General data protection regulation – changes to EU data protection legislation
On the 14th April 2016, the European Parliament voted to adopt the new Data Protection Law for Europe called the General Data Protection Regulation.
Data protection will be significantly tightened and individuals' rights (including the right to bring claims) will be strengthened. Fines will rise to as much as 4% of global turnover for breaches of the Law, including data breaches.
Although the Regulation was passed in 2016, it takes effect in 2018 and will impact all business sectors. It is important that organisations start assessing how the Regulation will change their current data protection obligations to clients.
Since the mid-1990s there has been a significant increase in the use of information technology and fundamental changes to the way individuals and organisations communicate and do business.
Data has become an increasingly valuable asset for any business, and the volume of data routinely collected and used by organisations greatly exceeds what was imagined 20 years ago.
The explosive growth in social networking and big data analytics (among other things) has highlighted the fact that existing law is outdated and a new approach to data protection is required.
The Purpose of the Legislation
The purpose is to further harmonise national data protection laws across the EU, strengthen the obligations of those who use personal data and enhance individuals' rights.
The Key Changes
- Increased enforcement powers
- New obligations on data processors
- Expanded Territorial Scope
- Data Privacy
- Data Breach Notification Rules
- The Right to Data Portability
Maximum fines have now increased to 4% of annual worldwide turnover.
The Regulation imposes obligations directly on data processors, who will also be subject to enforcement action. Processors will be subject to fines up to the same level as Controllers if they breach their obligations. Currently, Processors are generally not subject to fines or other penalties.
These changes mean that non-EU businesses will be subject to the Regulation if they offer goods or services to data subjects in the EU or monitor the behaviour of data subjects in the EU.
Businesses will be required to implement data protection by design (i.e. when creating new products or services) and by default, including data minimisation. Businesses will be required to perform data protection impact assessments to identify and address privacy risks in new products.
The Regulation requires businesses to notify data breaches within 72 hours where there is a risk to individuals. If the Data Controller cannot do this, it will have to justify the delay to the Supervisory Authority (SA). If the breach has the potential to cause serious harm, data subjects must be notified without undue delay.
The Regulation gives a data subject the right to obtain a copy of their personal data from the Data Controller in a commonly used format. This will, in theory, enable data subjects to have their data transmitted directly from one service provider to another seamlessly.