Big changes are underway in the world of data protection within the European Union. At the end of December, the European Commission approved the final version of the General Data Protection Regulation (GDPR).
The GDPR will have a significant and wide-ranging impact on businesses, imposing new compliance obligations and threatening significant sanctions for non-compliance. According to experts, the new rules will impact every entity that holds or uses European personal data both inside and outside of Europe.
This is the first overhaul of the regulations since 1995, and, as one might guess, rules of that age had become quite outdated given the technological advances of the last two decades. The regulations will affect all 28 European Union member states and will replace the inconsistent national laws that member states had previously implemented to comply with the 1995 directive.
The GDPR sets out the rights of individuals, giving them more control over their personal data. It requires companies to inform individuals in unambiguous terms that their information will be processed and/or collected and state the specific purpose for such processing and/or collection. If the information will be used for multiple purposes, the individual must be informed of each and every purpose. Consent can no longer be implied but rather must be explicitly given. The company’s request for consent must be clear and concise and may not be presented in an unusual context. Further, companies will be required to delete data if an individual revokes his or her consent.
The GDPR also sets out general obligations for companies that are responsible for processing data. These include the obligation to implement appropriate security measures based on the risk involved in the data processing operations the company performs. Companies will also be required to notify individuals within 72 hours of a data breach involving data that was not encrypted. Further, larger companies or companies that handle significant amounts of sensitive data will be required to appoint a Data Protection Officer whose role will be to ensure, on an independent basis, that the provisions of the GDPR are being followed within the company.
Another key component of the GDPR is that it not only gives rise to increased compliance requirements, it also provides for significant financial penalties for non-compliance. Specifically, the GDPR provides for administrative fines of up to €20 million or 4 percent of a company’s global revenue, whichever is greater.
The GDPR is expected to become law in 2018, meaning that there is no time to waste for companies to assess the new regulations and to put the proper measures in place to ensure compliance.