Data protection reforms to apply from 25 May 2018

Out-Law News | 05 May 2016 | 12:36 pm | 1 min. read

New EU data protection laws will apply from 25 May 2018.

The General Data Protection Regulation (GDPR) was published in the Official Journal of the EU (OJEU) earlier this week after being finalised by EU law makers last month.

Data protection law specialist Kathryn Wynn said that businesses should start preparing now for the reforms if they have not already done so, due to the major changes that the Regulation will deliver.

"Organisations should put together a GDPR task force to map out and follow through on an implementation plan," Wynn said. "The task force should have mixed representation from across the business, from the IT and HR teams, legal and compliance officers and a senior manager with links into the board."

"Organisations should review existing supplier contracts and conduct an audit of what personal data they hold, how it is being used, to whom it is being disclosed and to where it is being transferred. Privacy notices may also need to be revised and it is also prudent to develop a new template privacy impact assessment for any upcoming projects that involve high risk data processing," she said.

"In addition, a further review of processes for handling subject access requests will be necessary to ensure that organisations can meet a more challenging deadline for response under the Regulation. Many businesses will also need to establish procedures for notification of data breaches for the very first time," Wynn said.

The Regulation contains wide-ranging changes to EU data protection laws. Organisations will be under a greater obligation to undertake privacy impact assessments and to consider privacy when designing new products and services. Many organisations will need to appoint a dedicated data protection officer. Updated rules on data transfers will also apply.

In addition, organisations will be subject to tougher data security rules and a new data breach notification framework. Data protection authorities will be able to impose fines of €20 million or up to 4% of global annual turnover, whichever is the greater, where businesses are responsible for serious breaches of the Regulation.

Last week the UK government said that the scope that organisations will have to re-use personal data under the GDPR could be clarified in new guidance from the Information Commissioner's Office (ICO).

In February the Article 29 Working Party, a body representing data protection authorities from across the EU, including the ICO, said that a raft of new data protection guidance would be issued to organisations to help them comply with the GDPR. Priority will be given to new guidance on data portability, the notion of high risk data processing and data protection impact assessments, certification and data protection officers, it said.