The European Parliament has formally approved the EU's general data protection reform package. The current EU rules are contained in the Data Protection Directive (“DPD”) which dates back to 1995. The reforms will update and harmonise data protection procedures, address new technological developments and bolster enforcement across the EU. As an EU regulation the new laws will be directly applicable across the EU without the need for implementing legislation.
The reform package consists of two instruments:
• The General Data Protection Regulation (“GDPR”) which overhauls the data protection rules (and will have most impact on businesses).
• A new Data Protection Directive for the police and criminal justice sector.
There are several critical differences between the GDPR and the DPD. The GDPR will enhance rights for individuals, including:
• providing them with easier access to their personal data;
• providing better information about what happens to their personal data once it is shared;
• a "right to be forgotten" where individuals can have their personal data deleted when the data controller has no legitimate grounds for retaining it;
• a right of data portability whereby individuals can transfer their personal data to another service provider;
• a right to object to profiling.
Where a data security breach occurs, under the GDPR data controllers must notify the national data protection authority without undue delay and, where feasible, no later than 72 hours after having become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. The GDPR will also remove the requirement for companies to submit an annual registration with a national data protection authority, instead requiring them to maintain detailed documentation demonstrating compliance in their data processing.
As regards non-compliance, the GDPR will enable national authorities to impose fines of 2% or 4% of annual worldwide turnover (depending on the infringement). In addition, the GDPR introduces direct compliance obligations for data processors and they may be liable to pay fines for non-compliance.
The GDPR comes into force in two years and is likely to require organisation-wide changes for many businesses, to ensure that personal data is processed in compliance with the new requirements. Such changes may include redesigning systems that process personal data, updating data protection policies, establishing a framework for accountability, renegotiating contracts with third party data processors and restructuring cross-border data transfer arrangements. The Information Commissioner's Office (“ICO”) has encouraged organisations to begin preparing for the GDPR now, rather than delaying until the outcome of the EU "Brexit" referendum on 23rd June 2016, which would mean losing valuable compliance preparation time.