This January, the European Commission unveiled a draft of new regulation to replace its Data Protection Directive.
The Data Protection Directive is a European Union Directive designed to regulate the processing of personal data within the EU. The legal act is part of EU privacy and human rights law.
The new law, the General Data Protection Regulation (GDPR), is designed to reinforce and unify data protection for those within the EU. It also has implications for exporting personal data outside the EU. It’s important to note that it is a regulation, as opposed to a directive, meaning that it will be directly applicable to all EU member-states. Enforcement comes on the 25th May, 2018 after a two-year transition period. Unlike a directive, it doesn’t require any enabling legislation to be passed by governments.
What are the key changes of GDPR?
Businesses not in the EU will still have to comply with the regulation.
Sorry Brexiteers, but even if you’re not in the EU, you are still obliged to follow the legislation if you do business in the EU with EU data subjects’ personal information. Any organisation providing products or services to EU customers, or processing their data, may face legal consequences if an incident is reported.
A single set of rules
One set of rules will apply to all EU member-states. Each member-state will launch an independent Supervisory Authority (SA) to deal with data protection. Each SA will cooperate with other member-states’ SAs. Businesses with multiple establishments in the EU will now only have to deal with a single supervisory authority, as only one SA will act as their ‘lead authority’.
This SA will function as a one-stop shop to supervise the activities of that business within the EU. A European Data Protection Board will coordinate the SAs. Businesses no longer have to deal with a separate authority for each EU member-state, which will make it simpler to do business within the European Union.
The definition of personal data will be broader
GDPR means that more kinds of data are now EU regulated. The scope of data privacy now includes other factors that could be used to identify an individual, such as their mental, genetic, social, cultural or economic identity. In order to comply, organisations should try to reduce the amount of personally identifiable material they keep, and ensure that no information is stored for longer than required.
Consent will be needed to process childrens’ data
Parental consent will be necessary to process the data of children under the age of 16. EU member-states may lower the age requiring parental consent to 13.
Changes to the rules for obtaining valid consent
The consent document now has to be laid out in simple terms. Consent to processing private data must be clear and affirmative; silence or inactivity cannot be used to imply consent.
Some countries will have to appoint a data protection officer
Article 35 of the GDPR states that data protection officers (DPOs) are mandatory for all public authorities. A DPO must also be appointed where the core activities of the controller or processor include “regular and systematic monitoring of data subjects on a large scale” or where the entity performs large-scale processing of “special categories of personal data”. This obligation doesn’t apply to organisations whose core business processes do not include data processing.
Compulsory privacy risk impact assessments
Data controllers will now be made to conduct privacy impact assessments where breach risks are high to analyse and minimise risk to their data subjects.
New data breach notification requirements
Data controllers will also have to report data breaches to their data protection authority unless the breach isn’t likely to pose a risk to the rights and freedoms of the data subjects. The notice has to be made within 72 hours of data controllers becoming aware of it unless a case can be made for exceptional circumstances.
In high-risk situations, the data subjects must be notified at some point. Regular reviews and audits will be necessary to determine if the supply chain is adequate.
Right to be forgotten
The right to be forgotten is a self-explanatory concept that arose as a result of data subjects who expressed wishes to "determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past."
The GDPR offers protection and exemption for organisations listed as ‘media’ companies such as newspapers and other news organisations. However, Google has deliberately withdrawn from being called a ‘media’ company, and is therefore not protected by the regulation.
EU judges ruled that Google should be classed as a ‘data controller’ as it deals with collecting and processing data. Such data controllers are required to remove data that is considered inadequate or irrelevant. The GDPR contains guidelines on when the right to be forgotten can be exercised.
Data processor responsibilities
Data processors will have legal responsibilities and obligations, and can be held responsible for data breaches. Contractual agreements will have to be updated, and specifying responsibilities and liabilities between the controller and processor will be required in future agreements. Parties will have to record their data responsibilities much more visibly, and the resulting increase of risk levels may affect service costs.
GDPR will allow users to request a copy of personal data in a format usable by them and electronically permissible to another processing system.
Privacy by design
Privacy by design embeds privacy into the design specifications of technologies, business practices and physical infrastructures, as opposed to only taking privacy into account at the point of delivery. GDPR also requires that controllers only collect data necessary to fulfil certain purposes, and disposing of it where they can.
Firms that do business within the EU trade bloc need to start preparing for this dramatic change to European trade. However, with adequate preparation, and if the new legislation works, it may harmonise data protection laws between EU member-state, bringing about the easier operation of commercial practices.