Channel: London and Watford based solicitors | Matthew Arnold & Baldwin » EU law

European Parliament and Council finally reach agreement on new data protection laws


After four years of negotiations, the European Parliament and Council have finally reached agreement on the content of the proposed new General Data Protection Regulation. It is expected to be formally passed in March or April, and to come into force two years after that. The new Regulation is going to take a more risk-based approach than the current EU laws, and is reported to contain the following:

  • Fines of up to 4% of global turnover for breach.
  • New rules on self-reporting and dealing with data breaches: notification within 72 hours or sooner, unless the breach is not likely to result in a risk.
  • Data controllers and data processors having to keep records of data protection activities, rather than having to register with the regulators as data controllers.
  • A requirement to conduct privacy impact assessments where the plans are likely to result in a high risk to the data.
  • A requirement to consult with the data regulators where the impact assessment suggests a high risk if there are no measures to mitigate the risk.
  • Some data controllers having to appoint data protection officers, who will need to be trained on the data protection laws and will act as a point of contact for individuals and others, advising on personal data processing and monitoring compliance.
  • Where consent is used as a justification to process data, the consent must be freely given, specific, informed and an unambiguous indication of the data subject’s wishes.
  • Better rights for individuals to enable data portability – ie the ability to get hold of data and pass to somewhere else, eg from one social network to another.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP, comments: “The 4% global annual turnover fine has certainly grabbed the biggest headlines and it will make organisations sit up and realise the bigger impacts of their failure to comply with the law. However, organisations also need to get to grips with the other changes such as data breach notification and consent rules.”

