The new EU General Data Protection Regulation (GDPR) [1], approved by the EU parliament on 14 April 2016, will become fully enforceable throughout the EU in May 2018. The GDPR replaces the Data Protection Directive 95/46/EC, aiming to strengthen data protection and to further harmonize data privacy laws across the EU. From May 2018, a single set of rules will apply to all EU member states, without requiring adoption from their legislatures.

The key changes introduced by the GDPR to the pre-existing regulatory framework on data protection are mainly the following:

Extended scope of application
The regulation applies if the data controller (organisation that collects data from EU residents) or processor (organisation that processes data on behalf of data controller) or the data subject (person) is based in the EU. Furthermore, the Regulation, making a clear claim to extraterritoriality, also applies to organisations based outside the European Union, if they collect or process personal data of EU residents.

The increased territorial scope of the GDPR is undoubtedly the biggest change put forward by the GDPR to the regulatory system of data protection in the EU. Previously, the territorial applicability of the data protection directive was somewhat ambiguous, referring to data process ‘in context of an establishment’ and it had created a number of issues in court cases in which the processing of personal data of EU data subjects had taken place by a controller or a processor not established in the EU. It is now clear that the GDPR will apply to the processing of personal data by controllers and processors in the EU regardless  of whether the actual processing takes place in the EU or not.

One-stop-shop: Independent Supervisory Authority (SA)
Each member state will establish an independent Supervisory Authority (SA) to hear and investigate complaints, sanction administrative offences, etc. Where the processing of personal data takes place in the context of the activities of an establishment of a controller or a processor in the Union, and the controller or processor is established in more than one Member State, the supervisory authority of the main establishment of the controller or processor shall be competent for the supervision of the processing activities of the controller or the processor in all Member States, thereby acting as its lead-authority. The lead authority will act as a one-stop-shop, which will supervise all the processing activities of that business throughout the EU. Data subjects will be able to file a complaint with their local Supervisory Authority, which will then work with the lead Supervisory Authority on behalf of the data subjects. The European Data Protection Board (EDPB), which will replace Article 29 working group, will coordinate the SAs and will ultimately decide which is the lead- authority when this is unclear or disputed.

Data Protection Officer (DPO)
According to the GDPR, a) public authorities(except for courts or independent judicial authorities when acting in their judicial capacity), b) private organizations whose core activities involve regular and systematic monitoring of data subjects on a large scale  and c) private organizations that engage in large scale processing of sensitive personal data need to appoint data protection officers.

DPOs are persons with expert knowledge of not only data protection law and practices, but also IT processes and data security, who will assist the controller or processor to monitor internal compliance with the GDPR. The DPO, who may be a staff member or an external service provider, will report directly to the highest level of management. The requirement to appoint a DPO is new for many EU countries and has been criticized by some for its administrative burden.

The conditions for consent have been strengthened under the GDPR. Consent must be clear and provided in an intelligible and easily accessible form, using clear and plain language.  Data controllers must be able to prove “consent” (opt-in) and consent may be withdrawn. For the processing of non-sensitive data “unambiguous” consent will suffice, while the lawful processing of sensitive data requires explicit consent.

Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). This is the maximum fine that can be imposed for the most serious infringements.

Controllers have the duty to implement appropriate technical and organizational measures in order to meet the requirements of the Regulation and to protect the rights of data subjects (art. 23). This effectively means that data protection is designed into the development of business processes (privacy by design) and that privacy settings must be set at a high level by default (privacy by default) in order to ensure that all data processing complies with the GDPR. Processes must be subjected to privacy impact assessments and be well-documented.

Data Subject Rights
Under the GDPR there is a clear expansion of the rights of the data subjects:

Data Breach Notifications
The new regulation requires all organizations to report a data breach to Data Protection Authorities within72 hours of detection. Notification to data subjects is also required, unless the personal data has been rendered unintelligible (e.g. encrypted) or there is not a high risk of harm to the data subject’s rights and freedoms.

Right to erasure
This right entitles the data subject to have the data controller erase or cease further dissemination of his/her personal data.

The conditions for erasure include withdrawal of consent or the data no longer being relevant to the original purpose for processing (art.17).

Right to access
Data subjects are entitled to know whether a data controller has processed their personal data and for what purpose. Furthermore, the controller shall provide a copy of the personal data, free of charge, in an electronic format.

Data Portability
Data subjects have the right to transfer their personal data from one electronic processing system to and into another, without being prevented from doing so by the data controller (art. 20)

Getting ready for the GDPR…
Data protection has entered a period of unprecedented change. As a result, organizations face many challenges. The implementation of the GDPR will require comprehensive changes to business practices. In view of the strict requirements and the potential fines, businesses will need to increase both their focus and their investment on data protection. Overall, the new Regulation, with its expanded territorial reach, grants data subjects stricter control over their own data and it stresses the importance of secure data-handling. In order to ensure compliance with the GDPR, organizations need to appoint DPOs and they need to review thoroughly their consent forms, contracts with data processors and all internal policies.

[1] Regulation (EU) 2016/679

Edited by Tania Kyriakou