Preparing for a new data protection framework
The General Data Protection Regulation answers the call by Europeans for uniform data protection rights across the European Union, regardless of where their data is processed or stored. Due to the complexity of obligations in the GDPR, organisations are already beginning to take the appropriate measures to comply.
The EU GDPR applies to organisations whose data processing activities relate to offering goods or services to, or monitoring the behaviour of, EU data subjects, even if the organisation itself doesn’t reside within the EU. This is currently not the case with existing regulations.
Accountability and privacy by design
Data controllers will have significant accountability obligations to demonstrate compliance, including documentation; conducting a data protection impact assessment for more ‘risky’ processing; and implementing data protection by design and by default. Privacy by design is a key requirement of the regulation. In certain cases, data controllers and processors must designate a Data Protection Officer as part of their accountability programme.
Data subjects must give explicit and demonstrable consent concerning their personal data, either by statement or a clear affirmative action which signifies agreement. Importantly, they can withdraw consent at any time.
Data breach notification
Data controllers are required to notify the Data Protection Authority (DPA) within 72 hours of becoming aware of a breach (in most cases). What constitutes a reportable data breach is laid out in the full text of the GDPR.
Role of data processors
Under the new regulation, data processors will have direct obligations, including implementing technical and organisational measures to protect personal data and performing data breach notifications.
The GDPR contains a series of tiered penalties for breaches. It also gives the DPAs power to impose fines for some infringements of the regulation. The sanctions are substantial; however, there are some mitigating actions and preparations organisations can take to reduce sanctions.
Removal of notification requirement
In some situations, data controllers will no longer be required to notify or seek approval from the DPA. Instead, data controllers will need to put in place effective procedures and mechanisms focusing on high-risk operations (such as implementing new technologies) and conduct a data protection impact assessment.
International data transfers under the GDPR are essentially unchanged from previous regulations.
Binding corporate rules
Binding corporate rules will be recognised for controllers and processors, allowing for intra-group international data transfers. They must be legally binding, apply to every member of the group and expressly confer enforceable rights on data subjects.
A key element of the GDPR is the concept of a ‘one-stop shop’ where organisations will only need to deal with one Lead DPA where the organisation has its main establishment. Previously, the organisation would need to deal with multiple DPAs in each country where it had a presence.
Data protection board
An independent European Data Protection Board will replace the Article 29 Working Party. It will comprise the European Data Protection Supervisor (EDPS) and senior representatives of the national DPAs. It will be responsible for issuing opinions and guidance, ensuring consistent application of the GDPR and reporting to the Commission.
Right to be forgotten
Individuals will have the right to require that their personal data be erased without undue delay by the data controller under certain circumstances. Additionally, data controllers will have the obligation to take reasonable steps to inform third parties that the individual has requested that their data be erased.