notifying the supervisory authority of a data breach within 72 hours, where feasible
- Undertaking data protection impact assessments where the processing is likely to result in a high risk to individuals
- Designating a data protection officer who will report to the highest management level, monitor compliance with the GDPR, cooperate with the supervisory authority, and act as a contact for data subjects
Preparing for the GDPR
Promontory recommends that businesses start planning for the GDPR at the earliest opportunity. See Promontory’s EU General Data Protection Regulation: What To Do, When To Do It for further details.
Promontory assists companies throughout the full life cycle of building, managing, and sustaining privacy and data protection governance programs. For more information about how we can help your organization enhance its GDPR practices, please contact a senior member of our privacy and data protection team:
Senior Principal, London
+44 207 997 3417
+44 207 997 3407
Director, San Francisco
+1 415 291 2679
Managing Director, London
+44 207 997 3456
Director, San Francisco
+1 415 291 2671