The current EU data protection regime is based on the Data Protection Directive (95/46/EC), introduced over 20 years ago. Since then, there have been significant advances in the way in which individuals and businesses share information and keep information secure, meaning that the current legislation is largely out-of-date.
The EU’s legislative bodies have prepared a draft update to the data protection law, the General Data Protection Regulation (GDPR). The European Parliament and the Council of the European Union have reached an informal agreement on the GDPR and this is due to be formally adopted in the early half of 2016. It is likely that these changes will take effect some time in 2018.
Importantly, the GDPR introduces new potential penalties for non-compliance – in future, a failure to comply could result in a fine of up to 100 million euros, or 2-5% of annual turnover (whichever is greater).
Whilst 2018 sounds like a long time in the future, in reality businesses should start planning now to make sure they are able to comply with the new rules and avoid the possible consequences of failure to do so.
Whilst many of the existing core concepts will remain the same, we have set out a summary of 8 practical steps you can be taking now to prepare for the changes:
- Prepare for data security breaches – ensure that you have clear data protection policies in place that are aligned with the GDPR. For example, it is likely that the GDPR will require businesses to notify the Data Protection Authority of any data breaches ‘without undue delay’, where the breach has the potential for serious harm. You should react quickly to any data breach and notify where required.
- Establish a framework for accountability – create a practice of monitoring and assessing your data processing procedures. You should also address the issue of keeping information simply because a policy has not been set up to dispose of it, when that information is no longer needed. You should also review your policies and check that your staff are trained to understand and carry out their obligations.
- Privacy by design – take data protection requirements into account from the inception of any new technology, product or service that involves the processing of personal data. You should also conduct data protection impact assessments to identify privacy risks in new products. These practices should be considered early in the process of any new product or service.
- Analyse the legal basis on which you use personal data – In terms of any consent required for the processing and storage of personal data, you should note that consent must be freely given, specific, informed and ‘explicit’. If the requirement for explicit consent is adopted in the GDPR and in the event that you rely on consent, you will need to carefully review your policies and practices to ensure that any consent you obtain is explicit.
- Check your privacy notices and policies – you should review your existing privacy notices and policies and ensure that these notices and policies are updated to comply with GDPR. A requirement of GDPR is that your policies are clear, transparent and easily accessible.
- The rights of data subjects – ensure that you understand the rights of data subjects. For example, data subjects have the right to request that businesses delete their personal data in certain circumstances. You will need to devote additional time and resources to ensuring that these issues are appropriately addressed. Deletion of personal data is not always straight forward and you should give some consideration to this. The burden of proof to demonstrate that your grounds to override the interests of the data subjects lies with you.
- New obligations of data processors – if you are a supplier to others, consider whether you have new obligations as a processor. The GDPR introduces direct compliance obligations for processors and fines of up to 100 million euros, or 2-5% of annual turnover (whichever is greater) have also been introduced. You should review your existing data processing agreements to ensure that you have met your compliance obligations under the GDPR. It is also worth documenting your responsibilities when obtaining data processing services from a third party.
- Cross-border data transfers – ensure that you have a legitimate basis for transferring personal data to jurisdictions that are not recognised as having satisfactory data protection regulation. You should ensure that your agreements are aligned with the GDPR as the changes may require you to restructure cross-border data transfer arrangements. These changes will require a significant amount of time to implement, so you should plan ahead.
The GDPR will be directly applicable across the EU without the need for national implementation. Whilst the UK’s vote on the EU referendum is still pending, you should note that any business operating within the EU, even if it is based outside of it, will still have to comply with the new regulations.
Whilst it is beneficial for business to refer to one set of regulations for all the European countries in the Union, it is important that you set up your own structure for data protection that will handle the requirements of the new GDPR.
If you have any questions arising from this article or would like further information on the GDPR, please get in touch with a member of our Commercial team.