Introducing our series of guides to the EU General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018. So businesses have just over 17 months to get to grips with the changes and ensure that their policies, procedures, systems and processes are compliant with the new regime. In the run-up to implementation, Walker Morris will be producing regular guides to steer businesses through the key provisions and offer practical tips on planning ahead and making sure they are compliant by 25 May 2018.
What is the GDPR?
The GDPR will replace the existing data protection regime. It is a piece of EU legislation which aims to:
- harmonise data protection laws by the creation of an EU-wide single legal framework
- recognise and embrace technological advances for businesses and
- strengthen citizens’ fundamental data protection rights.
The GDPR applies to both data controllers and data processors operating within the EU. Importantly, non-EU data controllers and data processors are also within its scope if they offer goods or services to or monitor the behaviour of EU data subjects.
The GDPR is a Regulation – not a Directive – which means that it applies uniformly across all 28 EU Member States (subject to limited national derogations) and does not require individual Member States to implement domestic legislation.
25 May 2018 is the key date – there will be no transitional arrangements. Businesses must therefore be compliant with the GDPR when it comes into force on 25 May 2018.
What about Brexit?
The government confirmed in late October 2016 that, for data protection at least, Brexit doesn’t mean Brexit and the UK will be implementing the GDPR. It is unclear at this stage what changes if any will be made to data protection laws once the UK leaves the EU. The Information Commissioner recognises that there may still be questions as to how the GDPR will work post-Brexit, and has said that the Information Commissioner’s Office (ICO) “will be working with government to stay at the centre of these conversations about the long term future of UK data protection law…”
What are the key changes?
- Increased enforcement powers: A two-tier system will introduce:
  - fines of up to 2% of annual global turnover or €10 million, whichever is the greater, for violations relating to certain administrative data protection failings
  - fines of up to 4% of annual global turnover or €20 million, whichever is the greater, for violations relating to certain more fundamental failings, such as breaches of data protection principles and data subject rights.
- Appointment of Data Protection Officer (DPO): This will be mandatory for public authorities and organisations carrying out large scale systematic monitoring of data subjects or large scale processing of special categories of data (i.e. sensitive personal data). The DPO must be a data protection law expert.
- Record keeping: Businesses will be required to maintain detailed records of their data processing activities. This is part of the greater emphasis on accountability and transparency.
- Direct obligations for data processors: These will be enforced through the levying of fines and other penalties. Data processors will be liable to compensate individuals whose rights have been infringed.
- A ‘one stop shop’: Businesses operating in more than one Member State will interact with a single national Data Protection Authority as their lead supervisory authority.
- Enhanced data protection rights: Individuals will have greater rights which will see changes to the Subject Access Requests (SARs) regime and the introduction of new rights, namely the right to be forgotten, the right to object to profiling and the right to data portability. Consent to processing will also be harder to obtain.
- Privacy by design and by default: This is a new concept which is intended to ensure that data protection issues are taken into account as a matter of course. The new rules require organisations to implement privacy both by design (so data protection safeguards are built into all processing activities) and by default to ensure that the minimum amount of data is processed.
- Data breach notifications: There will be a new obligation for data controllers to notify data breaches to the ICO without undue delay and where feasible within 72 hours of becoming aware of the breach.
What about international data transfers?
There are no material changes in this area. Existing Commission decisions on adequate safeguards/levels of protection for cross-border transfers of EU personal data will continue to apply until they are amended, replaced or repealed.
Much has been written recently about the legal challenges to the EU-US Privacy Shield (the framework for transatlantic exchanges of personal data for commercial purposes which replaced the ‘Safe Harbor’ regime) and the uncertainty over the future validity of the EU Model Clauses (an alternative transfer mechanism for transferring data to any third country, not just the US). For more information see our recent newsflash EU-US Privacy Shield challenged before the European court and the Data Protection section of our Regulatory round-up – November 2016.
There is no immediate impact on data transfers to the US or any other third country and Walker Morris will continue to monitor and report on developments in this area.
So, what should businesses be doing now?
Given the increased level of fines, businesses now have 20 million reasons for getting compliance with the GDPR right.
The key to compliance is:
- ensure you understand in detail how you currently deal with personal data;
- ensure you understand how the new requirements will impact your business; and
- develop a comprehensive compliance strategy including an implementation timetable to ensure that you are ready for 25 May 2018.
The best place to start is by carrying out a full information audit to identify, amongst other things, what personal data is collected, how it is processed, where it is stored, the security measures which are in place to protect the data and how long data is retained.
Using the results of the audit businesses should carry out a gap analysis to identify what needs to be done to bring the existing policies, procedures, systems and processes into line with the requirements of the new regime.
The outcome of the information audit and the gap analysis should form the building blocks of the business’ GDPR compliance strategy. As changes to systems and processes can require a significant lead-in time, it is important that the strategy includes a timetable to ensure that businesses are able to meet the deadline of 25 May 2018.
Each of our upcoming guides will focus in more detail on a key aspect of the GDPR, offering practical tips as businesses prepare for implementation.
If you have any queries or concerns relating to the new legislation, or if you would like advice and assistance with undertaking an information audit and gap analysis exercise, please do not hesitate to contact Jeanette Burgess, Andrew Northage or any member of Walker Morris’ Regulatory and Compliance Team.