After four years of intense negotiations, EU institutions have finally closed the deal on the General Data Protection Regulation (GDPR), which was introduced by the EU Commission on January 25, 2012 as part of its data protection package.[1]
The EU Parliament approved the GDPR in its plenary session on April 14, 2016 in the regulation’s second reading (see the Parliament’s Resolution here). This was the final and highly anticipated step in the GDPR’s bumpy adoption process, a few days after the Council voted on the GDPR in its first reading on April 8, 2016. There were no substantive deviations by the Council from the version unofficially agreed to on December 15, 2015 at the last trilogue meeting. But it took a lot of effort to get there, and the GDPR will certainly be remembered as one of the more debated pieces of legislation in the EU’s legislative history.
There is no final official release of the instrument yet, but the expectation is that it will be published in the EU’s Official Journal (OJ) in May 2016. For now, the reference document is the version voted on by the Council, available here. The GDPR will enter into force 20 days after its publication in the OJ, and become fully applicable two years after that date. This means companies have until May 2018 to reach compliance.
The GDPR will entail major changes for businesses and individuals alike. Key changes include:
- The form of a regulation, which is directly applicable in all EU member states (i.e., it is a copy-paste into the local jurisdiction, contrary to a directive which must be transposed by Member States), meaning that the same rules will apply across the EU. However, there are a number of open areas where Member States may add rules (e.g., whether to impose the nomination of a data protection officer in circumstances other than those set out by the GDPR, in employment matters, etc.), so there will still be local variations.
- The territorial reach of the GDPR, which will apply not only to companies established in the EU, but to all companies (including vendors, suppliers, and other processors) that target the EU market and consumers.
- Tougher conditions around consent, including that access to a service cannot be conditional upon consent to the processing of data, if these data are not needed to receive the service.
- Increased rights for individuals, such as stronger access rights (including in terms of what information individuals are entitled to receive), the right to portability (i.e., to move data from one company to another in a commonly used format), and to ask companies to restrict using data or erase them altogether.
- Increased regulatory enforcement, including administrative fines of up to EUR 20 million or 4% of an undertaking’s worldwide annual turnover, and powers to issue reprimands, impose bans on data processing, suspend transfers, perform joint investigations with other regulators, etc.
- Tougher conditions on using consent (and other types of derogations, such as contractual necessity) to transfer data outside of the EU. However, new transfer solutions are available (e.g., Binding Corporate Rules are explicitly recognized, and codes of conduct or certification schemes have been added).
- New compliance burdens, such as recordkeeping obligations, the need to appoint a data protection officer (DPO) with a whole set of duties and powers and a specific status (including the need for independence, and protection around dismissal), and performing privacy impact assessments before rolling out new data processing solutions.
- Breach notification requirements towards regulators and individuals.
- Requirements applying now directly to processors (e.g., appointing a DPO, notifying the controller in case of a data breach, overcoming cross-border transfer restrictions, etc.) and increased exposure (regulators can directly audit the processor, and the processor may incur direct liability).
- A revamped liability regime, whereby if more than one controller or processor, or a controller and a processor, are involved in the same processing, they can each be held liable for the entire damage towards individuals. A controller or processor may only escape liability if it can prove that it is not in any way responsible for the event giving rise to the damage, which is a very strict test.
- New items added to the content of data processing agreements (i.e., agreements which need to be in place between a controller and its processor), including obligations of deletion or return of data at the end of the processing, allowing or contributing to its auditing by the controller, etc.
- A one-stop-shop mechanism for regulatory oversight, whereby the regulator of the main establishment of a company established in several EU member states shall be competent (although local regulators keep their competence over local establishments in a number of circumstances).
At this stage, we highly recommend that companies launch compliance programs to ensure they can reach the 2018 deadline for compliance. These programs could include actions such as:
- Assessing whether your company now falls within scope of the GDPR, especially if you have no physical presence in the EU;
- Reviewing internal processes to meet requirements on individuals’ rights (e.g., how to grant access to data, who’s in charge, or whether data are in a standard format that can be exported to another company) and data breach notification requirements (updating or setting up incident response plans);
- Implementing a records system to address the documentation requirement;
- Setting up or revising privacy impact assessment checklists and procedures;
- Ensuring a DPO is appointed as required;
- Reviewing customer-facing materials to comply with new consent and transparency requirements;
- Reviewing and amending agreements with processors; and
- Raising in-house awareness through training, so that all stakeholders understand the upcoming requirements and risks.
See also the 12-step checklist of March 2016 published by the UK ICO, which outlines steps that organizations can take now to prepare for the GDPR.
For a more detailed analysis of the GDPR and what it entails for businesses, see our client alert.
[1] The package also comprises a Directive on the processing of crime-related data by competent authorities, which received less attention than the GDPR and is not as directly relevant to companies.