Businesses both within, and transacting with, the EU need to plan to manage the significant impact and major penalty regime of the new regulations.
The Data Protection Directive of 1995 provided only for a basic level of security measures relating to data protection on which EU member states could improve, if they so wished, which resulted in differing approaches and regimes within the member states. The new regulations, drafted in January 2016 (see article here), are designed to provide a more uniform approach.
What are the main changes?
- Increase in sanctions for breach. Fines of up to 2% of global turnover may be imposed or €10m, whichever is the greater. In more serious cases, such as unlawful international transfers, fines can amount to up to 4% of global turnover, or €20m if that is greater.
- If the activities of data controllers and processors outside the EU relate to offering goods and services to EU citizens, they will be caught by the Regulations. The means of enforcing this against companies that do not have a place of business within the EU is unclear.
- Consent to data processing must be freely given, specific and informed and requires “clear affirmative action” by the individual concerned. Consent will not be treated as freely given where the data subject had no genuine and real free choice and cannot refuse or withdraw consent without detriment. This may well cover many employment situations in which, generally, an inequality in the bargaining position is seen as existing between the employer and the employee. This presents a further area of uncertainty, particularly in the case of sensitive personal data and data to be transferred outside the EU.
- The scope of “sensitive personal data” is expanded to specifically take account of genetic information.
- Breaches must be notified by a data processor to the national data protection authority without delay (at least within 72 hours).
- A new right “to be forgotten”. Individuals are permitted to request data processors to permanently delete their information.
- A new concept, “pseudonymisation”, where data is processed on an anonymised basis but where there is information capable of identifying an individual which is separately processed. This data will be subject to the Regulations.
- Increased obligations for data controllers such as undertaking impact assessments in cases of high risk for individuals and demonstrating compliance, for example by showing adherence to approved codes of conduct and paper trails for decisions relating to data processing.
- A new European Data Protection Board will be established, and will comprise the heads of each member state’s national data protection authority.
Impact on international data transfers
The position on international data transfers has not materially changed although the EU Commission, in assessing whether countries outside the EU have adequate legal protections for EU citizens’ data, will specifically have to take account of national security laws and the availability of effective redress for individuals. This is the result of the Schrems Decision where the Court of Justice in the European Community (CJEU) ruled that the Safe Harbor agreements in the US no longer provided adequate protection for EU citizens for data transferred to and processed in the USA (see articles here and here).
Impact on your business
The Regulations are likely to take effect from early to mid-2018, so businesses should assess now how they need to change their policies, systems and processes to make them compliant.
Amongst other services, we can assist with:
- Identifying the means to demonstrate compliance.
- Ensuring that consent processes are compliant with the new requirements.
- Training staff on responding to rights of removal.
- Ensuring procedures for responding to data subject access requests are compliant with the new procedures.
- Assigning overall responsibility for data protection compliance.
- Designing a full compliance program for your organisation.
Should you require assistance in assessing how to revise your Data Protection policies to align with the new rules, please get in touch.
Content is for general information purposes only. The information provided is not intended to be comprehensive and it does not constitute or contain legal or other advice. If you require assistance in relation to any issue please seek specific advice relevant to your particular circumstances. In particular, no responsibility shall be accepted by the authors or by Abbiss Cadres LLP for any losses occasioned by reliance on any content appearing on or accessible from this article. For further legal information click here.
Circular 230 disclosure
To ensure compliance with requirements imposed by the IRS and other taxing authorities, we inform you that any tax advice contained in this article (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties that may be imposed on any taxpayer or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.