A new data protection landscape
After more than four years of discussion, the EU's new data protection framework has been announced. The General Data Protection Regulation (GDPR) will replace the current Directive on 25 May 2018 and will apply directly in all Member States. The new framework is much further reaching and imposes onerous obligations on businesses, so it is likely to have an immediate impact as businesses prepare for its implementation next year.
What you need to know
In its simplest form, the GDPR redefines what personal data (and how much of it) a business may hold, together with the responsibilities and duties the business has while holding it. Below we have outlined some of the key aspects of the new Regulation and how businesses can best prepare.
Expanded geographical reach
The GDPR catches businesses outside the EU who offer goods or services to, or monitor the behaviour of, EU data subjects. In practice this means that a company outside the EU which is targeting consumers in the EU will be subject to the GDPR.
Onerous accountability obligations
The GDPR places demanding accountability obligations on businesses including the maintenance of key documentation, data protection impact assessments and implementation of data protection by design and by default.
Data Protection Officers
Certain circumstances will require businesses to appoint a Data Protection Officer (the DPO). It is essential that you identify whether these circumstances apply to your business.
Consent
Consent must be "freely given, specific, informed and unambiguous" and requests must be in clear, plain language, separate from other terms. Businesses are required to be able to demonstrate that consent was given, and individuals must be able to withdraw consent as easily as they gave it.
Transparency
Businesses must continue to provide transparent information about how personal data will be used at the time the personal data is obtained.
Data breach notifications
Businesses are obliged to report personal data breaches to the relevant supervisory authority (in the UK, the Information Commissioner's Office) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. Where a breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.
Penalties
A tiered approach to penalties will be established, with fines at the top tier of up to 4% of annual worldwide turnover or €20 million (whichever is higher).
One-Stop-Shop
The 'One-Stop-Shop' mechanism is one of the key elements of the GDPR but is significantly more complicated than anticipated, as it distinguishes between cross-border and domestic processing. How the One-Stop-Shop will work in practice remains to be seen.
European Data Protection Board
An independent EDPB will be established to issue opinions and guidance, ensure consistent application of the GDPR and report to the European Commission.
Binding corporate rules
In order to legitimise intra-group international data transfers, the GDPR will expressly recognise binding corporate rules. These rules must be legally binding and must apply to, and be enforced by, every member of the group.
Rights of individuals
The rights of individuals were central to the new data protection framework, and these strengthened rights are clearly reflected in the legislation. Though the resulting obligations will often be difficult to manage in practice, it is essential that businesses implement clear processes to enable them to meet these obligations.
KEY QUESTIONS TO ASK YOURSELF
Which of the new obligations will apply to my organisation?
How does my current state of compliance compare with the standard required under the GDPR?
What changes do I need to make, how long will these take to implement and what are the likely costs?
8 things you should be doing now to prepare:
Prepare for data security breaches
Clear policies and well-practised procedures will enable your business to react quickly to a data breach, notify the relevant authorities within the required time and, where necessary, inform the affected individuals.
Accountability is key
If required, appoint a data protection officer. Ensure policies are clear and meet the required standards. Regularly monitor, review and assess data processing procedures. Check that all staff have received appropriate training and understand their obligations.
Establish ‘privacy by design’
Ensure that privacy is a core consideration when implementing new processing or deploying a new product.
Understand the legal basis
Consider the type of data processing you undertake and whether you rely on consent, as consent is just one of a number of different ways of legitimising a processing activity.
Check your privacy notices and policies
Information provided in these documents must be transparent, easily accessible and in clear and plain language.
Keep data subjects front of mind
Be prepared for data subjects to exercise their newly expanded rights, and remember that the burden of demonstrating compliance will fall on you.
Do you have new obligations as a supplier?
The first and most important considerations are the direct obligations imposed by the GDPR, which must be understood and built into policies, procedures and contracts. However, customers are likely to expect that your services are compatible with all the requirements of the Regulation (even those that do not directly affect your data processing).
Check international transfers
Always ensure that you have a legitimate basis for transferring personal data internationally (including intra-group transfers). Though this is not a new concern, the consequences of non-compliance could be severe.
If you have any questions about how the GDPR is likely to affect your business, please speak to your Account Director or contact our office directly.