The European Union (“EU”) has produced the draft General Data Protection Regulation (“GDPR”) which is aimed at modernising the existing data protection legislation, which was introduced in 1995, largely to keep pace with the fast moving and developing information technology systems which allow individuals and organisations to communicate and share information.
Whilst the GDPR remains under negotiation, it will undoubtedly change the landscape of data protection law in various areas. It is envisaged that the text of the GDPR will be finalised towards the end of 2015 or the first quarter of 2016.
Whilst many of the traditional concepts of data protection law will remain the same, such as the cornerstones of personal data, data controllers and data processors, there will be significant changes. The headline changes which we expect to see in the GDPR are as follows:
(i) Greater harmonisation via the introduction of a single legal framework which will apply across all EU member states. Whilst this change looks to be positive, once the GDPR is finalised businesses will need to ensure that they plan ahead and implement the changes needed to comply with the GDPR;
(ii) Expanded territorial scope to non-EU businesses, which will be subject to the GDPR if they a) offer goods or services to EU data subjects; or b) monitor EU data subjects' behaviour. Businesses which are located outside the EU and which at present are not subject to data protection laws will need to consider whether they will be subject to the GDPR and will need to review their compliance obligations;
(iii) Increased enforcement powers will be given. In the UK the current maximum fine is £500,000 but this will be increased when the GDPR is implemented. The current proposal from the Commission supported by the Council is a maximum fine of up to 1 million euros, or 2% of annual worldwide turnover, whichever is greater. Parliament’s proposal is to increase the minimum fine to 100 million euros, or 5% of annual worldwide turnover, whichever is greater. The increase to maximum penalties will therefore move non-compliance of data protection law to high risk and businesses will need to be vigilant on compliance and evidencing the same;
(iv) Consent as a legal basis for processing, will be harder to obtain. The GDPR will adopt a uniform approach, the proposal being that consent must be freely given, specific, informed and explicit, and demonstrated either by a statement or a clear affirmative action. The current parameters of ordinary and explicit consent will be removed. Businesses will have to ensure that they are not relying on implied consent so for example failing to un-tick a pre-ticked box will be insufficient to comply, it will be necessary for the individual to instead positively tick a blank box to give explicit consent;
(v) The risk-based approach to compliance will be adopted. The proposals are that businesses would be responsible for assessing the degree of risk that their processing activities pose to data subjects. There is, however, a proposal for an increase in the scope of exemptions available to data controllers and for limits to the rights of data subjects to restrict processing. Once the final text of the GDPR is published businesses will need to review this change;
(vi) The “one-stop shop”. Under the GDPR businesses will be able to deal with a single data protection authority across the EU. It is unclear how this will work in practice. For businesses which operate in a single EU state and simply process the personal data of data subjects within that EU state the process will be similar to the present arrangements. For businesses operating in more than one EU state, a substantial change will take effect;
(vii) Privacy by design and default. The implementation of data protection by design (ie when creating new products, services or other data processing activities) and by default (ie data minimisation) will be required for businesses. Data protection impact assessments and the identification of privacy risks will also be required. The design and default principle is likely to affect businesses which are data processors as well as those which are data controllers. Businesses will need to give consideration to the design principle in relation to new technology, products or services which involve processing data and to conduct the relevant impact assessments;
(viii) Registrations. Rather than registering with the data protection authority, businesses will be required to maintain detailed documentation in relation to their processing activities. All data controllers or data processors who employ 250 persons or more will be required to appoint a data protection officer – EU states will decide whether or not this will be a mandatory requirement. Businesses should be reviewing their existing compliance programmes and amending them to comply with the GDPR, ensuring that they have clear records of all of their data processing activities which can be produced if required, and appointing a data protection officer;
(ix) New obligations for data processors. Direct compliance obligations will be introduced for data processors. Similar fines to those imposed on data controllers will be introduced for data processors. Businesses will therefore need to be vigilant in keeping clear paper trails, as the increased obligations and penalties are likely to increase the cost of data processing services. Negotiating data processing agreements may become more difficult and some processors will wish to review their existing data processing agreements to ensure compliance with the GDPR. Data controllers will also need to identify their data processors and review and amend data processing agreements to comply with the GDPR;
(x) Strict data breach notification rules will be implemented. All data breaches must be notified without undue delay and in any event within 24 hours. Businesses will need to put in place a data breach plan identifying specific roles and responsibilities, training for employees and template notifications. This will likely mean a significant administrative burden with an associated increase in costs for businesses;
(xi) Pseudonymised data, being key-coded or enhanced data, will be introduced as a category. It will remain personal data but may be subject to fewer restrictions if the risk of harm is low. This will call for additional technical and organisational security measures;
(xii) Binding corporate rules, which are agreements that lawfully transfer personal data outside the European Economic Area, will be formally recognised. The data protection authority's approval will be required but should be less onerous than under the present system;
(xiii) Individuals will have the "right to be forgotten" by requesting that businesses delete their personal data in certain circumstances (ie where the data are no longer necessary for the purpose for which they were collected). This will further expand the rights of data subjects and will impact businesses, which will have to devote additional time and resources to comply, likely creating increased cost. How data will be deleted will need to be considered and set out in a policy;
(xiv) Individuals will have the right not to be subject to profiling that significantly affects them. Profiling includes most forms of online tracking and behavioural advertising, and businesses will need to review their profiling activities. Some businesses may eradicate profiling if it is not central to the business, whereas those for whom it is central will need to consider how to implement appropriate consent mechanisms; and
(xv) Data subjects would have a new right to obtain a copy of their personal data from the data controller in a commonly used format. Businesses will need to review the final format of the GDPR and consider how to give effect to these rights.
There will be no requirement for national implementation: the GDPR, when implemented by the EU, will simply be applicable across the EU. The GDPR is expected to require businesses to make significant changes to their data protection procedures, including redesigning systems, renegotiating contracts with data processors and restructuring cross-border transfer agreements. Planning ahead will be helpful to avoid the pitfalls of failing to comply once the GDPR is implemented.
If you would like further advice and assistance please contact Valerie Lambert.