GDPR: The Good, the Bad and the Neutral
25 May 2017
Current EU data protection law is based on Directive 95/46/EC (the “Directive”), which was introduced in 1995. Since that time, there have been significant advances in information technology as well as fundamental changes in the ways in which individuals and organisations communicate and share information.
After many years of work, the EU Parliament’s vote on 14 April 2016 gave final approval to the new EU General Data Protection Regulation (GDPR). From Spring 2018, the GDPR will significantly change EU data protection law, strengthening individuals’ rights, extending territorial scope, increasing compliance obligations and expanding enforcement powers.
Whilst the implications of the GDPR will vary by sector and organisation, our third article in this series attempts to categorise in general terms whether the changes heralded by the GDPR will have a positive, negative or neutral impact.
A single legal framework
The GDPR introduces a single legal framework that applies across all EU Member States. This means that businesses will face a more consistent set of data protection obligations from one EU Member State to the next, which should aid overall compliance.
The risk-based approach to compliance
The GDPR establishes a risk-based approach to compliance, with businesses being required to assess the degree of risk that their processing activities pose to individuals. Low-risk processing activities face a reduced compliance burden. On the other hand, documented data protection impact assessments will be required for high-risk processing.
The ‘One-Stop Shop’
Currently, a Data Protection Authority (DPA) may exercise authority over businesses established in its territory or otherwise falling within its jurisdiction. Under the GDPR, where a business is established in more than one EU Member State, the supervisory authority (SA) of the main establishment of the business will act as the lead authority for data processing activities that have an impact throughout the EU and will co-ordinate its work with other SAs.
Pseudonymised data
The GDPR introduces the concept of ‘pseudonymised data’, i.e. key-coded or enhanced data. Pseudonymous data will still be treated as personal data, but pseudonymisation will help organisations comply with the GDPR and reduce the risk of non-compliance. The ‘key’ necessary to identify individuals from the pseudonymised data must be kept separately and be subject to technical and organisational measures that ensure the data cannot be attributed to an identified or identifiable person.
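As an added illustration (not part of the original article), the following Python sketch shows the separation the paragraph describes: a dataset is released with direct identifiers replaced by keyed tokens, while the HMAC secret and the token-to-identifier table live only in a separately held key store. The sample records, the `SeparateKeyStore` class and the field names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a direct identifier (email) alongside the attributes
# an analytics team actually needs.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "age_band": "30-39", "region": "BE"},
    {"email": "bob@example.com", "age_band": "40-49", "region": "IE"},
    {"email": "alice@example.com", "age_band": "30-39", "region": "BE"},
]


class SeparateKeyStore:
    """Models the separately held 'key'. Only this object holds the HMAC secret and
    the token -> identifier table; the pseudonymised dataset is handed out without it.
    In production this would sit behind its own access controls (for example a
    KMS/HSM-backed service); here it is an in-memory stand-in (constructed)."""

    def __init__(self, secret=None):
        self._secret = secret if secret is not None else secrets.token_bytes(32)
        self._lookup = {}

    def tokenise(self, identifier):
        # Keyed hash: the same identifier always yields the same token, so records
        # stay linkable for analysis, but nobody without the secret can recompute
        # tokens from a list of candidate identifiers (an unkeyed hash would allow that).
        token = hmac.new(self._secret, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self._lookup[token] = identifier
        return token

    def reidentify(self, token):
        # Re-identification is only possible through the key store, which is why
        # it must be kept apart from the dataset under its own controls.
        return self._lookup[token]


def pseudonymise(records, keystore, identifier_field="email"):
    """Replace the direct identifier in each record with a token from the key store."""
    pseudonymised = []
    for record in records:
        copy = dict(record)
        copy["subject_token"] = keystore.tokenise(copy.pop(identifier_field))
        pseudonymised.append(copy)
    return pseudonymised


def has_direct_identifier(records, identifier_field="email"):
    """Release check: no record in an outgoing dataset may still carry the identifier."""
    return any(identifier_field in record for record in records)


if __name__ == "__main__":
    store = SeparateKeyStore()
    released = pseudonymise(SAMPLE_RECORDS, store)
    for row in released:
        print(row)
    # Only the holder of the key store can map a token back to a person.
    print(store.reidentify(released[0]["subject_token"]))
```

The pseudonymised dataset remains personal data under the GDPR precisely because the key store can reverse it; the compliance benefit comes from access to that store being restricted and audited separately from access to the dataset.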
Binding Corporate Rules (“BCRs”)
BCRs are binding data protection corporate policies and programmes that are used to lawfully transfer personal data globally within a group of companies. The GDPR formally recognises BCRs albeit that they are still subject to SA approval.
Increased enforcement powers
Currently, fines under EU Member State law vary, and are comparatively low - the UK’s maximum fine is £500,000. The GDPR significantly increases the maximum fine to €20 million, or 4% of annual worldwide turnover, whichever is greater. In addition, national data protection supervisory authorities will be co-ordinating their supervisory and enforcement powers across the EU Member States and that’s likely to lead to a more pronounced enforcement impact and risk for businesses.
Expanded territorial scope
Non-EU businesses will be subject to the GDPR if they: (i) offer goods or services to EU residents; or (ii) monitor the behaviour of EU residents. Many non-EU businesses that were not required to comply with the Directive will be required to comply with the GDPR.
Consent
Consent, as a legal basis for processing, will be harder to obtain. Under the GDPR an individual’s consent must be freely given, specific, informed and unambiguous. Consent may not be valid if it is bundled with other matters, forms part of the general terms and conditions, or there is a “clear imbalance” between the parties. Organisations must be able to demonstrate that consent was given. Failing to un-tick a pre-ticked box does not constitute valid consent under the GDPR.
Data protection by design and by default
Businesses will be required to implement data protection by design and by default. They will also be required to perform data protection impact assessments to identify privacy risks.
Data Protection Compliance Programmes
Organisations will have to implement comprehensive data protection compliance programmes, with policies, procedures and compliance infrastructure, and be able to demonstrate this to the SA, for example by maintaining a record of processing activities.
Data Protection Officer
Organisations must appoint a data protection officer if they are a public authority or body, if their core activities require regular and systematic monitoring of individuals on a large scale, if their core activities include processing certain types of data on a large scale, including data relating to criminal convictions and offences, or if required by national law.
New obligations of processors
Unlike the Directive, the GDPR imposes direct compliance obligations on processors, and they may be liable for fines of up to €20 million, or 4% of annual worldwide turnover, whichever is greater. The GDPR also requires detailed provisions in third-party processing contracts. This will have an impact on both controllers and processors as they identify their processor agreements, review their commercial and legal positions for future agreements and renegotiate existing agreements.
Strict data breach notification rules
The GDPR will require businesses to notify the SA of data breaches within 72 hours. If the breach could cause serious harm, affected individuals will also have to be notified without undue delay.
The ‘right to be forgotten’
Under the GDPR, individuals have the right to request that their personal data is deleted in certain circumstances. As a result, businesses will need to devote additional time and resources to ensuring that these requests are appropriately addressed. In particular, businesses should consider how they will give effect to the right to be forgotten, as deletion of personal data is not always straightforward.
The right to object to ‘profiling’
Under the GDPR, individuals have the right to object to profiling on grounds relating to their particular situation. ‘Profiling’ is defined broadly and includes most forms of online tracking and behavioural advertising, making it harder for businesses to use data for these activities. Businesses that regularly engage in profiling will need to consider how they can demonstrate that individuals have consented.
The right to Data Portability
The GDPR gives individuals the right to obtain a copy of their personal data from the controller in a commonly used format and to have it transferred to another controller. This is likely to have a significant impact on consumer-facing businesses and make customer retention more difficult.
Some concepts will change
The GDPR introduces a number of new concepts and approaches, as detailed above. It is also intended to be future-proof, forward-looking and as technology-agnostic as possible.
Some concepts will stay the same
Many of the core concepts under the Directive are carried over broadly unchanged into the GDPR and, as such, I haven’t commented on them further in this article.
For more information on any of the matters detailed above or for general advice on or assistance with the new GDPR, please contact Dawn McKnight [email protected]. Dawn is a Partner at Carson McDowell and is head of the firm’s Commercial Practice.