The Regulation (261-page / 1.31MB PDF), together with a new Data Protection Directive for police and criminal justice authorities, had already been endorsed by national governments within the EU late last week. The legislation was finalised with the European Parliament's vote on Thursday morning.
Data protection law expert Kuan Hon of Pinsent Masons, the law firm behind Out-Law.com, said organisations should prepare for major changes that the new Regulation will deliver.
"Organisations are going to have to review and change their data processing contracts – both controllers and processors will have an interest in this – particularly as service providers who process personal data will be directly subject to data protection obligations and liabilities for the first time under the Regulation," Hon said. "This includes obligations in relation to security and record-keeping. There are detailed prescriptive requirements for terms that have to be in controller-processor contracts."
Hon said that the introduction of a stiffer sanctions regime will make data protection a "boardroom issue". She said the fines that could be imposed for data protection breaches bring the potential penalties more into line with those that can be levied for a breach of EU competition rules.
"The fines that could be served by data protection authorities are potentially huge," Hon said. "The Regulation deals with fines in two tiers – the maximum fine could total 4% of a business' worldwide annual turnover of the preceding financial year, or €20 million if higher."
A new data breach notification framework will also apply to both controllers and processors for "personal data breaches". Not every breach will need to be notified to regulators or affected customers, but Hon said companies could face fines for failing to notify when they should have. They should therefore "put in place systems and processes" in advance so as to facilitate the notification of breaches in the event such an incident occurs, she said. Generally, notification of breaches by controllers to supervisory authorities would need to occur within 72 hours of a breach, according to the Regulation.
The Regulation also places a new "emphasis on accountability", Hon said. Businesses will need to be able to "prove their compliance", for example by showing regulators their records and logs, with adherence to approved certifications or codes being "an element" to demonstrate compliance. Having the right systems and processes in place and ensuring staff training on the new requirements will be important, she said.
In a statement the European Commission said the Regulation would benefit businesses "greatly".
"The reform will boost legal certainty for businesses, with a single set of rules across the EU," the Commission said. "Thanks to the one-stop-shop, companies will only have to deal with one single supervisory authority – rather than the 28."
"With the new rules, non-EU companies will have to apply, when offering their services to customers in the EU, the same rules as EU companies; thus creating a level playing field. The new rules are also future-proof: technologically neutral and fit for innovation and big data analytics. The new rules encourage privacy-friendly techniques such as pseudonymisation, anonymisation, encryption and data protection by design and by default," it said.
The precise date on which the Regulation will come into force is not yet known. The Regulation must first be published in the Official Journal of the EU. It will enter into force 20 days after that happens but will not apply until two years after that date.