Following four years of negotiation, agreement has been reached between the EU institutions (the Commission, the Council and the European Parliament) on a reform of data protection law that will apply across all EU member states from 2018.
At present, although the existing Data Protection Directive of 1995 requires every member state to have provisions protecting personal data, it is not particularly prescriptive and each state was left to legislate as it saw fit. Consequently, data protection laws differ widely across the EU. The new General Data Protection Regulation aims to address this: as a regulation rather than a directive it will apply directly and uniformly in every member state, without the need for national implementing legislation.
Key provisions of new regime
The new Regulation must now be formally approved by the European Parliament, which is expected this month. The key provisions of the agreed text of which you should be aware are:
- Personal data breaches (for example, a successful hacking attack) must be reported to the competent supervisory authority without undue delay and, where feasible, within 72 hours of the company becoming aware of the breach; where the breach is likely to result in a high risk to the individuals concerned, they too must be informed.
- The steps a company takes to comply with the Regulation must be documented, so that compliance can be demonstrated to the supervisory authority on request.
- Businesses whose core activities involve large-scale processing of sensitive personal data, or large-scale regular and systematic monitoring of individuals (for example, tracking consumer behaviour online), will be required to appoint a dedicated data protection officer.
- The right to be forgotten (right to erasure): personal data must be deleted when it is no longer necessary for the purpose for which it was collected, or on request of the data subject where, for example, consent is withdrawn and no other lawful ground for the processing remains.
- The right to data portability: individuals may obtain the personal data they have provided to a service in a structured, commonly used and machine-readable format and transfer it to another service provider.
Companies based outside the EU must comply with the Regulation when they offer goods or services to individuals in the EU or monitor their behaviour there, even if they have no establishment in the EU.
The agreed text also contains a tighter definition of consent than the UK Data Protection Act 1998 (although the definition was always present in the underlying 1995 Directive; the 1998 Act simply did not reproduce it). Once the Regulation applies, any consent relied on in the UK for the processing of personal data must be freely given, specific, informed and unambiguous, and where sensitive personal data is concerned it must be explicit. As the Information Commissioner's Office has noted in previous guidance, the requirement that consent be freely given is likely to be difficult to satisfy in an employment context, given the imbalance of power between employer and employee, so employers will usually need to rely on another lawful basis for processing staff data.
Enforcement: new much tougher penalties
Enforcement will also change significantly, and non-compliance will become a far greater business risk: under the new regime supervisory authorities may impose fines of up to 4% of total worldwide annual turnover or EUR 20 million, whichever is higher, for the most serious breaches.
What should we do now?
These far-reaching changes, and the much greater business risk of non-compliance, will apply from 2018 (two years after the Regulation enters into force). Businesses should begin now to assess how their policies, systems and processes need to change: mapping what personal data they hold and why, reviewing the lawful basis relied on for each processing activity, and putting in place breach-detection and reporting procedures capable of meeting the 72-hour notification deadline.
We will report further when the Regulation is available in final approved form.
Should you require assistance in assessing how to revise your data protection policies to meet the revised rules, please contact us on +44 (0) 203 051 5711 or email us.
Content is for general information purposes only. The information provided is not intended to be comprehensive and it does not constitute or contain legal or other advice. If you require assistance in relation to any issue please seek specific advice relevant to your particular circumstances. In particular, no responsibility shall be accepted by the authors or by Abbiss Cadres LLP for any losses occasioned by reliance on any content appearing on or accessible from this article.