The clock has started ticking!
On 14 April 2016 the EU adopted the final text of the General Data Protection Regulation (GDPR). It will replace the existing data protection legislation and will have a significant impact on every organisation's data protection practices and obligations.
While businesses have a two-year transitional period in which to comply, there is a lot to be done, particularly for organisations that already have areas of weak compliance with the existing rules.
The key changes being brought in through GDPR are:
- broader territorial reach
- wider definition of personal data
- increased sanctions - fines of up to €20m or 4% of global annual turnover, whichever is higher
- significant notification obligations in the event of a personal data breach - the supervisory authority must be notified within 72 hours of the organisation becoming aware of it
- increased obligations on data processors
- one stop shop for data protection compliance and supervision
- significant obligations on demonstrating compliance
- certain requirements to appoint data protection officers
- significant obligations on obtaining consent
- a right to data portability, allowing individuals to move their data to other service providers
It is now essential that GDPR compliance is put on the leadership agenda. Organisations should carry out a gap analysis to identify their main areas of compliance weakness, and then prepare project plans for closing those gaps. It is likely that early fines will be handed out to show that data protection authorities across the EU are serious about enforcement.
The GDPR will enter into force 20 days after its publication in the Official Journal, which is expected to happen sometime between May and July 2016, and will apply two years later. This means organisations will need to be compliant by May/July 2018.
Are you getting ready?!
In practice, the EU hopes the GDPR will give citizens in all 28 member states more information on how their personal data is processed, presented clearly and understandably. They will gain the right to know as soon as possible if their personal data is ever compromised, while the "right to be forgotten" has been clarified and strengthened. It will also become easier for people to transfer data between service providers, with the introduction of a right to data portability. The EU also said it saw benefits for businesses: companies will have to deal with only one supervisory authority across the EU, as opposed to one in each member state in which they operate, which it estimated could save €2.3bn per year. Non-EU companies that offer goods or services to people in the union, or monitor their behaviour, will also be subject to the Regulation.