On 15 December 2015 the European Commission reached agreement with the European Parliament and the Council of the EU on the reform of EU data protection law. The aim of the new European General Data Protection Regulation (GDPR) is to harmonise the data protection laws currently in place across the EU member states. Because the new law is a “regulation” rather than a “directive”, it will apply directly in every EU member state without the need for national implementing legislation. Enforcement of the new regulation is expected to start in 2018. Here I outline some of the key changes proposed so far that organisations should be aware of.
The EU Parliament has proposed that consent for the processing of personal data must be “purpose limited”, i.e. consent must be obtained for one or more specific purposes. The EU Parliament's chief negotiator Jan Philipp Albrecht said, "companies will not be allowed to divulge information that they have received for a particular purpose without the permission of the person concerned. Consumers will have to give their explicit consent to the use of their data." The burden of demonstrating that the legal standard of “consent” has been met will lie with organisations, so businesses should review whether their documents and forms of consent are adequate and check that consents are freely given and specific.
The draft Regulation proposes that companies will have to report personal data breaches to the national supervisory authority (the ICO in the UK) within 72 hours of becoming aware of them, unless the breach is unlikely to result in a risk to the individuals concerned. A breach report is likely to have to include the nature of the breach, its likely consequences for the individuals affected, and the measures taken or proposed to address it.
In May 2014 the European Court of Justice ruled that search engine operators such as Google were data controllers and that citizens had the right to ask that content referring to them be “forgotten”. It is thought that the GDPR will define a more limited right to be forgotten. Exactly what this will mean is still unclear and could depend on future rulings.
Given that the GDPR will enable EU national supervisory authorities to levy fines of up to 4 percent of worldwide annual turnover on firms that break the law, it would be prudent for organisations to analyse the legal basis on which they collect and use personal data. In contrast to the existing Data Protection Directive, the proposed regulation imposes some obligations directly on processors, not only on controllers. Data processing procedures should be monitored and reviewed with the aim of minimising both the personal data that is processed and the length of time it is retained.
However, the proposed regulation could be attractive for multinational businesses. The GDPR replaces 28 different sets of national data protection law with a single regulation, reducing compliance costs, complexity, risk and uncertainty over reporting for organisations that operate throughout the EU.
For further clarification of the new European General Data Protection Regulation (GDPR), or if you have any queries on data protection, please contact us today.