General Data Protection Regulation passed by European Parliament
The clock is now ticking for data controllers and processors inside and outside the EU to prepare for the new uniform data protection regime.
On 14 April 2016 the European Parliament gave final approval to the General Data Protection Regulation (GDPR), bringing about a process of reform that started with consultations in 2009. The GDPR will have direct effect in all Member States, scheduled to be in Summer 2018, two years and twenty days after the date of its publication in the Official Journal of the EU.
The GDPR will replace the Data Protection Directive (Directive 95/46/EC) and all national implementing laws, including the Data Protection Act 1998 in the UK. The GDPR will result in a uniform data protection regime across all Member States, improving protections for individuals (data subjects) whilst increasing the obligations of organisations which collect and handle personal data themselves (data controllers) or on behalf of others (data processors).
Key provisions include:
- Significantly higher fines: Regulatory fines for certain breaches set at a maximum level of €20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year (Article 83).
- Extraterritorial effect: The GDPR purports to apply to the processing of the data of subjects within the EU (for the purposes of offering goods and services or monitoring behaviour) by controllers or processors not established within the EU (Article 3(2)). Where this applies, the controller or processor is required to designate in writing a representative within the EU (Article 27).
- Direct obligations on data processors: Data processors as well as data controllers will now have direct regulatory obligations and will be subject to fines and other enforcement action for breaches.
- Accountability: There is a new overarching requirement for data controllers to demonstrate that their processing activities comply with the data processing principles set out in the GDPR. In practice this will require more comprehensive record-keeping and other measures. Certain businesses will also need to appoint a data protection officer who satisfies mandated requirements.
- Breach notification requirements: Controllers must, within 72 hours of becoming aware, notify all personal data breaches to the supervisory authority unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Processors must notify controllers of such breaches without undue delay (Article 33). If the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also communicate the personal data breach to the affected data subjects without undue delay (Article 34).
- Data protection by design and by default: Controllers must implement appropriate technical and organisational methods, such as pseudonymisation, to meet data protection principles (Article 25).
- Right to erasure: Data subjects may require erasure of personal data for reasons including where it is no longer necessary, consent is withdrawn or it has been unlawfully processed (Article 17).
- Data portability: Data subjects will have the right to receive personal data concerning themselves from controllers in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller (Article 20).
It is not all doom and gloom for data controllers and processors. As well as harmonising the law for companies across all Member States, certain provisions will also make matters simpler:
- One-stop shops for regulation: As a default, controllers or processors with a main or single establishment in one Member State, but processing across borders within the EU, will account to that state’s data protection regulator as lead supervisory authority, instead of regulators for each state concerned (Article 56).
- International data transfers: These will be simplified by making it easier to obtain binding corporate rules (Article 47) and by the development of data protection certification mechanisms and seals (Article 42), which may constitute appropriate safeguards for transfers to third countries or international organisations (Article 46).
WAB Comment
The changes introduced by the GDPR are far-reaching and organisations across the world will need to be aware of their requirements for processing the data of EU data subjects. The increased fines for breach underline that need. The above summary only highlights a few key issues; at 261 pages, the legislation contains much that is either entirely new or marks an evolution of what went before.
The Information Commissioner’s Office in the UK has already suggested 12 practical steps that data processors and controllers should take now to prepare for the GDPR. If you would like to discuss the effect of the reforms on your business, please contact our Data Protection specialists Nick Mathys and Nicholas Mitchell.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.