On 14 April 2016, the European Parliament approved the General Data Protection Regulation (GDPR). The GDPR will replace the currently valid Data Protection Directive from 1995, which has been transposed into the national legislation of each EU Member State. The GDPR will apply in all the EU Member States directly without any need to implement it through national law.
The GDPR will enter into force 20 days after its publication in the EU Official Journal, which is expected in the upcoming weeks. Its provisions will apply in all EU Member States two years after the date of its entry into force, likely between May and July 2018.
The GDPR includes many new provisions with a significant impact on the personal data processing activities and procedures of companies. Some of the key amendments compared to the current rules include:
- Heavy fines for violations of data protection regulation: up to 2% of a company's global revenues for the previous year for minor infringements, and up to 4% for major ones. In the case of corporate groups, fines can be calculated on the basis of their global consolidated revenue.
- Companies located outside the EU must also comply with EU data protection requirements if they process the personal data of data subjects from the EU or direct their business activities to the EU.
- Companies must compile and maintain documentation of their data processing activities. A data protection impact assessment should be conducted for processing that involves a heightened level of risk. On the other hand, notification obligations and the requirement to seek authorisation from the local data protection authority (DPA) for processing personal data will be abolished in many cases.
- Companies must employ data protection by design and by default in their operations, services and products.
- New rules on data breach notification: breaches that are likely to affect the rights and freedoms of individuals will need to be reported to the local DPA and, in some circumstances, to the data subjects themselves.
Despite its direct effect, the GDPR contains numerous exceptions where local Member State laws can further specify its rules and where the European Commission can adopt relevant implementing acts. Therefore, it will still be necessary to assess Member State laws.
In order to comply with the new requirements by 2018, we recommend drawing up a compliance plan. Considering the heavy potential fines, the need for this planning phase should not be underestimated.