The new General Data Protection Regulation (GDPR) has passed the finish line. Following formal adoption by the Council of the European Union on 8 April 2016, the European Parliament finalised the legislative process on 14 April 2016 by voting in favour of adopting the GDPR in a plenary session. The new rules are expected to be directly applicable in each EU Member State as of spring 2018.
The GDPR’s aim is to update and modernise the existing data protection rules. The most important changes compared with the current EU Data Protection Directive include, amongst others:
- a risk-based approach to compliance with data protection obligations, with companies having to implement measures reflecting the risks involved in their data processing operations
- a “one-stop-shop” mechanism for companies and individuals in dealing with national data protection authorities, which means, for instance, that a company active in several member states will in principle only have to deal with the supervisory authority of the member state of its main establishment
- data protection obligations becoming applicable to both controllers and processors
- more control for individuals over their personal data, including a new right to data portability
- expanded requirements to inform individuals about data processing operations in an easily accessible and easy-to-understand form, using clear and plain language
- introduction of data protection by design and by default
- new obligations to maintain a detailed record of processing activities and perform data protection impact assessments
- mandatory appointment of a data protection officer for organisations whose core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special categories of personal data
- mandatory notification of personal data breaches to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach
- changes to international data transfer rules, including binding corporate rules
- fines in case of infringement of up to 20 million euro or 4% of annual global turnover, whichever is higher
- a greater role for codes of conduct, establishment of certification mechanisms and data protection seals and marks
On 6 April 2016, the Council released the new text of the GDPR. This updated version does not contain any substantial changes compared with the previously published texts.
We recommend that companies carefully study the final text of the GDPR and start reviewing their overall data protection compliance now. It is important to complete the revision of internal processes, ranging from the collection of personal data to its retention and destruction, and to have solid policies and practices in place by spring 2018. These policies and practices should cover the assessment of risks related to data processing, data security and an adequate response to data breaches, mechanisms for compliant data transfers to third parties (including transfers outside the EEA), compliant privacy policies and notices to individuals, technical measures for implementing the right to data portability, and the handling of individuals’ complaints and data requests. Although the arrival of the new regulation has been expected for over four years, there is still a lot of work to do for most companies that have operations in, or directed at, Europe.