Data protection laws are based upon the Data Protection Directive that was introduced in 1995. Given the vast technological changes that have taken place in the last twenty years, the time has arrived to update these laws. The new General Data Protection Regulation (“Regulation”) is being finalised with a view to being introduced in 2016. The Regulation will come into force in early 2018, two years from the date it is finally adopted.
The Regulation will harmonise data protection laws in a single framework to apply across all EU Member States. As a result, the uniformity in laws across Europe means more certainty for businesses.
Businesses located outside of the EU offering goods/services to EU consumers or monitoring consumer behaviour will need to consider whether their businesses will be affected by the compliance obligations under the new Regulation and whether they may have to comply with the new Regulation. Final details are awaited.
Especially relevant is the meaning of consent. Consent will be considered as given to data controllers by way of a clear, affirmative action that establishes a freely given, specific, informed and unambiguous indication that the data subject permits the data controller to process personal data, e.g. a written or oral statement. Consent covers all processing activities carried out for the same purpose, whereas processing for multiple purposes will require consent for each purpose.
Fines have increased significantly, with maximum fines of €20 million or, in the case of an undertaking, 4% of the business’s annual worldwide turnover, whichever is greater. Supervisory authorities must ensure that the administrative fine imposed is effective, proportionate and dissuasive.
Strict breach notification measures will require all businesses to inform the supervisory authority of all data breaches that present risk to the rights and freedoms of data subjects. Breach notification must be without undue delay and, where feasible, within 72 hours.
The new Regulation proposes that data subjects affected by the breach must be notified by data controllers. The only instances in which this does not happen are where notification is impossible or disproportionate in effort, e.g. where the breach could inflict serious harm.
Pseudonymised data is data that is key coded or enhanced. Pseudonymisation ensures that, when personal data are processed, specific data subjects will not be recognised unless additional information is provided. Businesses are required to store key coded data separately and to implement technical and organisational measures that prevent attribution to an identifiable data subject.
Profiling includes most forms of online tracking and behavioural advertising, which might make it harder for businesses to use data to carry out these activities.
Data subjects must not be subject to decisions by data controllers based solely on automated processing, including profiling.
Importantly, data subjects will be entitled to request that data controllers erase all personal data relating to them. This includes data that has been made public on the internet and is no longer necessary for the purposes for which it was processed. Therefore, if the data subject objects to the processing of data and withdraws consent, continued processing will be unlawful.
Individuals will have the right to request and obtain a copy of all their personal data from the data controller in a structured and commonly used format; this also means data subjects can transfer their personal data to another data controller.
In practice, this will make it easier for data subjects to transfer data from a business to a competitor’s business.
Businesses must maintain detailed documentation recording processing activities in accordance with the Regulation (Article 28).
Businesses must also appoint Data Protection Officers, who are appointed by data controllers and processors to provide advice and monitor compliance with the new Regulation (Article 35).
A data protection officer must be appointed where processing is carried out by a public authority, where the core activities include processing operations which require regular monitoring, or where the core activities consist of large-scale processing of special categories of data.
For further information on planning and implementing effective and cost-efficient compliance, please do not hesitate to contact us.