- 04.05.2016 -
The new EU General Data Protection Regulation (GDPR) is published
On May 4, 2016, the EU General Data Protection Regulation (GDPR) was published in the Official Journal of the European Union. The GDPR will replace the current EU Data Protection Directive and will be directly applicable in all EU Member States. Companies will have time until May 25, 2018 to implement all required steps necessary to comply with the new regulation.
The GDPR contains strengthened and new rights for data subjects, such as a right to be forgotten or a right to data portability, and new obligations for data controllers and data processors.
Here are some of the key changes:
The territorial scope has been expanded to include data controllers and (new) data processors that are established in the EU. Importantly, companies that are NOT established in the EU but offer goods or services to, or monitor the (online) behavior of, data subjects in the EU also fall under the scope of the GDPR.
Controllers must be able to demonstrate their accountability for complying with the GDPR. This includes the obligation to:
- Maintain documentation of processing activities
- Establish policies and guidelines
- Appoint a data protection officer (DPO) in certain cases
- Implement security measures
- Implement data protection by design and by default
- Conduct privacy impact assessments
Accountability may be demonstrated by various means, such as with Binding Corporate Rules (BCR), certifications or codes of conduct.
The requirements for obtaining consent have been strengthened. Consent must be freely given, specific, informed and unambiguous (and explicit for sensitive personal information), and it must be revocable at any time. When requested in the context of a written document, it must be clearly distinguishable from other matters and be presented in an intelligible and easily accessible form, using clear and plain language. Consent will also not be valid if there is a clear imbalance between the data subject and the controller, which may be the case, for example, in the employment context. Importantly, a controller may not make a service conditional upon consent unless the processing of personal data is necessary for that specific service.
Data processors now have direct statutory obligations under the GDPR. This includes the obligation to:
- Maintain records of processing activities
- Implement appropriate data security measures
- Cooperate with supervisory authorities
- Assist controllers in complying with the GDPR
- Comply with cross-border data transfer restrictions
- Notify controllers in case of a data breach
- Become a joint controller if data is processed beyond the instructions of the controller
- Enter into a written data processing agreement with the controller
- Appoint a DPO in certain cases
Data controllers must notify supervisory authorities about data breaches without undue delay and, where feasible, within 72 hours after having become aware of the breach. Where the breach is likely to result in a high risk to individuals’ rights and freedoms, such individuals must be notified about the breach without undue delay.
Violations of the GDPR may result in fines of up to EUR 10 m or 2% of annual worldwide turnover, for example for failures to comply with the general obligations, to appoint a DPO, or to implement security measures and privacy impact assessments. More severe failures, for example to comply with the basic privacy principles for data processing such as consent requirements, data subject rights or data transfer restrictions, may result in fines of up to EUR 20 m or 4% of annual worldwide turnover.
What should companies do now?
Companies subject to the GDPR should start now to implement the measures needed to comply with the GDPR when it becomes applicable in two years' time, by taking the following steps:
- Get familiar with the GDPR and the obligations applicable to your organization
- Assess the current privacy management practices within your organization and identify the gaps with respect to the new requirements under the GDPR
- Identify measures that must be taken to comply with the GDPR and define an action and time plan for the remediation
- Watch out for guidelines and opinions that will be published by national Data Protection Authorities and the Article 29 Working Party in the coming months
How can we help you?
We are happy to assist organizations in getting a better understanding of the GDPR requirements applicable to them, conducting assessments and gap analyses, providing guidance on remediation, and developing the necessary policies, guidelines and processes to ensure compliance with the GDPR and minimize risks.
You can find the final text in various languages here: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC