The General Data Protection Regulation

A new General Data Protection Regulation was published in the Official Journal on 4 May 2016. As it is a Regulation (as distinct from a Directive), it is directly binding on Member States without any requirement for implementation into national law. It entered into force in all EU Member States on 25 May 2018. 

It introduces a new sanctions regime and new requirements that will increase the regulatory burden on controllers and processors. The GDPR accompanies its cousin in law enforcement data protection matters, the Police and Criminal Justice Data Protection Directive.

The European Commission claims that the reform will boost legal certainty for businesses, with a single set of rules across the EU and a "one-stop-shop" approach to regulation meaning that companies will only have to deal with one single supervisory authority ("SA"). 

However, while the GDPR is designed to enhance individuals' data protection rights, the necessary corollary of stronger rights for data subjects is more onerous obligations for controllers, and, for the first time, processors.


Implications of Brexit

The UK vote to leave the European Union has created uncertainty about how the GDPR will apply to the UK in the future. However, as the UK Government submitted a formal notice of an intention to leave the European Union (under Article 50 of the Lisbon Treaty) only at the end of March 2017, the conclusion of negotiations for that exit will almost certainly occur after the GDPR application date of 25 May 2018.

This means that the GDPR will have some direct application to the UK for a period of time while the arrangements for leaving the European Union are finalised.

The ICO has also indicated that, in order to participate in the Single Market and data transfers from the European Economic Area, the UK will need to adopt data protection standards that are essentially equivalent to those in the GDPR in order to justify an adequacy decision; therefore, notwithstanding the Referendum result, we do expect some degree of reform to UK data protection law.

Further, UK-based organisations that offer goods or services to EU-resident individuals or monitor their behaviour, or whose personal data processing activities are related to such offering/monitoring, will in any event be directly subject to the GDPR regardless of whether it is in force in the UK.

Key changes in the GDPR

• Administrative fines up to a maximum of €20 million or 4% of a business's worldwide annual turnover: The GDPR introduces a new regime of administrative sanctions in two tiers. The lower tier is the greater of €10 million or 2% of a business's worldwide annual turnover of the preceding financial year, and the higher tier is the greater of €20 million or 4% of a business's worldwide annual turnover of the preceding financial year.
• Mandatory breach notification within 72 hours (where feasible) and notification to affected individuals: Controllers will have to notify the SA of a security incident (unless it is a low-risk incident or one not involving personal data) within 72 hours of becoming aware of it "where feasible". Individuals will need to be notified where the occurrence of the incident could cause them serious harm. A processor has to notify its controller "without undue delay".
• Statutory liability for processors: Processors will have a statutory obligation to implement appropriate security measures when processing personal data on behalf of a controller, as well as to follow the instructions of the controller and ensure the reliability of its staff involved in processing the personal data. In addition, they have an express obligation to notify the controller of security incidents. Processors may also be exposed to claims for financial damage or distress by individuals affected by the security incident, who may choose to sue whomever in the supply chain is perceived to have the deepest pockets.
• Minimum mandatory contractual provisions in data processing clauses/contracts: The GDPR requires that prescriptive obligations are included in data processing clauses/agreements, including flow-down of those obligations to sub-contractors, to which some service providers (eg cloud service providers) may have difficulty agreeing.
• Territorial scope: Non-EU controllers and processors will be caught where the processing activities are related to the offering of goods or services to data subjects in the EU, or the monitoring of their behaviour.
• Tighter rules on international transfers: Restrictions on transferring personal data outside the EEA (eg to data centres outside the EEA, or remote access from outside the EEA) will generally be tightened up, noting that the higher tier of fine applies to breaches of the data export rules. Under the GDPR, the current safeguards (namely existing model clauses and binding corporate rules) remain available, but self-assessment of adequacy will no longer be a route to compliance.
• Expanded definition of personal data: 'Personal data' has been broadened to cover any information related to identified or identifiable living individuals, and there are specific definitions for genetic data and biometric data. The GDPR also introduces a definition for 'anonymous information' and the concept of 'pseudonymisation' (ie data that can no longer be attributed to a specific data subject without additional information that is held separately and secured).
• Greater transparency around data processing: More information will have to be provided to individuals about what personal data is being collected, for what purpose, for how long, and to whom and to where it is being transferred.
• Accountability measures: There will be stricter rules requiring controllers to put in place (and implement) policies and documented procedures which not only serve to ensure compliance with the GDPR but also to evidence that compliance. Full documentation, records, logging etc. will be important to help avoid or reduce fines, eg proving that proper consents were obtained where necessary. Controllers will also be obliged to implement "data protection by design and default", including security by default.
• Right to be forgotten: Building on the existing right to erasure, whereby individuals can request that a controller deletes personal data that has been or is being processed in contravention of data protection laws, an individual will be able to request that their personal data be deleted and, where the personal data has been made public, that other controllers processing the personal data also erase links to, or copies or replications of, such personal data.
• Data portability: This is a new right which entitles a data subject to obtain from the controller a copy of his data in a structured, commonly used and machine-readable format. The data subject will even be able to request that the personal data is sent directly to another controller, where technically feasible.
• Data protection officers ("DPO"): Public authorities and private companies whose core activities involve large-scale monitoring or large-scale processing of sensitive data or data on criminal convictions must appoint a DPO. Processors for such organisations may also have to appoint DPOs. A DPO must operate independently and must not take instructions from his employer.
• Data protection impact assessments ("DPIA"): Before commencing any processing likely to result in a high risk to individuals, such as profiling activities, controllers will have to carry out a review of that envisaged processing to assess the privacy risks to individuals, and identify measures to address these risks and demonstrate compliance with the GDPR. Where the DPIA indicates that the processing would be high risk in the absence of measures by the controller to mitigate that risk, the controller will be required to consult with the SA before being able to process that personal data under the GDPR. The SA will be able to suspend or even ban the processing.
