In May 2018, the General Data Protection Regulation will enter into force within the European Union. The changes are substantial and must be strictly observed by companies (including US businesses) that wish to avoid high fines.
These are the most important changes:
1. The General Data Protection Regulation (GDPR) extends its territorial scope. This means that non-European companies may also fall under the requirements of the GDPR, making it the first global data protection law. It applies to
– all companies worldwide that target European markets and in this context process personal data of European Union citizens (regardless of where the processing takes place) and
– those that process data of European citizens in the context of their European establishments.
2. The GDPR tightens the rules for obtaining valid consent to process personal information. Valid consent is one of the two ways to justify data processing, the other being a legal justification. Companies will therefore have to update their consent management.
3. The GDPR extends the documentation obligations for companies and changes the burden of proof. As a consequence, companies will have to prove to the data protection offices (DPOs) that they fulfill their obligations under the GDPR.
4. The GDPR introduces mandatory privacy impact assessments (PIAs). The GDPR requires data controllers to conduct PIAs where privacy breach risks are high to minimize risks to data subjects. This means that before organizations can begin projects involving personal information, they will have to conduct a privacy risk assessment and work with the DPOs to ensure they are in compliance as projects progress.
5. The GDPR introduces a data breach notification requirement. The GDPR harmonizes the various data breach notification laws in Europe and is aimed at ensuring that organizations constantly monitor for potential breaches of personal data. The regulation generally requires organizations to notify the local data protection authority of a data breach within 72 hours of discovering it. This means organizations need to ensure they have the technologies and processes in place that will enable them to detect and respond to a data breach. For many organizations, this could require quite a bit of training. It may also require changes to internal data security policies and to how these are promoted within the organization, to ensure that data breaches are properly understood and that the procedures are easy to follow.
6. The GDPR expands liability beyond the data controllers. In the past, only data controllers were considered responsible for data processing activities, but the GDPR extends liability to all organizations that touch personal data. The GDPR also covers any organization that provides data processing services to the data controller, which means that even organizations that are purely service providers that work with personal data will need to comply with rules such as data minimization.
7. The enforcement of the GDPR is backed by significant fines of up to €20 million or 4% of annual global turnover, whichever is higher.
8. As a regulation, the GDPR is directly applicable as of 25 May 2018, without any grace period.
If you have any further questions regarding the upcoming changes in the General Data Protection Regulation, please do not hesitate to contact our experienced attorneys.