The last few months have seen an increase in activity around all things data protection. In late December 2015 the European Council, Commission and Parliament finally reached agreement on new data protection rules, settling a final draft of the new General Data Protection Regulation ("GDPR"). The GDPR will be published in the OJEU in the next few months, and from that point there will be a two-year preparation period before it comes into force in mid-2018.
What are the key changes and what should we do?
- Joint Liability for Data Processors
Under the GDPR, controllers and processors will be jointly liable for data protection breaches. This is a significant change from the current regime, under which liability rests primarily with the controller, and it will have consequences for every data processor.
It is important for organisations to revisit their contractual relationships to ensure that this new controller/processor liability is properly addressed. A good starting point will be your key infrastructure contracts.
- Data Protection Officer ("DPO")
It was anticipated that all organisations would be required to have a DPO; however, after lengthy debates on the topic, this requirement has been curtailed. Larger organisations that regularly and systematically monitor individuals, or that process large amounts of sensitive personal data, will be required to appoint a DPO, as will most public sector bodies. This is one of the areas where member states have been given discretion to introduce broader DPO requirements. As this paper shows, the GDPR will create a significant increase in compliance obligations, so it would be advisable to appoint a dedicated individual responsible for preparing your business for the GDPR and then managing your increased compliance obligations after 2018, even where statute does not require it.
- Increased Fines & Breach Notifications
The final draft of the GDPR contains a fine structure that is higher than first anticipated. It introduces a two-tier structure with maximum fines of up to €20 million or 4% of global annual turnover, whichever is higher, for breaches of specific provisions such as the international transfer rules. A second, lower tier of up to €10 million or 2% of global annual turnover, again whichever is higher, applies to certain administrative and security breaches, such as failure to maintain processing records in accordance with the GDPR.
As well as these increased fines, the GDPR contains a mandatory requirement to notify breaches to the regulator within 72 hours of becoming aware of the breach. In certain circumstances the affected individuals will also need to be notified, namely where the breach is likely to result in a high risk to their rights and freedoms.
At this stage one of the most important things for every organisation to do is to assess the personal data it currently processes. Organisations then need to ask themselves why they are processing this data and whether they need to process it at all. This obligation already exists under the Data Protection Act but is not currently treated as a priority.
Organisations will also need to implement incident management plans to ensure they can detect a breach, assess its risk and meet the 72-hour notification deadline.
Whilst the GDPR has not gone so far as requiring express consent for all data processing, it will significantly change the current consent regime. Consent must still be unambiguous; the change is around the purpose for which consent was obtained. If you have collected data for a specific purpose, the individual's express consent will be required if you then want to process the data for a different purpose that is not compatible with the original one. Explicit consent will be required to process sensitive personal data.
The next two years will be a busy time as we all prepare for the GDPR coming into force. We will begin to get a clearer picture of how each member state plans to enforce the GDPR as regulators and governments release statements on the final draft. It is also advisable to keep up to date with the topics the ICO is discussing on its website, as these indicate the points it will be focusing on over the next few years.