10 May 2016

European Parliament publishes General Data Protection Regulation

On 4 May 2016 the European Parliament and the European Council published the General Data Protection Regulation (GDPR) in the Official Journal of the European Union. This is the final step of a legislative process spanning over five years. The GDPR enters into force 20 days after publication and will apply from 25 May 2018.

As we have previously reported during the legislative process, the GDPR, published in the form agreed in December 2015, introduces significant changes to data protection law: in particular, much higher penalties for breach, new obligations for data processors, increased accountability, expanded rights for data subjects and an extended territorial scope.

The most important changes are:

  • organisations will need to be more transparent and provide extensive information to individuals about processing their personal data;

  • the conditions for obtaining consent have become stricter;

  • children below the age of 16 cannot consent to processing of their personal data in relation to online services – parental consent is required. Member States may legislate to reduce the age threshold, but not below 13;

  • “sensitive” data now includes genetic and biometric data;

  • a new concept of pseudonymisation is introduced, referring to processing personal data so that it can no longer be attributed to a specific data subject;

  • a requirement to notify significant personal data breaches to data protection authorities within 72 hours;

  • organisations must adopt measures to protect personal data ‘by design and default’;

  • enhanced rights for individuals, including:

    • a right to be forgotten
    • a right to require their personal data be ported to a new service provider
    • a right to object to decisions taken by automated processes;

  • the need to carry out privacy impact assessments before high risk processing;

  • a “lead authority” approach to cross-border processing; and

  • increased administrative fines for data breaches, which can be up to 4% of group annual worldwide turnover in the preceding financial year.

The GDPR will apply to organisations which are established in the EU, regardless of whether the actual data processing takes place in the EU or not. Further, organisations not established in the EU will be subject to the GDPR where they process personal data about EU data subjects in connection with offering them goods or services or monitoring their behaviour within the EU.

Over the next two years, the practical implications of the GDPR and how to comply will be the subject of much discussion. Some practical matters for businesses and their lawyers to consider are:

  • how to draft data protection clauses in contracts which last beyond 25 May 2018;

  • how organisations will demonstrate compliance with the GDPR, e.g. by carrying out privacy impact assessments (PIAs) where appropriate. Guidance on PIAs can be found at ico.org.uk; and

  • how organisations will ensure consistency in their approach to meeting the changes introduced by the GDPR.
