This spring the European Parliament and the Council adopted the General Data Protection Regulation (GDPR), which will replace the Data Protection Directive of 1995. The GDPR is binding in its entirety and directly applicable in all Member States, and it will take effect in only a year and a half, i.e. in May 2018.
The data protection reform aims to give citizens more control over their personal data in the current internet era, to establish a regulation adapted to the digital commonwealth, and to create a uniform level of data protection across the EU. The GDPR is likely to have an extensive impact, as the new principles apply to all EU businesses and organisations that process personal data. The GDPR is also obligatory for entities that are not established in the EU but process personal data of data subjects who are in the EU, where the processing activities are related to the offering of goods or services in the EU.
What are the implications of the data protection reform?
Several updated principles set out in the GDPR may confront businesses with the challenge of having to implement major changes to their current procedures and systems. The following examples of data processors' reformed obligations give an idea of the extent of the changes businesses will face:
- The personal data processors will have an obligation to notify the supervisory authorities and in certain cases also data subjects of personal data breaches that may adversely affect the rights and freedoms of the data subject.
- The processing of personal data must be structured and systematic, and the set of personal data collected on a data subject must be transferable from one electronic processing system into another.
- An obligation to designate a data protection officer where required by the nature and scope of personal data processing, e.g. where the core activities of the entity require regular and systematic processing of personal data or processing certain specific personal data on a large scale.
- A personal data processor has to ensure that personal data processing activities are documented and in cases where the processing is likely to result in a high risk to the rights and freedoms of natural persons, the processor must carry out a data protection impact assessment.
In addition, an entity may find it complicated to erase personal data in cases where the purpose of the data processing has ceased and the data subject does not wish the data to be processed in the future. Also, the obligation to ensure and, if necessary, prove the existence of a data subject's explicit, informed and freely given consent where required may turn out to be a real challenge.
In order to achieve compliance with the EU regulations in the Member States, the GDPR grants wider powers to the Member States' data protection authorities and establishes heavy financial penalties for noncompliance. These penalties may range from up to 2% of the company's annual worldwide turnover for minor breaches to up to 4% for major breaches, or 20,000,000 euros, whichever is greater.