Effect on Data Processors
The GDPR directly regulates "data processors" for the first time. The current Data Protection Directive regulates data controllers rather than "data processors" who are organisations/individuals engaged by a data controller to process personal data on the data controller's behalf.
Expanded Territorial Scope
The GDPR applies to data controllers and data processors established in the EU, and also to those established outside the EU where they process the personal data of individuals in the EU in connection with offering them goods or services or monitoring their behaviour, regardless of where the controller or processor is located. This means that many non-EU businesses that were not required to comply with the Data Protection Directive will be required to comply with the GDPR. Non-EU businesses caught by these rules will generally need to appoint a representative in the EU (the GDPR exempts certain occasional, low-risk processing from this requirement).
Increased Enforcement Powers
Under the GDPR, the most serious infringements (such as breaches of the basic processing principles, the conditions for consent, data subjects' rights or the rules on international transfers) could result in fines up to 4% of annual global turnover (or 20 Million Euros, whichever is greater). For violations relating to internal record keeping, data processor contracts, data security and breach notification, the GDPR allows for fines up to 2% of annual global turnover (or 10 Million Euros, whichever is greater). Accordingly, it would be prudent for organisations to review how they obtain, use and secure personal data. Data processing procedures should be monitored and reviewed with the aim of minimising the data processed and the period for which it is retained. It is worth noting that under the GDPR, data processors may also be liable for high fines.
New Rules for Obtaining Consent to Process Data
The GDPR requires a very high standard of consent for the processing of personal data. The burden of demonstrating that the legal standard of "consent" has been met will lie with organisations, so businesses should review whether their documents and forms of consent are adequate, and check that consents are freely given, specific, informed and unambiguous. Where the data processing has multiple purposes, the data subject should give consent to each of the processing purposes. Businesses must also ensure that a data subject can withdraw his/her consent to the processing of their personal data at any time, and that withdrawing consent is as easy as giving it.
Reporting Security Breaches
The GDPR requires businesses to report personal data breaches to the national supervisory authority (the ICO in the UK) within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to individuals. If the breach is likely to result in a high risk to the affected individuals, businesses must also inform those individuals "without undue delay". Organisations should develop a data breach response plan enabling them to detect, assess and report a breach quickly in the event of one occurring.
Subject Access Requests
The rules for dealing with subject access requests will change under the GDPR. Organisations will have one month from receipt of the request to comply (extendable by up to two further months for complex or numerous requests, provided the data subject is told why within the first month). The data controller must provide a copy of the personal data free of charge and, where the request was made electronically, in a commonly used electronic format. There will be different grounds for refusing to comply with a subject access request, and manifestly unfounded or excessive requests can be charged for or refused.
Right to be Forgotten
In May 2014 the European Court of Justice ruled that search engines such as Google were data controllers in respect of the search results they produce, and that individuals had the right to ask that links to content referring to them be "forgotten" (delisted). The GDPR codifies a right to erasure ("right to be forgotten") that applies in specified circumstances, such as where the personal data are no longer necessary for the purpose for which they were collected or the data controller has no legal grounds for processing them.
Privacy by Design
"Privacy by design" appears as a central concept within the GDPR: data protection considerations must be taken into account from the outset when designing a new process, product or service, rather than being treated as an afterthought. The related "privacy by default" obligation means that, by default, only the personal data necessary for each specific purpose should be processed.
Benefits to Businesses
The GDPR replaces 28 different national sets of data protection laws with a single regulation, with the aim of reducing compliance costs, complexity, risk and uncertainty over reporting for organisations that operate throughout the EU. Steps organisations should be taking now include the following:
- Implement training programmes in your organisation so that employees are aware of the data protection compliance they must follow.
- Audit and document the personal data your organisation holds, noting from where it was obtained, with whom it is shared and for how long it has been held.
- Put mechanisms in place within your organisation so that, by default, only the personal data necessary for each specific purpose is processed and the data is stored for no longer than necessary.
- Review all privacy notices used by your organisation and put in place a plan for changing these notices to comply with the GDPR.
- Consider whether your organisation must appoint a Data Protection Officer to comply with the GDPR.