The General Data Protection Regulation (GDPR) was adopted by the EU in April 2016 and will replace the current EU Data Protection Directive 95/46/EC. The GDPR introduces new obligations for data controllers and data processors, including those based outside the EU. Given that infringement can lead to fines of up to 4% of annual worldwide turnover or €20 million, whichever is higher, companies should assess how the GDPR will affect them and prioritise their preparations so that they are compliant when it applies from 25 May 2018.
The GDPR harmonises data privacy rules across the EU. Its extraterritorial effect means that it will also apply to non-EU data controllers and processors that offer goods or services to, or monitor the behaviour of, individuals located in the EU. The Regulation will affect many industries, particularly financial services, where firms tend to hold large volumes of personal data.
There are many aspects to consider to ensure full compliance. For example, consent for the use of personal data must be freely given for specific purposes, and individuals will have the right to request details of the information held about them and to have that data deleted. Some organisations will need to carry out assessments, ensure effective procedures are in place and designate a Data Protection Officer to meet the new accountability requirements. These and other aspects are reviewed in further detail throughout the site.
The General Data Protection Regulation (GDPR) will replace the current EU Data Protection Directive 95/46/EC following agreement of the new framework by the European Commission, the Parliament and the Council. As a Regulation rather than a Directive, it applies directly in all EU Member States without national implementing legislation, and it will apply from 25 May 2018. The GDPR brings harmonisation by applying the same set of data protection rules across the EU.
The GDPR will apply to data controllers (who determine the purposes and means of processing and typically own the customer relationship) and data processors (who handle data on the controller's behalf) for personal data relating to individuals in the EU, across all industries. Unlike the Directive, it is not limited to EU citizens: it covers anyone located in the EU. The new Regulation will therefore affect organisations within the EU, as well as those located elsewhere that have operations in the EU or that offer goods or services to, or monitor the behaviour of, individuals in the EU.
As the GDPR introduces a number of obligations, firms should be aware of the new requirements and be prepared for when it applies. The potential fines for infringement are substantial: up to 4% of annual global turnover or €20 million, whichever is higher.
Where firms rely on consent, it must be freely given, specific, informed and unambiguous, tied to the stated purposes for which the data is used, and explicit consent is required for special categories of data. Personal data may not be kept longer than is necessary for those purposes. Individuals will have the right to request a copy of all data held about them, including an explanation of how the data is used and whether it is shared with third parties. Individuals may also ask for the data they have provided to be transferred to another controller in a commonly used, machine-readable format (data portability). They will have the right to withdraw consent at any time and to request the deletion of data that is no longer needed. Individuals who suffer damage as a result of an infringement of the GDPR can claim compensation from the controller or processor responsible.
Controllers and processors must implement security measures appropriate to the risk, such as encryption, ensuring the ongoing confidentiality, integrity and availability of data, and regularly testing and evaluating the effectiveness of the measures in place. The GDPR introduces the concept of 'pseudonymisation' as one such measure: processing personal data in such a way that it can no longer be attributed to a specific individual without the use of additional information, where that additional information is kept separately and protected by technical and organisational measures. Pseudonymised data is still personal data, since the individual can be re-identified by whoever holds the additional information, but it reduces the risk to individuals if the main data set is exposed.
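As an added illustration of the pseudonymisation concept described above (example code written for this page, not part of the original text or of any regulatory guidance), the following Python replaces a direct identifier (an e-mail address) with a keyed HMAC-SHA256 token. The key is the "additional information" that must be held separately from the data store: records can still be joined and aggregated per individual without the key, but re-identifying a token from a list of guessed e-mail addresses only succeeds for whoever holds the key. The sample records are constructed for the example; the function names and the choice of HMAC-SHA256 are this example's own assumptions, not requirements stated by the GDPR.

```python
"""Keyed pseudonymisation of direct identifiers (added example, not from the page).

Shows the GDPR idea of pseudonymisation: pseudonymised records can be processed
and joined without revealing who the data subject is, and re-identification
requires additional information (here, a secret key) kept separately from the data.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (hypothetical customers, not real data).
RECORDS = [
    {"email": "alice@example.com", "plan": "gold", "spend": 120.0},
    {"email": "bob@example.com", "plan": "basic", "spend": 15.5},
    {"email": "alice@example.com", "plan": "gold", "spend": 80.0},
]


def pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, hex) for one identifier.

    Deterministic so the same person maps to the same token across records
    (joins and per-subject aggregation still work); keyed so that, without the
    key, an attacker cannot recompute the mapping from a list of likely inputs.
    Identifiers are normalised first so "Alice@Example.com " and
    "alice@example.com" yield the same token.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier. NOT adequate pseudonymisation for
    low-entropy identifiers such as e-mail addresses, because anyone can
    recompute it from a guessed identifier (a dictionary attack)."""
    return hashlib.sha256(identifier.strip().lower().encode("utf-8")).hexdigest()


def pseudonymise(records, key: bytes):
    """Return copies of the records with the e-mail replaced by a 'subject' token."""
    out = []
    for record in records:
        copy = dict(record)
        copy["subject"] = pseudonym(copy.pop("email"), key)
        out.append(copy)
    return out


def spend_by_subject(pseudo_records):
    """Aggregate spend per pseudonym; this needs no knowledge of who anyone is."""
    totals = {}
    for record in pseudo_records:
        totals[record["subject"]] = totals.get(record["subject"], 0.0) + record["spend"]
    return totals


def dictionary_attack(token: str, candidates, key: bytes = None):
    """Try to re-identify a token by hashing a list of guessed identifiers.

    Without the key the attacker can only try the unkeyed hash, which matches
    unkeyed tokens but never keyed ones. With the key (i.e. as the controller
    holding the separately stored additional information) the keyed token is
    reversed by the same guessing step, which is exactly why the key must be
    kept apart from the pseudonymised data set.
    """
    for candidate in candidates:
        guess = pseudonym(candidate, key) if key is not None else unkeyed_hash(candidate)
        if hmac.compare_digest(guess, token):
            return candidate
    return None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # hold this separately from the data store
    pseudo = pseudonymise(RECORDS, key)
    print(spend_by_subject(pseudo))
    guesses = ["alice@example.com", "carol@example.com"]
    print(dictionary_attack(unkeyed_hash("alice@example.com"), guesses))  # alice@example.com
    print(dictionary_attack(pseudo[0]["subject"], guesses))               # None
    print(dictionary_attack(pseudo[0]["subject"], guesses, key))          # alice@example.com
```

The key is generated with `secrets.token_bytes` and, in a real deployment, would live in a key management service or HSM rather than alongside the records; rotating it changes every token, so joins across data sets pseudonymised under different keys are deliberately impossible without the controller's involvement.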
Personal data breaches that are likely to result in a risk to the rights and freedoms of individuals must be notified to the supervisory authority (DPA) without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach; a late notification must explain the reasons for the delay. Where the breach is likely to result in a high risk to individuals, the affected individuals must also be informed without undue delay. Processors must notify their controller of any breach without undue delay, and controllers must keep a record of all breaches, including those that did not require notification.
The international data transfer rules of the Data Protection Directive are largely maintained in the GDPR. Personal data can be transferred freely to countries outside the EU that the Commission has found to provide an 'adequate' level of protection; the Commission publishes the list of countries for which an adequacy decision has been adopted or withdrawn. Transfers to other third countries may still proceed on the basis of appropriate safeguards, such as standard data protection clauses in a data transfer agreement or binding corporate rules within a group, or under one of the limited derogations such as the individual's explicit consent.
Data controllers will have accountability obligations under a risk-based approach: maintaining records of their processing activities, carrying out a data protection impact assessment where processing is likely to result in a high risk to individuals, building data protection into systems by design and by default, and ensuring effective procedures are in place to handle the relevant risks. Controllers must be able to demonstrate their compliance with the GDPR, not merely assert it.
Organisations whose core activities consist of regular and systematic monitoring of individuals on a large scale, or of large-scale processing of special categories of data (such as health data) or data relating to criminal convictions, as well as all public authorities, will need to designate a Data Protection Officer (DPO). A group of undertakings may appoint a single DPO, provided the DPO is easily accessible from each establishment.
There will be a 'one-stop shop' system for companies established in multiple EU Member States: the DPA of the main establishment acts as lead supervisory authority and cooperates with the other DPAs concerned. An independent European Data Protection Board, composed of the heads of the national DPAs, will be established to issue guidance on compliance with the GDPR, resolve disputes between DPAs and publish an annual report on its activities.
Many firms already have data protection policies and procedures in place. It would be beneficial for firms to review these against the GDPR requirements and implement any changes in advance, and in particular to confirm that their systems can locate all data held about an individual and handle client requests such as access, portability and deletion within the required timescales.