After almost four years of debate, the European Commission, Parliament and Council finally reached political agreement on the proposed General Data Protection Regulation (the "GDPR") in December 2015.
The final official text of the GDPR has yet to be released and is currently still subject to legal-linguistic review. However, a compromise text has been made available on the European Parliament's website (the "Compromise Text") and, whilst there may be some tweaking around the edges before the final version is published in the Official Journal, this offers a good insight for organisations as to what will be required of them when the GDPR finally comes into effect.
Our TMT team's eBulletin gives an overview of what has been agreed in relation to some of the key compliance issues for organisations, including data security and sanctions, which are relevant not only from a pure data protection compliance perspective but also in the broader context of data issues and cyber security.
Business Impact Summary
- Extra-territoriality – the GDPR will extend to data controllers located outside of the EU who offer goods and services to EU citizens or monitor their behaviour.
- Fair Processing Information – the GDPR will require data controllers to provide more information to data subjects in their fair processing notices.
- Consent – consent will need to be freely given, specific, informed and unambiguous, involving a clear affirmative action on behalf of the data subject.
- Rights of the Data Subjects – the GDPR will provide more transparency for data subjects with respect to the processing of their data, as well as enhanced rights to have data rectified, deleted or restricted, or to object to its processing. There will be additional obligations on data controllers when dealing with subject access requests, save that manifestly unfounded or excessive requests may be refused.
- Controller/Processor Accountability – the GDPR will give statutory recognition to best practice concepts such as data protection by design, imposing greater accountability on data controllers, as well as placing data processors on the hook for certain regulatory liability for the first time.
- International Transfers – binding corporate rules will be given statutory recognition; criteria for adequacy decisions are set out, and new possibilities for adequate protection are provided in the form of codes of conduct and certifications.
- Data Protection Officer – the mandatory appointment of a data protection officer for organisations will be restricted to limited circumstances involving sensitive personal data or the monitoring of data subjects.
- Security – the GDPR will set out slightly more detailed requirements for the security of data, but the responsibility for determining appropriate security measures will remain with the data controller.
- Data Breaches – the GDPR will introduce a new mandatory requirement for data controllers to notify the regulatory authority of personal data breaches.
- Sanctions – the GDPR will provide for two tiers of sanctions, with maximum fines of up to EUR 20 million or 4% of annual worldwide turnover, whichever is greater.
- Guidance, Codes of Conduct and Certifications – the GDPR sets out certain areas where we can expect, or hope, to see either further guidance in the future from the new European Data Protection Board, or potentially the development of approved Codes of Conduct and/or certification mechanisms.