After three years of negotiations, the European Union (EU) Parliament, Council and Commission have finally reached agreement on new European data protection rules. The draft General Data Protection Regulation (GDPR), which will replace the 1995 EU Data Protection Directive, is expected to be formally adopted by Spring 2016. It will then come into force two years later. At that point it will become binding law in all European Union member states without the need for national legislation to implement it. The GDPR will therefore harmonize data protection rules across Europe.
Under the new rules companies will no longer be required to notify the data protection authorities of any data processing activities being undertaken by them. Instead they will be required to maintain a significant amount of internal documentation on their data processing activities and controls. They will also be required to implement data protection ‘by design and default’ and conduct impact assessments where the use of new technologies may pose a high risk for the privacy of individuals.
Companies will also have to show that consent has been freely and unambiguously given by data subjects. This consent must be explicit when it relates to sensitive data. Data breaches must also be notified to the Data Protection Authority within 72 hours, and affected data subjects must also be notified in a number of specific circumstances.
Furthermore, the new data protection rules will have a wider territorial reach than the current rules. The GDPR will apply not only when personal data is processed in the EU, but also when personal data about EU residents is processed, even if the organisation processing the data is not itself in the EU. Moreover, under the GDPR companies could face fines of up to 4% of their total worldwide annual turnover for the most serious breaches of the regulation.
With only two years to comply with the new rules, companies should begin reviewing their data protection policies and processes as soon as possible.