Updated Tuesday, August 30, 2016
In April 2016 the EU General Data Protection Regulation (GDPR) was formally adopted by the European Parliament and the Council. It entered into force in May 2016 and will apply in all member states from 25 May 2018, two years later.
The regulation represents the most significant development in data protection law since the EU Data Protection Directive (95/46/EC) in 1995. A “regulation”, unlike a “directive”, is directly applicable in all EU member states without the need for national implementing legislation. Its aim is to harmonise data protection law across all member states. In the UK it will supersede the Data Protection Act 1998.
The changes are designed to make sure that people’s personal information is protected – no matter where it is sent, processed or stored – even outside the EU. They will give people more control over their own personal data.
Benefits to companies
Many of these changes will add a significant burden to companies storing personal data, especially companies outside the EU. However, there are business benefits as well. The ‘one-stop shop’ mechanism streamlines cooperation between data protection authorities on issues with implications for all of Europe: a company with establishments in several member states will deal primarily with a single lead supervisory authority, rather than with up to 28. This gives businesses legal certainty, faster decisions from a single authority (eliminating multiple contact points), and less red tape.
This process started in January 2012, when the European Commission put forward its EU Data Protection Reform proposal, and it was delayed many times. On 15 December 2015, however, the European Parliament, Commission and Council reached an agreement which paved the way for final adoption.
- 27 April 2016 – Adoption
- 25 May 2018 – Date from which the regulation applies and is enforceable
What is changing?
Below are some of the primary changes over the previous European directive. Some of these points are already in place in various jurisdictions. Your own requirements for change may vary depending on your firm’s current procedures and jurisdiction.
One law throughout Europe, applied worldwide
The regulation replaces the 1995 Directive and the national laws that implemented it. Instead of dealing with 28 different national regimes when processing personal data in Europe, organisations will face one regulation that applies directly in every member state (although member states retain room to legislate in a few areas, such as employment data).
The regulation will also apply to non-EU organisations that process the data of individuals in the EU, where the processing relates to offering them goods or services or to monitoring their behaviour. This is true even if the organisation has no establishment in the EU. It will be a particularly tricky provision for many companies in the US, which has no comparable general data protection law.
The one-stop shop mechanism is potentially good news for law firms. Many law firms have clients in other countries and hold data around the world. Under the new regime, firms will only need to comply with one set of rules. In addition, many law firms use cloud services with data stored in the US. Under the previous regime it was, at times, unclear whether that data was being held in compliance with local law.
Note – On 6 October 2015, the Court of Justice of the European Union ruled (in Schrems v Data Protection Commissioner) that the Safe Harbor decision, which had allowed the transfer of EU citizens’ personal data to the US, was invalid. EU-based firms must now ensure that any transfer to a US cloud provider rests on another valid mechanism, most commonly the “model clauses” (standard contractual clauses): a standard form of contract, approved by the European Commission (EC), which parties can use to transfer or export personal data from Europe to third countries in accordance with the cross-border transfer requirements. Binding corporate rules are an alternative for transfers within a corporate group.
On 12 July 2016 the European Commission adopted a new agreement, the EU-US Privacy Shield, which allows US companies that self-certify with the US Department of Commerce (more than 4,000 had relied on Safe Harbor) to transfer data between Europe and the United States. The new safeguards include a greater say for Europeans on how their information is used, avenues of redress, including in American courts, when people believe companies or the United States government may have misused their data, and written assurances from American officials that government agencies will not indiscriminately collect and monitor Europeans’ data without cause.
At the time of writing it remains unclear whether Europe’s highest court will eventually overturn the pact, but legal experts say that such a case, if filed, would not be heard until late 2017 at the earliest.
Consent
Where processing relies on consent, Article 7 of the regulation sets the conditions that consent must meet. The burden of proving that consent was given lies with the data controller. If consent is given in the context of a written declaration which also concerns other matters, the request for consent must be presented in a manner clearly distinguishable from those other matters, in an intelligible and easily accessible form. Consent must also be as easy to withdraw as it was to give.
For law firms this means adding data consent forms to the process for onboarding clients and employees. These forms should explain what data is collected, why it is collected and how it is stored and processed. Consent is not the only lawful basis, however: where processing is necessary to perform the client engagement or to meet a legal obligation, those grounds are usually more appropriate than consent, which can be withdrawn at any time, and consent from employees is hard to treat as freely given because of the imbalance in the relationship.
Right of portability
This allows an individual to obtain a copy of the personal data they have provided to a controller in a structured, commonly used and machine-readable format, and to have it transmitted directly to another controller where that is technically feasible. It applies to data processed by automated means on the basis of consent or a contract. Separately, the right of access lets individuals ask how their data is processed and stored, and for what purposes.
Right to be forgotten
Article 17 of the regulation (the right to erasure) states that when an individual no longer wants their data to be processed, and provided that there are no legitimate grounds for retaining it (such as a legal obligation or the defence of legal claims), the company or firm storing the data must delete it without undue delay. Where the data has been made public, the controller must also take reasonable steps to inform other controllers processing it that erasure has been requested.
