General data protection regulation – changes to EU data protection legislation

On the 14th April 2016, the European Parliament voted to adopt the new Data Protection Law for Europe called the General Data Protection Regulation.

Data protection will be significantly tightened and individuals’ rights (including the right to bring claims) will be strengthened. Fines will rise to as much as 4% of global turnover for breaching the Law, including for a data breach.

The Regulation, though passed in 2016, takes effect in 2018 and will impact all business sectors. It is important that organisations start assessing how the Regulation will change their current data protection obligations to clients.

Since the mid-1990s there has been a significant increase in information technology and fundamental changes to the way individuals and organisations communicate and do business.

Data has become an increasingly valuable asset for any business, and the volume of data routinely collected and used by organisations greatly exceeds what was imagined 20 years ago.

The explosive growth in social networking and big data analytics (among other things) has highlighted the fact that existing law is outdated and a new approach to data protection is required.

The Purpose of the Legislation

The purpose is to further harmonise national data protection laws across the EU, strengthen the obligations of those who use personal data and enhance individuals’ rights.

The Key Changes

  1. Increased enforcement powers
     Maximum fines have now increased to 4% of annual worldwide turnover.

  2. New obligations on data processors
     The Regulation imposes obligations directly on data processors, who will also be subject to enforcement action. Processors will be subject to fines up to the same level as Controllers if they breach their obligations. Currently, Processors are generally not subject to fines or other penalties.

  3. Expanded territorial scope
     These changes mean that non-EU businesses will be subject to the Regulation if they offer goods or services to data subjects in the EU or monitor the behaviour of data subjects in the EU.

  4. Data privacy
     Businesses will be required to implement data protection by design (i.e. when creating new products or services) and by default (i.e. through data minimisation). Businesses will be required to perform data protection impact assessments to identify and address privacy risks in new products.

  5. Data breach notification rules
     The Regulation requires businesses to notify data breaches within 72 hours when there is a risk which affects individuals. If the Data Controller cannot do this, it will have to justify the delay to the Supervisory Authority (SA). If the breach has the potential for serious harm, data subjects must be notified without undue delay.

  6. The right to data portability
     The Regulation gives a data subject the right to obtain a copy of their personal data from the Data Controller in a commonly used format. This will, in theory, enable data subjects to have their data transmitted directly from one service provider to another seamlessly.