General Data Protection Regulation: Are you ready?
'Businesses should check their procedures for deleting data that is no longer adequate, necessary, up to date and accurate.'
After four years of negotiations, the General Data Protection Regulation (the GDPR) was formally adopted by the European Parliament on Thursday 14 April 2016. Although it is not expected to come into force until Spring 2018, now is the time for businesses to start their preparations for the GDPR. In our latest Data and Privacy Update we look at ten key changes GDPR will introduce for businesses.
- Fines – monetary penalties under the GDPR are up to the greater of €20 million or 4% of total worldwide annual turnover. The risks of non compliance have significantly increased.
- Risk based approach – the GDPR removes the obligation for data controllers to notify or ‘register’ with their local data protection authorities. Instead, both controllers and processors are required to maintain detailed records of their processing activities.
- Data Protection Officers – businesses must designate a Data Protection Officer if their core business activities involve regular and systematic monitoring of data subjects on a large scale. Corporate groups may appoint one DPO across the group.
- Consent – consent must be freely given, specific, informed and an ‘opt out’ approach will not be sufficient. It will no longer be possible to embed consent clauses in lengthy terms and conditions.
- Children – the GDPR entitles member states to set threshold age for consent anywhere between 13 and 16 (with the default being 16). For children below that age, organisations will be required to take ‘reasonable steps’ to verify that consent has been given by a parent or guardian, ‘taking into consideration available technology’. Businesses should start thinking now how to put systems in place to verify online users’ ages.
- Notifying data breaches – Data controllers will have to notify their relevant supervisory authority (in the UK, the ICO) of any personal data breaches without delay and within 72 hours of the breach occurring. The only exception is where the breach is not likely to result in a risk to the rights and freedoms of the affected individuals: but expect the exception to be applied narrowly!
- ‘Right to be forgotten’ – data subjects will have enhanced rights to require the data controller to delete data. Businesses should check their procedures for deleting data that is no longer adequate, necessary, up to date and accurate.
- Data processors – currently responsibility for compliance with data protection legislation lies with the data controllers and data processors have largely escaped risk or censure. The GDPR imposes a number of new obligations on data processors, and introduces the risk of monetary penalties and claims from data subjects for non-compliance.
- The ‘one stop shop’ where a data controller or processor carries out processing activities across multiple EU territories, it will be accountable only to one ‘lead’ supervisory authority (ie the supervisory authority of the member state in which the controller or processor has its ‘main establishment’).
- Extraterritorial scope – even if they are not ‘established’ in the EU, businesses will be subject to the GDPR, if they offer goods and/or services to EU data subjects or they monitor behaviour of EU data subjects.
15 Apr 2016