On 4 May 2016 the European Parliament and the European Council published the General Data Protection Regulation (GDPR) in the Official Journal of the European Union. This is the final step of a legislative process spanning over five years. The GDPR enters into force 20 days after publication and will apply from 25 May 2018.
As we have previously reported during the legislative process, the GDPR, which is in the form of the version agreed in December 2015, introduces significant changes to data protection law. In particular, much higher penalties for breach, new obligations for data processors, increased accountability, expanded rights for data subjects and an extended territorial scope.
The most important changes are:
- organisations will need to be more transparent and provide extensive information to individuals about processing their personal data;
- the conditions for obtaining consent have become stricter;
- children below the age of 16 cannot consent to processing of their personal data in relation to online services – parental consent is required. Member States may legislate to reduce the age threshold, but not below 13;
- “sensitive” data now includes genetic and biometric data;
- a new concept of pseudonymisation is introduced, referring to processing personal data so that it can’t identify the data subject;
- a requirement to notify significant personal data breaches to data protection authorities within 72 hours;
- organisations must adopt measures to protect personal data ‘by design and default’;
- enhanced rights for individuals, including:
- a right to be forgotten
- a right to require their personal data be ported to a new service provider
- a right to object to decisions taken by automated processes;
- the need to carry out privacy impact assessments before high risk processing;
- a ”lead authority” approach to cross-border processing; and
- increased administrative fines for data breaches, which can be up to 4 % of group annual worldwide turnover in the preceding financial year.
The GDPR will apply to organisations which are established in the EU, regardless of whether the actual data processing takes place in the EU or not. Further, non-EU established organisations will be subject to the GDPR where they process personal data about EU data subjects in connection with offering them goods or services or monitoring their behavior within the EU.
Over the next two years, the practical implications of the GDPR and how to comply will be the subject of much discussion. Some practical matters for businesses and their lawyers to consider are:
- how to draft data protection clauses in contracts which last beyond 25 May 2018;
- how organisations will demonstrate compliance with the GDPR e.g. where appropriate, privacy impact assessments (PIA’s) should be carried out. Guidance on PIA’s can be found at ico.org.uk; and
- how organisations will ensure consistency in their approach to meeting the changes introduced by the GDPR.