The EU General Data Protection Regulation (GDPR)
The final version of the EU General Data Protection Regulation (GDPR) is anticipated to be released in early 2016. Organisations should take action now to implement appropriate measures for improved data security.
The Regulation will enforce tough penalties – proposed fines of up to 4% of annual global revenue or €20 million, whichever is greater.
Below is a breakdown of the key changes proposed by the Regulation:
- If your business is not in the EU, you may still have to comply with the Regulation
Non-EU controllers (and possibly non-EU processors) that do business in the EU with EU data subjects’ personal data should prepare to comply with the Regulation. Although regulation beyond EU borders will be a challenge, those providing products or services to EU customers or processing their data may have to face the long arm of the law if an incident is reported.
- The definition of personal data will become broader, bringing more data into the regulated perimeter
The Regulation proposes that data privacy should encompass other factors that could be used to identify an individual, such as their genetic, mental, economic, cultural or social identity. Companies should take measures to reduce the amount of personally identifiable information they store, and ensure that they do not store any information for longer than necessary.
- Rules for obtaining valid consent will change
The consent document should be laid out in simple terms, and there is a proposal that the consent have an expiry date. Silence or inactivity should not constitute consent.
- The appointment of a data protection officer (DPO) may be mandatory
At the moment, there is still no agreement on the thresholds for appointing a DPO. There have been proposals to require a DPO for each company with more than 250 employees, and, in other instances, for companies that process the data of more than 5,000 data subjects a year.
- The introduction of mandatory privacy risk impact assessments
A number of proposals have suggested conditions under which a privacy risk impact assessment will be required. What seems to be clear is that a risk-based approach must be adopted before undertaking higher-risk data processing activities. Data controllers are likely to have to conduct privacy impact assessments to analyse and minimise the risks to their data subjects.
- The introduction of data breach notification regulations and changes in liability will have a profound impact on the supply chain
There is no obligation to notify authorities of data breaches under the current Directive, although there are some sector-specific requirements, such as those applicable to communications providers and ISPs under the E-Privacy Directive.
It is still unclear how prescriptive the final Regulation will be. In principle, there is an agreement that processors and controllers should be responsible for implementing effective technical and organisational security measures to protect individual data. In addition, the regulator should be notified of data breaches and, where the breach puts individuals’ data at risk, the data subjects should also be informed.
Processors will be required to alert and inform controllers immediately (or without undue delay) after a data breach. Although the exact timelines for breach notification are still unclear, these changes place a greater emphasis on supply chain data security. Regular supply chain reviews and audits will be required to ensure that suppliers and their security controls are fit for purpose under the new security regime.
The new Regulation clearly calls for more effective data breach investigation, categorisation, containment and response infrastructure.
New contracts being negotiated will need to be future-proofed for the Regulation. Parties will need to document their data responsibilities even more clearly, and the increased risk levels will impact negotiations on security standards, risk allocation and pricing.
- The right to be forgotten
The Regulation proposes that data subjects should have the “right to be forgotten”. This will also extend to search engines. The extent to which data controllers should be burdened with the responsibility of deleting information remains a subject of disagreement.
- The international transfer of data
Since the Regulation will also be applicable to processors, organisations should be aware of the risk of transferring data to countries that are not part of the EU. Non-EU controllers may need to appoint representatives in the EU.
- Data portability
Data portability is still a hotly debated subject, with many questioning how practical the proposed requirements for portability are. Data portability will allow a user to request a copy of personal data in a format usable by them and electronically transmissible to another processing system.
- Privacy by design
The current EU Directive does not include any clauses related to privacy by design. There are proposals that controllers must implement appropriate measures to ensure that processing protects the rights of the data subject, that only the minimum personal data will be processed, and that the data is not disclosed more widely than necessary. The essence of privacy by design is that privacy in a service or product is taken into account not only at the point of delivery, but from the inception of the product concept.