GDPR just in – New EU data protection regulation agreed

Almost four years in the making, a political agreement on the so-called General Data Protection Regulation (GDPR) has finally been reached, report both the European Parliament and the Commission. The agreement marks the most fundamental reform of privacy legislation in two decades and will have wide-ranging effects on all businesses operating in the EU.

What is the GDPR?

The GDPR, as the name implies, is a regulation covering the general (and also quite specific) aspects of data protection in the EU. Running to almost 200 pages, it defines a number of key terms; lays down the principles relating to personal data processing; sets out the rights of data subjects and the obligations of controllers and processors; regulates transfer of personal data outside the EU; specifies the applicable remedies, liabilities and sanctions; and so on and so forth.

Three of the pivotal themes of the GDPR include:

• giving individuals more control over their personal data,
• placing new requirements on businesses controlling and processing those personal data and
• empowering national authorities to impose strict sanctions, including hefty fines, on businesses failing to meet those requirements.

New rights for individuals

One of the publicly expressed aims of the GDPR is to "allow people to regain control of their personal data". In practice, this means that your company must provide your customers and users with more information – and, perhaps more importantly, with clearer and more understandable information – on how their data are processed.

Moreover, the new right to data portability means that you must facilitate the transfer of your customers' and users' data to a new service provider, should they wish to do so, and the reconfirmed "right to be forgotten" means that you must delete data that a customer or user no longer wishes you to process, unless you have legitimate grounds for retaining those data.

One of the most controversial issues in the draft was the conditions applicable to consent given by a child. The negotiators finally converged keeping 16 years as a common ceiling, but individual member states are allowed to foresee lower age limits.

More obligations on businesses

Under the GDPR, companies must notify both the national supervisory authority and their users of serious data breaches. In addition, if your company processes sensitive data on a large scale or collects information on many consumers, you will have to appoint a specific data protection officer who will then need to be involved in all issues which relate to the protection of personal data.

One of the buzz phrases associated with the GDPR is the accountability principle. Businesses controlling personal data are responsible for and, what is more, must be able to demonstrate compliance with the principle. This involves, among other things, implementing data protection by design and by default, maintaining records of processing activities and, where necessary, carrying out data protection impact assessments.

The GDPR indicates a strong will by the lawmakers to have European rules apply on European soil: also companies based outside the EU will have to comply with the GDPR when offering services in the EU.

Sanctions for non-compliance

The new rights for individuals and the growing number of obligations on businesses controlling or processing personal data will mean increasing requirements for your day-to-day operations in terms of both organisational measures and IT systems, but also in terms of contracts and contracting practices.

To make sure that businesses actually attend to these new requirements, the EU legislators have decided to empower national supervisory authorities to impose strict sanctions, including hefty administrative fines, on businesses failing to meet them.

In future, if your company breaches EU data protection rules, you could be fined as much as 4% of your annual turnover. Supervisory authorities will also have the corrective power to impose temporary or definitive limitations on processing, including an outright ban.

What happens next?

The GDPR is scheduled for a confirmation vote in the European Parliament's Civil Liberties Committee on Thursday, 17 December 2015. If the EU member states give a green light to the agreement in the Council, the European Parliament and the Council will formally adopt the final text of the GDPR in the beginning of 2016.

The GDPR will become applicable two years after that time – that is to say, in the beginning of 2018. As a regulation, it will apply directly in all EU member states.

We will be closely monitoring the formal adoption of the GDPR and will report back once the official text has been published.