General Data Protection Regulation (GDPR)

‘GDPR Primer’ is the first in a series of in-depth posts from compliance experts iCompli designed to help you successfully navigate your way around the new global data protection law! Yes, it is global.

• The new law will be in force from May 25th, 2018
• It extends the protection of EU law beyond its political boundaries
• The maximum penalty for a breach of the law is greatly increased to up to €20M or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher
• There is increased protection for the rights of individuals

In January 2012, recognising the need for the then current Data Protection Directive to be bought in to the 21st Century, the European Commission published a draft General Data Protection Regulation (GDPR) as part of a package of reform.

Four years later, and after much lobbying and debate, the final version of the Regulation was published in the EU Official Journal (OJ) on May 4th, 2016. You can download the final version here

For the 'detail people'

Article 16 of the Treaty on the Functioning of the European Union (TFEU), contains the specific provision ‘Everyone has the right to the protection of personal data concerning them’.

The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

Previously, we had an EU Directive, the Data Protection Directive (95/46/EC) which is implemented via National legislation in individual member states e.g. via the Data Protection Act 1998. This Directive will be replaced by the General Data Protection Regulation (2016/679) on May 25th, 2018.

A Regulation is different from a Directive being immediately enforceable as law in all member states without implementing legislation, although there is provision for a member state to legislate for special rules. Watch out in sectors like health and finance for new laws.

Key GDPR Changes

In this, the first of our update posts, we introduce the regulatory changes that will likely have the greatest impact on your businesses. Later posts will focus on business specific details of the Regulation.

1. A single EU-wide set of rules which will simplify cross border marketing and sales including a provision to choose a single supervisory body. Good news for multinational businesses.

     2. A global reach: if your business is not in the EU, but your customers or prospects are, they will be protected by the General Data Protection Regulation.

3. Accountability! Organisations who carry out large (as yet undefined) scale and systematic monitoring of people, particularly sensitive data, will have to appoint a Data Protection Officer (DPO). He or she has specific legal tasks to carry out, including monitoring compliance with the Regulation and liaising with the authorities.
4. Privacy by design and by default: It’s no longer an after-thought, data protection must evidentially be designed in to your products, services and business processes. Conducting and documenting your data protection impact assessments (DPIAs) is set to become an everyday task.
5. Stronger individual rights: Many are ‘qualified’, but they still require careful attention. They include rights to ‘data portability’, ‘data erasure’, and a right to be informed of a ‘data breach’ (personal data breach).
6. Notification cessation: Data controllers will no longer be required to Notify the authorities of their data processing activities.

Next in the GDPR series

Our next update in the GDPR series will be the 'Chief Marketing Officers primer to the GDPR'. due for publication on May 27th, 2016.