Right to know when you are hacked
Companies and organisations must notify the national supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to put individuals at risk; a late notification must explain the delay. Where the breach is likely to result in a high risk to individuals, the organisation must also communicate it to the affected data subjects without undue delay so that they can take appropriate measures. Processors must report breaches to the controller without undue delay, and every breach, whether notified or not, must be documented internally.
Privacy by design
Privacy by design means that each new service or business process that makes use of personal data must build the protection of that data into its design from the outset, rather than adding it afterwards; the regulation gives pseudonymisation and data minimisation as examples of suitable measures.
Privacy by default
Organisations must ensure that, by default, privacy settings are set to the most protective level. Only personal data that is needed for a specific purpose should be collected and retained, and only for the minimum time necessary for that purpose. In particular, personal data must not by default be made accessible to an indefinite number of people, and no manual change to the privacy settings should be required on the part of the user to achieve this.
Data protection officer
The Commission’s 2012 draft proposed that every business with more than 250 permanent staff appoint a Data Protection Officer; that threshold did not survive into the final text. Under the regulation as adopted, a DPO is mandatory for public authorities, for organisations whose “core activities” “consist of processing operations which … require regular and systematic monitoring of data subjects on a large scale”, and for organisations whose core activities involve large-scale processing of special categories of data (such as health data) or of criminal conviction data. Member states may require DPOs more widely, and any organisation may appoint one voluntarily.
DPOs should have “expert knowledge of data protection law and practices”. They should arrange data protection training for staff, monitor compliance, and liaise with regulators over personal data breaches. The draft’s minimum two-year term was also dropped; the final text instead requires that the DPO not be dismissed or penalised for performing their tasks. A DPO may be an internal employee or a person external to the organisation. In either case the organisation must ensure that the DPO is “in a position to perform their duties and tasks independently” and reports to the highest level of management.
The following sanctions can be imposed for non-compliance:
- A warning in writing in cases of first and non-intentional non-compliance
- Regular periodic data protection audits
- An administrative fine of up to €10,000,000 or 2% of annual worldwide turnover for the lower tier of infringements, and of up to €20,000,000 (£15.3m) or 4% of annual worldwide turnover for the more serious tier, whichever is greater in each case
Five steps to prepare
- Get your privacy policies, procedures and documentation in order and keep them up to date: data protection authorities can ask for them at any time, and most organisations must keep a written record of their processing activities (Article 30). Prepare your organisation to fulfil the “right to be forgotten” and the “right to data portability” requirements.
- Form a governance group that oversees all of your privacy activities, led by a senior manager or executive. Appoint a data protection officer if the regulation requires one for your activities, and consider doing so voluntarily if it does not. The group should develop metrics to measure the status of privacy efforts and report regularly, so that the organisation can demonstrate compliance when a supervisory authority asks.
- Implement a breach notification process and enhance your incident detection and management processes. A breach likely to put individuals at risk must be notified to the relevant data protection authority within 72 hours of discovery where feasible, so the process needs a decision owner, a risk-assessment step and a documented record of every breach, including those judged not to need notification.
- Perform an audit of your external data processors and cloud storage vendors. Ask them for copies of their data protection policies, confirm that they practise “privacy by design” and “privacy by default”, and check that your contracts with them contain the processor terms the regulation requires (processing only on your documented instructions, confidentiality, appropriate security measures, prior approval of sub-processors, assistance with breach notification and data subject requests, and deletion or return of the data at the end of the contract).
- Review whether your forms of consent are adequate: consent must be freely given, specific, informed and unambiguous, and explicit for special categories of data. Implied consent can no longer be relied on, and consent is unlikely to count as freely given where there is a clear imbalance between the data subject and the data controller, as between an employee and an employer. If you use personal data for direct marketing, you must offer the data subject a clear right to object to that processing, and an objection must be honoured without exception.
Challenges to Adoption
There are many challenges to adoption, including:
- The implementation of the GDPR will require comprehensive changes to business practices for companies that had not implemented a comparable level of privacy protection before the regulation entered into force (especially non-European companies handling EU personal data).
- There is already a shortage of privacy experts and knowledge today, and the new requirements may worsen the situation. Education in data protection and privacy will therefore be a critical factor for the success of the GDPR.
- Data protection authorities must be given sufficient resources and powers to enforce the regulation, and a uniform level of data protection has to be agreed upon by all European DPAs, since differing interpretations of the regulation could still lead to different levels of privacy in practice.
Brexit will not affect data protection laws in the short term
There has been a lot of confusion and fear mongering around the implications of Brexit for data protection law.
However, despite the current media frenzy, nothing will actually change in the short term. The Data Protection Act 1998 is an Act of the UK Parliament and remains the law of the land regardless of the UK’s EU status. The ICO made this point clear when it released a prompt statement on 24 June 2016:
“The Data Protection Act remains the law of the land irrespective of the referendum result.”
In other words, for at least the next two years there will effectively be no changes to data protection laws.
- Information Commissioner’s Office guidance on GDPR
- EU data protection page
- EU data protection news room
- The regulation