General Data Protection Regulation Approved

After nearly four years of negotiation over the revision of the European Union’s data protection rules, the European Parliament has approved the General Data Protection Regulation and it has been published in the Official Journal. Organisations, whether in their capacity as data controllers or as data processors, have two years to prepare, as the GDPR will apply from 25 May 2018.

The General Data Protection Regulation (GDPR) will replace Directive 95/46/EC (Data Protection Directive) on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

The GDPR aims to harmonise data protection law and to strengthen its enforcement across the European Union (EU). Its new provisions will have a marked effect on data controllers and data processors who are established in the EU. They also extend to organisations located outside the EU that monitor the behaviour of individuals in the EU, or offer them goods or services online.

Key changes contained in the GDPR include:

  • Harmonisation – a single legal framework that is directly applicable in all member states two years after coming into force, allowing businesses and organisations sufficient time to prepare for its implementation;
  • Enhanced rights for individuals – individuals will be given easier access to their personal data and better information about what happens to it once it is shared. This includes a “right to be forgotten” (right to erasure), under which individuals can have their personal data deleted when the data controller has no legitimate grounds for retaining it, a right of data portability allowing individuals to transfer their personal data to another service provider, and a right to object to profiling. It also makes specific provision for children under the age of 16 (member states may lower this threshold, but not below 13);
  • Data processors – it introduces direct compliance obligations on data processors and they may be liable to pay fines for non-compliance;
  • Data protection by design and default – data controllers must build data protection into the design of new products and services from the outset, and default settings must limit processing to what is necessary. An approved certification may be used as one element in demonstrating compliance;
  • Privacy impact assessments – privacy impact assessments (referred to in the GDPR as data protection impact assessments) will be obligatory in some circumstances, for example where special categories of data or data relating to criminal offences are processed on a large scale, where publicly accessible areas are systematically monitored on a large scale, or where a systematic and extensive evaluation of the personal aspects of individuals takes place based on automated processing (including profiling);
  • Data breaches – where a personal data breach occurs, data controllers must notify the national data protection authority without undue delay and, where feasible, no later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. If the notification is made later, a “reasoned justification” for the delay must be submitted. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed;
  • One stop shop – the national data protection authority of the main establishment, or of the single establishment, of a business acting as data controller or data processor can act as lead authority. The process is intended to produce a single decision that applies across the EU if and when disputes arise. This will benefit multinationals active in several member states by allowing them to deal with a single national data protection authority as their lead authority;
  • Data protection officers – data controllers must in certain cases appoint a data protection officer, for example where the processing is carried out by a public authority, or where the core activities involve regular and systematic monitoring of individuals or processing of special categories of data on a large scale. The data protection officer is required to possess expert knowledge of data protection law and practice;
  • Accountability – organisations will now have increased responsibilities to maintain detailed records to show data protection compliance, rather than submitting an annual registration to the national data protection authority;
  • International data transfers – the existing binding corporate rules for data controllers and data processors will continue with new provisions for sub-processors; and
  • Strengthened enforcement – maximum fines will be increased and national data protection authorities will impose fines on a two-tier basis: up to 2% of annual worldwide turnover of the preceding financial year or 10 million euros (whichever is the greater) for violations relating to internal record keeping, data processor contracts, data protection officers and data protection by design and default, and up to 4% of annual worldwide turnover of the preceding financial year or 20 million euros (whichever is the greater) for violations relating to the data protection principles, the conditions for consent, data subjects’ rights and international data transfers.

A number of the approved changes are significant because they impose further obligations on businesses and organisations. Businesses are therefore likely to need to review their processes and procedures to ensure that the necessary amendments are made and that their way of doing business complies with data protection law.

The outcome of the upcoming referendum on UK’s membership of the EU may have an impact on whether businesses and organisations in the UK have to comply with all the changes brought in by the GDPR.

At present the UK data protection regime is established through an Act of Parliament, the Data Protection Act 1998, so even if the outcome of the referendum is a vote to leave the EU, the current regime will continue and businesses and organisations will continue to have data protection obligations. In the event of Brexit, the Government may decide that the current regime needs amending so that UK law catches up with technological developments in this area, as the GDPR does. Any business operating in the EU, or offering goods or services to individuals in the EU, would in any case be required to comply with the GDPR. The ICO is urging businesses and organisations to begin preparing now rather than wait for the outcome of the referendum.

Businesses and organisations can take a number of steps to prepare for these changes. These may include reviewing their policies and procedures to ensure that best practice is incorporated, reviewing the training offered to staff, and reviewing their procedures for dealing with data breaches. In the run-up to May 2018, irrespective of the outcome of the referendum, it is likely that the Data Protection Act will change, either to catch up with the GDPR or to catch up with technology, and further guidance will be provided in that period.

Forbes Solicitors regularly advise a range of clients on data protection law and practice. This includes advice on policies, procedures, training, subject access rights and enforcement action for businesses, housing associations, charities and public authorities. To assist your organisation with compliance with the Data Protection Act and preparation for the GDPR, our team is able to offer a Data Protection Audit on a fixed-fee basis. If you would like more information please contact Daniel Milnes.

Nat Avdiu

About Nat Avdiu

Nat Avdiu is a Paralegal in the Contracts and Projects team at Forbes Solicitors. Nat provides updates for clients on a range of issues including: governance, data protection and freedom of information, procurement and charity law.