The European Union General Data Protection Regulation (GDPR or Regulation) provides the new regulatory framework for privacy and data protection in the EU and ushers in ambitious changes. It comes into effect on May 25, 2018 and replaces the 22-year-old Data Protection Directive. The Regulation modernizes, and strives to harmonize, the approach to privacy and data protection across the EU and applies automatically to all EU member states. The GDPR has a broader material and territorial scope than its predecessor and imposes massive fines for non-compliance. Below is an overview of the underpinnings of the GDPR. Each topic is addressed individually in greater detail here.
Scope
The GDPR applies to companies (1) established in the EU and to companies, regardless of where they are located, that (2) process personal data of individuals in the EU in connection with offering goods or services (even free) or that (3) monitor (track) behavior in the EU.
Parts of the GDPR apply directly to data processors who are subject to compliance requirements and sanctions for non-compliance Harmonization
Despite its effort to streamline data protection law across the EU, the GDPR still leaves room for Member States to introduce their own requirements in certain instances and this, together with the complex “one stop shop” provisions and some vague wording, leave questions about how the GDPR should be put into practice.
Penalties
The GDPR significantly raises the stakes for compliance by allowing fines of up to 4% of annual global turnover or €20 million (whichever is higher).
Principles
The data protection principles are revised but are broadly similar to the principles set out in the old Directive: fairness, lawfulness and transparency; purpose limitation; data minimization; data quality; security, integrity and confidentiality. But some new principles are codified in the GDPR such as:
Privacy and data protection by design and default is required. This means that both in the planning and the implementation phase of any processing activities or new product or service, Data Protection Principles and appropriate safeguards must be addressed and implemented.
Accountability, in the form of documentation of compliance with GDPR requirements, is mandated.
Individual Rights
The GDPR gives new rights to data subjects such as the right to data portability, the right to be forgotten and requires controllers to notify of third parties when a data subject exercises these rights. It also continues the right to object to processing, to access and rectification.
Consent
The requirements for obtaining consent are tightened to require a statement or a clear affirmative action, specific to the processing, that is informed and freely given. Silence, and pre-ticked boxes are not sufficient. Companies must respect data subjects’ right to withdraw consent.
Consent and Children
The GDPR requires parental consent for minors under 16 years old. This is a change from the previous threshold of under 13. Member states will be allowed to lower this requirement.
Breach Notification
The Regulation requires controllers to report a data breaches to the DPAs without undue delay and within 72 hours of becoming aware of the breach. In some instances, controllers must report breaches to data subjects. It also requires that processors notify controllers of a breach without undue delay.
Impact Assessments
The GDPR imposes a new obligation on data controllers and data processors to conduct an impact assessment (also known as a privacy impact assessment, or PIA) before undertaking any processing that presents a specific privacy risk by virtue of its nature, scope or purposes.
Data Protection Officer
Appointment of a data protection officer (DPO) is obligatory under the GDPR for controllers and processors whose core activities consist of processing:
(1) which requires regular and systematic monitoring of data subjects on a large scale; or
(2) special categories of data on a large scale.
Cross Border Transfers
Transfer of personal data to recipients outside the EEA is generally prohibited by the Regulation unless:
- the jurisdiction in which the recipient is located is deemed to provide an adequate level of data protection;
- the data exporter puts in place appropriate safeguards; or
- a derogation or exemption applies.
Regulators
European Data Protection Board was created as a super-regulator to ensure uniform approach to interpretation, enforcement and fines throughout EU. It will include the head of each national Data Protection Authority (DPA) and the European Data Protection Supervisor. This structure is essentially the Article 29 Working Party, which has already offered ample commentary on the Regulation.
The national Data Protection Authorities will also become forceful bodies under the GDPR as they have considerable political independence and both investigatory powers and corrective powers.
In the spirit of the “one-stop-shop” approach, companies engaging in cross boarder transfers may be under the primary supervision of a single DPA called a “lead authority” based on a company’s main establishment in the EU.
Access full text of the Regulation here.
Disclaimer: The information provided by the Insights Association is for informational purposes only and not for the purpose of providing legal advice. Please contact your attorney to obtain advice on specific issues or questions.