The EU General Data Protection Regulation (GDPR) will rip up existing data protection laws.
You don’t need to be a privacy practitioner to have noticed that data protection has seldom been out of the news in recent months. Whether it be legal or political wrangling over the abolishment of EU-US Safe Harbor, the UK’s “Snooper’s Charter” or one of the many recent high profile cyber hacks, privacy issues now regularly hit the headlines.
This trend shows no sign of slowing down either, especially with the new EU General Data Protection Regulation (GDPR). The GDPR is the most significant overhaul of EU data protection regulation in recent years; it is due to become law in May 2018 and will essentially rip up the existing legal framework.
Perhaps surprisingly, few companies are reported to have made efforts to bring themselves into line with the GDPR, despite the clock already running. Given that the new laws have extraterritorial reach and will catch companies that historically did not need to concern themselves with EU data protection law, this is somewhat unexpected.
So what exactly does this new law do, and what steps should companies caught by it be taking to ensure compliance?
What does the law say?
The new laws will replace the current EU Data Protection Directive 95/46/EC. As a Regulation and unlike the old law, the new laws will be directly applicable in all EU member states.
Key specific changes include the following:
- Accountability – crucially, those caught will be required to demonstrate compliance, e.g. (i) maintain certain documents; (ii) carry out Privacy Impact Assessments; (iii) implement Privacy by Design and Default (in all activities), requiring a fair amount of upfront work.
- Data protection officers (DPOs) – in many circumstances, those caught by the GDPR will also need to appoint DPOs, so thought will need to be given as to whether this applies and, if so, who that person or persons might be.
- Consent – new rules are also introduced relating to the collection of data, e.g. consent must be “explicit” for certain categories. Existing consents may therefore no longer be valid, and consents obtained should be purged going forward.
- Enhanced rights for individuals – new rights are introduced around (i) subject access; (ii) objecting to processing; (iii) data portability; and (iv) objecting to profiling, amongst others.
- Privacy policies – fair processing notices now need to be more detailed, e.g. new information needs to be given about these enhanced rights for individuals. Policies will therefore need updating.
- International transfers – Binding Corporate Rules for controllers and processors as a means of legitimising transfers are expressly recognised for the first time and so should be considered as a transfer mechanism.
- Breach notification – new rules requiring breach reporting within 72 hours (subject to conditions) are introduced, so the processes in place (or not) will need to be revisited to accommodate these rules.
Who has to comply?
All organisations operating in the EU will be caught by the new rules. Importantly, organisations outside the EU, like U.S.-based companies that target consumers in the EU, monitor EU citizens or offer goods or services to EU consumers (even if for free), will also have to comply.
The GDPR applies to both “controllers” and “processors”. In summary, this means that those currently subject to EU data protection laws will almost certainly be subject to the GDPR, and that processors (traditionally not subject) will carry significantly more legal liability under the GDPR than was the case under the prior Directive.
What should businesses be doing?
To ensure compliance, companies need to ensure that they have robust policies, procedures and processes in place. With the risk of heavy fines under the GDPR, not to mention the reputational damage and potential loss of consumer confidence caused by non-compliance, nothing should be left to chance. In terms of key first steps, companies might consider prioritising the following as a minimum:
- Review privacy notices and policies – ensure these are GDPR compliant. Do they provide for the new rights individuals have?
- Prepare/update the data security breach plan – to ensure the new rules can be met if needed.
- Audit your consents – are you lawfully processing data? Will you be permitted to continue processing data under the GDPR?
- Set up an accountability framework – e.g. monitor processes and procedures, train staff.
- Appoint a DPO where required.
- Consider whether you have new obligations as a processor – is your contractual documentation adequate? Review contracts and consider what changes will be required.
- Audit your international transfers – do you have a lawful basis to transfer data?
With the UK set to leave the European Union, there is much ongoing discussion about what the post-Brexit regulatory regime may look like. It is generally accepted, however, that after the UK leaves the EU, UK laws will nevertheless track the GDPR (e.g. via some form of implementing legislation or a new UK law which effectively mirrors the GDPR).
In other words, even if you are purely a UK company, or you are outside the UK and targeting UK consumers only, you should not ignore these changes on the basis that Brexit is some sort of get-out-of-jail-free card.
As May 2018 rumbles ever closer, the takeaway point is that companies need to start thinking about compliance now, before it is too late and before they are made an example of.
This piece was co-authored by Steven Farmer, Counsel, Pillsbury Law.