EU General Data Protection Regulations - final draft

09 May 2016

Last week (4 May 2016), the final draft of the EU General Data Protection Regulation was published. Aaron Pearson, Director and Solicitor, picks out the most important points:

Every organisation, both within and outside the European Union ("EU"), that controls and/or processes EU citizens’ personal data must comply with the provisions of the Regulation by 25 May 2018.

Notification:
The controller must notify the supervisory authority not later than 72 hours after becoming aware of a breach, unless the breach is unlikely to result in a risk to the protection of a data subject’s personal data (Article 33).

Where a breach is likely to result in a “high risk” to the protection of the data subject’s personal data, the controller must notify the data subject without undue delay, unless:
(1) the data accessed is unintelligible to any person accessing it, e.g. it is encrypted; or
(2) the data controller has taken subsequent measures which ensure the high risk to affected data subjects is unlikely to materialise; or
(3) it would involve disproportionate effort, in which case a public communication or similar measure can be used instead (Article 34).

The ‘one stop shop’
Where there are multiple breaches, all Member States involved will conduct joint operations (Article 62). The supervisory authority in the Member State where the controller’s or processor’s main establishment is located will act as the lead supervisory authority (Article 56) and will liaise with the other supervisory authorities concerned to reach a consensus (Article 60).

Damages
Data subjects have a right to a judicial remedy if they CONSIDER their rights under the Regulation have been infringed. Proceedings will come before either the courts of (1) the Member State where the controller or processor has an establishment or (2) the Member State of the data subject’s habitual residence (Article 79).
Compensation available for both material and non-material damage (Article 82).

Fines and penalties
Tiered approach for infringements:
(1) less serious - up to €10m, or in the case of an undertaking up to 2% of global turnover in the preceding financial year, whichever is higher;
(2) more serious (as identified) - up to €20m, or in the case of an undertaking up to 4% of global turnover in the preceding financial year, whichever is higher (Article 83).

International transfers of personal data:
Any transfer of personal data for processing outside of the EU can only take place if the ‘outside’ controllers and processors comply with the provisions of the Regulation (Article 44).

Global territorial reach:
The Regulation will apply to data controllers and processors outside of the EU that process EU citizens’ personal data and whose processing activities relate to the offering of goods or services or to the monitoring of data subjects’ behaviour (Article 27).

Consent:
It is necessary to obtain the data subject’s full informed consent (at the time of processing) to ensure fairness and transparency (Article 13).

Processors’ obligations:
Data processors must provide guarantees to data controllers that they will implement technical and organisational measures to meet the requirements of the Regulation and protect the rights of data subjects (Article 28).

Right to be forgotten:
Data subjects have the right to be forgotten in certain circumstances (Article 17).

Privacy by design:
Data controllers must implement appropriate measures demonstrating that processing is performed in accordance with the Regulation (Article 24).
Data controllers must conduct a data protection impact assessment where data processing gives rise to a high risk to the rights and freedoms of a person (Article 35).

What is clear is that organisations MUST become compliant by 25 May 2018.

Encryption of personal data wherever possible should be a minimum requirement.

The final wording has settled on a risk-based approach to notification of a data breach. Only breaches likely to result in a risk to the protection of a data subject’s personal data require notification to the relevant supervisory body. The threshold for notification to data subjects directly is higher still, requiring a ‘high risk’ to the protection of personal data.

The Regulation will give rise to an increase in data breach notifications. It is well established that the notification process and regulatory investigations can be expensive for organisations.

The scope for multi-Member State investigations suggests even higher costs.

This article is provided free of charge for information purposes only. It does not constitute legal advice and should not be relied on as such. No responsibility for the accuracy and/or correctness of the information and commentary set out in the article, or for any consequences of relying on it, is assumed or accepted by any member of the law firm.