The European Union’s General Data Protection Regulation [Regulation (EU) 2016/679, GDPR] entered into force a year ago, on 24 May 2016, and will become directly applicable one year from now, on 25 May 2018. We are thus halfway through the two-year transition period, which makes this a good time to recap how the GDPR will change data protection rights and obligations.
The GDPR replaces the Data Protection Directive (95/46/EC). While the GDPR will apply directly without any transposition into national law, the Directive had to be transposed in each EU member state, which resulted in 28 different data protection laws. The way in which the GDPR will impact data protection thus depends on which jurisdiction you examine. Also, it should be noted that most new rights and obligations are merely a logical continuation of the Data Protection Directive and the ever-tightening stance of courts on data protection. That said, the main changes can be summed up as follows:
1. Unified legislation
One set of rules will apply throughout the EU, though minor changes are still possible through national legislation. The GDPR applies not only to data controllers that have an establishment within the EU but also to data controllers that process the personal data of EU-located data subjects where such processing is related either to the offering of goods or services to EU-located data subjects or to the monitoring of their EU-located behavior. Unified internal documentation requirements (e.g., record of processing activities) replace varying notification and approval procedures with national agencies.
2. Clear consent
Consent must be given in an intelligible and easily accessible format, using clear and plain language, so that it is clearly distinguishable from other matters. This constitutes a tightening in some jurisdictions (UK) but not in others (Germany), which have already applied this threshold in the past.
3. Rights of data subjects
Similar rights of the data subjects and the corresponding obligations of the data controllers have been around for a while but have been rendered more precise. Data subjects are entitled to obtain detailed information from the controller to know which data the controller processes; to object to such processing; to obtain such data in a structured, commonly used and machine-readable format; and to have such data rectified and/or erased. When a personal data breach is likely to result in high risk to the rights and freedoms of natural persons, the processor must notify the data subject in clear and plain language without undue delay. (The processor must provide a similar data breach notification to the supervisory authority, too.)
4. Privacy by design and by default
Controllers must implement appropriate technical and organisational measures to ensure that data protection principles are taken into account as early as the development stage of services and products, and that, by default, only the personal data that is necessary for each specific purpose of the processing is actually processed. Measures include minimising the processing of personal data, pseudonymising personal data as soon as possible and transparency with regard to the functions and processing of personal data. Documentation and certifications will be key in this respect.
5. Data protection officer
You must appoint a data protection officer if i) you process personal data as a public authority, ii) your core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or iii) your core activities consist of processing a large amount of special categories of personal data (e.g., racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership and sexual orientation) or personal data relating to criminal convictions and offences. Again, while this is a new requirement for most states, it is not for others (Germany).
6. Increased control and penalties
The cooperation between national data protection agencies will be increased, including joint operations, and formalized by establishing a European Data Protection Board with the power to issue guidelines. The enforcement of data protection is ensured by draconian penalties of up to 20 million Euros or 4 percent of the worldwide annual turnover, in particular for violations of rights of data subjects.
The above is just a short overview of the main changes the GDPR entails. Certifications, such as ISO27001, will become even more important for documenting compliance with the requirements. Also, businesses set up in jurisdictions that have already mandated the same requirements, such as data protection officers in Germany, will have an advantage. There is still one year to go until the GDPR becomes applicable, but organizations should lose no time preparing. Ignoring the new GDPR requirements is the surest way to incur possibly devastating penalties.
DISCLAIMER – The materials appearing in this article do not constitute legal advice and are provided for general information purposes only.