First proposed in January 2012, agreement has finally been reached between the European Commission, the European Parliament and the Council (the so-called ‘trilogue’) regarding a new General Data Protection Regulation (GDPR).
Current data protection rules are based on the 1995 Data Protection Directive, which predates mainstream internet, social media, big data, the cloud and other advances in technology which shape the way business operates today. It’s a classic case of legislation not keeping pace with technological development; its overhaul is well overdue.
A key benefit of the GDPR will be a single harmonised data protection law covering the whole of the EU. At present, each EU state has implemented its own version of the 1995 Directive and differences can apply in different member states.
The main highlights are summarized as follows:
A stricter regulatory environment
Reflecting ever increasing concerns about how personal data is used in the digital economy, and the continuous flow of news reports about data security breaches, the GDPR imposes a much higher burden of compliance on business. Specific points include:
- Fines – the maximum fine for breach of the GDPR is to be set at 4 per cent. of a company’s worldwide turnover. Currently the maximum fine under the DPA is £500,000. This alone should be enough to put the GDPR onto every Board’s agenda.
- Easier access to data: individuals will have (and businesses will be required to provide) more information on how their data is processed and this information should be available in a clear and understandable way.
- Consent – a new more expansive and specific definition of consent requires that it must be a “freely given, specific, informed and unambiguous indication of his or her wishes” by which the data subject, either “by a statement or by a clear affirmative action”, signifies agreement to personal data relating to them being processed.
- Additional administrative burden – businesses must keep a record of any data processing activities under their responsibility (referred to as documentation) and must carry out data protection impact assessments (DPIAs) if they are processing date using new technologies and this is likely to result in a high risk to personal data.
- Rules for innovation – the regulation requires that data protection safeguards are built into products and services from the earliest stage of development (privacy by design). Privacy-friendly techniques such as pseudonymisation are encouraged by the GDPR, to allow the benefit of big data innovation while protecting privacy.
- Data protection officers – companies will be required to appoint data protection officers if they process sensitive data or collect information from consumers on a large scale. This will be an additional cost to many companies, although there is an exemption applicable to SMEs – see below.
- Data processors – the GDPR treats data processors as data controller if they process personal data otherwise than in accordance with the data controller’s instructions and subjects data to processors fines for breaches of the GDPR; under current rules, in general, only the data controller is responsible for compliance.
- Data breach notification – companies and organisations must notify the national supervisory authority (that’s the ICO in the UK) of serious data breaches as soon as possible so that users can take appropriate measures.
As well as the above, the new rules strengthen existing rights to include:
- a right to data portability – the GDPR will make it easier for consumers to transfer personal data between service providers such as social network platforms and SaaS service providers;
- right to be forgotten– EU citizens will have a stronger right to require that their data is deleted provided that there are no legitimate grounds for retaining it, which may require a business to rethink its current policy on data retention and deletion.
- Impact on non-EU businesses – the new rules will apply to companies who do not have a physical presence in the EU but offer services in the EU and collect data about EU data subjects. This will, for example, affect many US companies that provide services into the EU.
- International data transfers – the position regarding transfers of data outside of the EU is unsatisfactory, highlighted by the recent invalidation of the Safe Harbor framework in respect of transfers to the US. However, it seems that the position under the GDPR will be largely unchanged from the current position.
- One continent, one law – The GDPR will establish one single set of rules for the whole of the EU which will make it simpler and cheaper for companies to do business in the EU.
- One-stop-shop – businesses will only have to deal with one single supervisory authority.
Exemptions for SMEs
Under the new rules, SMEs benefit from certain exemptions to reduce the burden of compliance:
- No more notifications: the requirement to notify to / register with the ICO is to be scrapped.
- Subject access: Where requests to access data are manifestly unfounded or excessive, SMEs will be able to charge a fee for providing access.
- Data Protection Officers: SMEs are exempt from the obligation to appoint a data protection officer insofar as data processing is not their core business activity.
- Impact Assessments: SMEs will have no obligation to carry out an impact assessment unless there is a high risk.
Before the GDPR becomes law, the final text must be formally adopted by the European Parliament and Council, which is set to happen at the beginning of 2016.
The new rules will then become applicable across the EU two years thereafter.