WHAT YOU NEED TO KNOW ABOUT THE NEW EU DATA PROTECTION LAW

What is the GDPR? It’s the most significant development in data protection law in 20 years. Current EU data protection is based on the 1995 EU Data Directive. In January 2012, the European Commission first announced proposed revisions to the Directive. On December 17, 2015, the European Parliament and Council announced the text of the brand-new General Data Protection Regulation (GDPR). The GDPR has 99 articles and is over 200 pages long. Its adoption follows years of intense lobbying and represents a landmark moment in data protection and privacy both in Europe and around the world.

Effective Date. The GDPR becomes effective May 25, 2018. Until then, the Directive remains in effect. 

Highlights of the GDPR. Some of the major provisions of the GPDR include:

• Expansion of Scope.  Non-EU businesses will be subject to the GDPR if they 1) offer goods or services to EU residents or 2) monitor the behavior of EU residents. The GDPR may apply to any controller or processor of EU citizen data, regardless of where the controller or processer is located. New obligations are imposed on data processors and controllers.
• Data Breach Notification. The GDPR requires that a privacy regulator be notified of a data breach within 72 hours of discovery of the breach. Notice to individuals, without undue delay, may be required if there is a potential of serious harm. 
• Increased Fines for Noncompliance and Right to Sue. Currently, fines under the Directive vary by member states and are relatively low.  Under the GDPR, violations of certain provisions, such as consent requirements or cross-border data transfer restrictions, can trigger fines up to the greater of €20,000,000 or 4% of a company’s annual revenue. Individuals are also allowed the right to sue and obtain compensation from a noncompliant controller or processor.
• Data Protection Officers.  The GDPR will require controllers or processors to appoint a data protection officer where data processing is a “core” activity and where sensitive data is processed on a “large” scale. Those in the healthcare, insurance, pharma, biotech, and technology industries may need to hire additional data protection officers to comply.
• Data Protection Impact Assessment.  Businesses may be required to implement data protection by design (e.g., when creating new products, services or other data processing activities). Data protection impact assessments may be required to identify privacy risks in new products.
• Consent Requirements. Consent, as a legal basis for processing, may be harder to obtain. Consent must be freely given, specific, informed, and unambiguous. Businesses that rely upon consent to process personal data will need to carefully review existing practices. Consent will not be considered valid if a data subject has to give consent to processing for the provision of a service where the processing is not necessary to the actual performance of the contract.
• One Stop Shop. The GDPR’s intent is to harmonize data protection law within the EU. Under the Directive, a Data Processing Authority in a member state could exercise authority over any business operating within its territory. The GDPR creates a Supervisory Authority to act as lead and have jurisdiction over any complaints and violations.
• Children. Parental consent must be obtained if the concerned individual is under 16 (unless the member state passes a law to lower this age, but in any event the age cannot be lower than 13).
• Sensitive Data. More stringent requirements apply to sensitive data than under the EU Directive, including genetic, biometric, health, racial, and political data.
• Enhanced Notice and Information Obligations. Controllers must provide any information they hold about a data subject, free of charge, and within one month of request. More details may need to be disclosed to data subjects, both initially (e.g., in a privacy policy) and in response to access requests. Controllers may be required to allow individuals to obtain a full copy of their data in a standard format and possibly facilitate transfer of data to others.
• Right to be Forgotten. Individuals will have right to request that businesses delete their personal data in certain circumstances (e.g., where the data is no longer necessary for the purposes for which it was collected). Businesses may need to prepare for how they will comply with these requests. 
• Cross Border Transfers Still Restricted. As provided in the Directive, the transfer of personal data to a location outside the EU remains restricted. Personal data of EU residents can only be transferred to a country with “adequate “data protection. Unless and until the United States is deemed to have adequate data privacy protection, the transfer of data must look to options such as the Privacy Shield (still under review),  Model Contracts, Binding Corporate Rules, and other limited exceptions under the GDPR.

What Should a Business Do Today? Businesses with significant global operations must continue to comply with the Directive while, at the same time, preparing for the GDPR. 

May 25, 2018 will be here sooner than you think. Start preparing now. 

Perform a Risk Analysis. What risks does your business face under current business model?

Make Appropriate Changes. What steps can be taken to meet the new requirements?

Resource Planning. What resources are necessary to transition to the GDPR?

Budget. What additional costs may be incurred in compliance planning?

Team Approach. Engage all key stakeholders in planning including the legal, HR, finance, product development, and marketing functions.