General Data Protection Regulation – how will businesses be impacted?
Although the approach followed by this new regulation is fairly similar to existing data protection legislation, there are some material differences. It is essential therefore that businesses begin to take steps towards compliance. Here we explore those differences in the first of our articles on GDPR.
For businesses involved in processing individuals' personal data, it is important to understand key terms to help determine data protection responsibility. We use the following terms throughout this article, in line with the Information Commissioner's Office (ICO):
Data subject - the individual whom particular personal data relates to.
Data controller - determines the purposes for which and the way in which any personal data will be processed, and is usually an organisation.
Data processor - any person or organisation, other than an employee of the data controller, who processes the data on behalf of the data controller.
Data processing - collecting, recording or taking any action with the information/ data relating to the data subject.
The level of fines that organisations face due to a breach of the new regulation is far more considerable than before. A fine of up to 4% of annual worldwide turnover or 20 million euros (whichever is higher) can be imposed for more serious offences, such as a breach of the basic data protection principles or a breach of international transfer restrictions. A fine of up to 2% of annual worldwide turnover or 10 million euros (whichever is greater) will apply to less serious offences, such as a failure to maintain a data processing register.
Expanded territorial scope
All businesses, even those located outside the EU, must comply with the GDPR when they offer goods or services to individuals within the EU or monitor data subjects’ behaviour where their behaviour takes place within the EU. E.g. internet profiling.
Consequently, businesses established outside the EU that are not currently subject to the Data Protection Directive (the Directive) should consider whether any of their entities are subject to the GDPR.
Risk-based approach to compliance
Businesses are responsible for assessing the degree of risk that their processing activities pose to data subjects. Both controllers and processors must show that they are complying with the data protection principles. This greater focus on accountability can be seen in several provisions, such as:
creation of data processing registers
introduction of steps to ensure that data protection is incorporated by design. For example, when creating new products, services or other data protection activities.
introduction of steps to ensure that data protection is incorporated by default rather than being an afterthought. For example, data minimisation.
privacy impact assessment for high-risk processing
appointment of a data protection officer in certain circumstances.
An indicative example of this shift in approach is that data controllers must notify the Information Commissioner’s Office within 72 hours of becoming aware of a data breach that poses a risk to data subjects.
This also means that low-risk processing activities may face a reduced compliance burden.
New obligations on data processors
It is essential for your business to be able to determine whether you are acting as a data controller or as a data processor.
Currently, data processors are not under any direct obligations (other than via the data controllers) and the data controller is liable for any breach committed by its processor.
This is going to change as the GDPR imposes direct obligations on data processors including an obligation to implement appropriate security standards, ensure adequate recordkeeping and inform the data controller of any breach.
Whilst under the current legislation data processors are generally not subject to fines or other penalties, processors may now be liable to pay fines of up to 4% of the annual worldwide turnover or 20 million euros (whichever is greater). They will now also be exposed to private claims from individuals in the event of a breach.
The increased regulatory burden and exposure to risk may well result in a change to existing commercial agreements and we recommend that you have a dialogue with your existing suppliers. Negotiating data processing agreements may become more difficult and, if you are a processor, you may wish to review your existing data processing agreements to ensure that you have met your compliance obligations under the GDPR.
Mandatory Data Protection Officers
Under the GDPR, the role of the Data Protection Officer (DPO) will become mandatory in certain circumstances, primarily where the processing involves regular and systematic monitoring of data on a large scale or to the public sector, and become advisable for most large organisations.
Organisations that appoint a DPO must ensure that their DPO is properly involved in a timely manner in all issues relating to the processing of personal data and given adequate resources and training. In addition, a DPO must have a certain level of skill, such as a law degree, to perform the role.
The Directive distinguishes between ordinary consent for non-sensitive personal data and explicit consent for sensitive personal data. The GDPR requires a very high standard of consent which must be given by a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the individual’s agreement to their personal data being processed, such as by a written statement.
If your business relies on consent, review existing practices to ensure that any consent obtained indicates affirmative agreement for the data subject, by ticking a box for example. The opportunity to withdraw consent must be made as easy for individuals as giving consent.
Data Subjects’ Rights
Individuals will have the rights to request that their data is deleted in certain circumstances. For example, when the data are no longer necessary for the purpose for which they were collected or the data subject withdraws their consent. This is called the right to erasure or the right to be forgotten.
If not already doing so, all businesses, large and small, should be assessing their interaction with personal data and how the GDPR will impact them and the sector in which they operate.