The General Data Protection Regulation (GDPR) was finally published in the Official Journal of the European Union on 4 May 2016. The implementation date has been confirmed as 25 May 2018.
From this date, any organisation established within the EU that is holding, storing or using personal data will be required to comply with the new rules.
The GDPR amounts to the biggest shake-up in data protection for over 20 years. The Regulation will replace national data protection laws across Europe, including the Data Protection Act 1998 (DPA).
The key changes include:
There is an increased focus on obtaining an individual's explicit consent before their personal data is processed, and allowing individuals to withdraw their consent at any time.
Individuals' rights: greater rights are given to individuals over their personal information, including:
(i) the right to be provided with more information about how their personal data will be used when it is being collected;
(ii) the 'right to be forgotten' or obtain the erasure of personal data;
(iii) increased rights of access, including a new right for individuals to have their personal data provided to them in a structured, commonly used format; and
(iv) a new right to transfer personal data from one data controller to another.
Expansion to processors
For the first time, data processors can be held liable for breaches in their own right, and obligations no longer fall solely on data controllers.
Data controllers and data processors will be required to retain records on what personal data is being processed and why. They must also record who may access that information, where that information is being held, the security measures implemented and how long that information will be held.
Subject access requests
The time period for complying with a subject access request is reduced from 40 days to one month.
The GDPR increases the maximum level of fines that can be levied for a breach of the rules to the greater of €20 million or 4% of an undertaking's total global turnover.
Data controllers are required to notify the Information Commissioner of a breach within 72 hours in certain circumstances. Notification may also be required to the individuals affected by a serious breach.
Data Protection Officer
A Data Protection Officer (DPO) with "an expert knowledge of data protection law" must be appointed where an organisation is undertaking regular monitoring of individuals, or large scale processing of information about an individual's racial or ethnic origins, political opinions, medical information and/or information about criminal convictions.
The GDPR will have a significant impact on all organisations in the European Union, as well as non-European organisations that provide goods and services in Europe. Now that the clock has started ticking, it is vital that organisations understand the impact of the Regulation on their activities, so that they can take steps to implement the changes.
The first step will be to carry out a data mapping exercise to identify all data flows within your organisation. In particular, the processing conditions relied upon will need to be reviewed and documented. Changes to systems and procedures are likely to be required and could take some time to implement.
If you have any queries or would like to discuss how we can help your organisation to prepare for the GDPR, please contact Alison Deighton on +44 (0)333 006 0160.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at May 2016. Specific advice should be sought for specific cases. For more information see our terms & conditions.