Cathrine Ripley summarises the key changes to be introduced by the new general data protection regulation.
Since the data protection directive was introduced in 1995 there have been significant advances in information technology. To address these changes, a framework has been agreed to replace the 1995 directive – the general data protection regulation (GDPR) which is expected to come in to force in 2018.
Although it is still early days, what do you need to know and how will the changes impact on your business?
Scope of GDPR
A business, with or without a physical presence in the EU, will be within the scope of the GDPR if it offers goods or services to EU data subjects or monitors the behaviour of EU data subjects. Personal data for the purposes of the GDPR will now include biometric and genetic data where processed to uniquely identify a person.
Implications for businesses
Businesses that process data will have more obligations placed upon them. In particular, the obligations will be more stringent if the processing is frequent or the data is sensitive.
- Businesses that require the consent of a data subject to process data lawfully will require such consent to be freely given, specific, informed and unambiguous. For sensitive data consent must now be explicit.
- Business will bear the responsibility for assessing the degree of risk that processing poses to data subjects. However, low-risk processing will lead to fewer compliance obligations for companies.
- The GDPR will require businesses to record, in detail, any processing activities. For larger companies, the appointment of a data protection officer will be a mandatory requirement.
- Where there has been a breach of a data subject’s privacy, the data controller will be required to notify the Data Protection Authority (DPA) within 24 hours.
- Using a simplified approval process the DPA will be able to formally recognise binding corporate rules.
- Businesses that operate in multiple EU member states will now be able to deal with just one DPA acting as a lead authority.
Rights for data subjects
The new rights for data subjects will include the right to be forgotten, data portability rights and the right to object to automated decision making.
Enforcement of GDPR
To promote enforcement of the GDPR, the discretionary fines given to both data controllers and data processors found in breach of it will be increased significantly.
Certain administrative fines will be up to €20,000,000 or, 4% of global turnover, whichever is the higher.