This is the first of a number of blog posts leading up to my keynote at the upcoming Computerworld conference on Data Security in Copenhagen 27 January 2016. Within the next 4-5 weeks I will try to cover in more depth the about 8 specific topics mentioned below. Although, the presentation is meant for a Danish audience, it is relevant for other jurisdictions that are reached by EU regulation of personal data protection.
After long negotiations in the so-called trilogue, on December 15 the legislative institutions of EU agreed on the final version of the General Data Protection Regulation. The General Data Protection Regulation must be formally approved after which it will be published in the beginning of 2016. The General Data Protection Regulation will enter into force 2 years and 20 days after it is officially published. Thus, the expected effective date is the first quarter of 2018.
On a general level, the main consequences of the General Data Protection Regulation are (a) that processors of personal data will have more extensive responsibilities, (b) that individuals will get extended rights and (c) that the national data protection agencies will have better and more severe sanctions. The specific requirements are reviewed on a overall level below.
In the future, the General Data Protection Regulation will apply for all processors of personal data. Companies outside of the EU must also comply with the regulation if they offer products or services to EU citizens. This is a new feature in relation to the scope of the regulation.
The General Data Protection Regulation will cover the same types of personal data as the previous data protection regulation, but with the addition of genetic (e.g. DNA) and biometric (e.g. fingerprints) data. Further, the concept of “pseudonymous data” is introduced where the data and the associated information that help to identify the persons behind the data are kept separated.
According to the General Data Protection Regulation, the consent from children will be regulated separately from adults. Consequently, children under the age of 13 are not allowed to give consent to processing of personal data in connection with online services. Companies with products and services targeted at children must keep this in mind.
In the future, a duty to report will be introduced, and accordingly, serious breaches of the data security must be reported to the national data protection agencies within 72 hours.
In the future, companies and authorities must make sure to comply with both the data protection regulation and also document this by having internal procedures and privacy policies in place – the so-called Privacy By Design and Privacy by Default. Further, it is required that the so-called “Privacy Impact Assessments” are carried out in a number of situations where the processing of personal data induces special risks on the individuals.
Another novelty is the requirement of a so-called DPO (Data Protection Officer) that must be associated with both companies in the public sector and companies in which the main activity is processing of personal data or in which a lot of personal data is processed. Consequently, this is not a general requirement, but it is important to determine if it is a requirement that applies to your organisation.
Companies and authorities have previously had a duty to inform the data subject, and henceforward this duty will be more comprehensive, giving in-depth information to individuals regarding the processing of their personal data and their rights according to the regulation.
“The right to be forgotten” will be cemented in the General Data Protection Regulation. However, the data controllers are still allowed to process personal data even if an individual requires that the data is “forgotten” if the data controller has a legitimate reason.
A new right to data portability is introduced. In the future, individuals who have submitted personal data to a data controller will have the right to obtain a copy of these personal data in a standard format or require that the data are transferred to another data controller if it is technologically possible.
The General Data Protection Regulation will introduce a so-called one-stop-shop mechanism according to which, as a rule, each company will only be in contact with one supervisory authority. To comply with this, the supervisory authorities within the EU must co-operate to a significantly greater extent than today, as well as secure that the decisions and guidelines issued by the authorities are harmonised.
As mentioned above, the enforcement of the regulation will be tightened. Among others, the level of fines has increased significantly. Contrary to the previous insignificant fines, fines up to EUR 20,000,000 or 4 % of the global yearly turnover may be issued, depending on which is highest.
In relation to international transfers, please note that the General Data Protection Regulation does not mention the invalid Safe Harbor agreement which instead is handled separately from the regulation.
It is important that you and your organisation have the new regulation in mind and consider your need to prepare for the new regulation, among these you should make the necessary compliance checks and incorporate suitable solutions that fit into your organisation and at the same time comply with the new requirements of the regulation.
(Thanks to my colleagues Amalie Langebæk and Kamilia Mondrup at Bird & Bird Copenhagen Office for help with writing this blog post.)