The EU General Data Protection Regulation ("GDPR") has today been published in the Official Journal of the European Union, firing the starting gun on the two-year implementation period.
The GDPR will come into force on 25 May 2018. From that date, data controllers and processors will have to be compliant with all the new rules in relation to the personal data they are holding, even if the data was collected prior to that date. This is likely to be a complex task. Therefore, if your organisation hasn't yet started planning for the GDPR, it should consider doing so now.
As previously reported, the headline points from the GDPR are as follows:
- Maximum fines for data protection breaches of 4% of global annual turnover;
- Mandatory reporting of serious security breaches to regulators and affected individuals;
- Stricter rules on obtaining consent, with companies no longer able to rely on "opt-outs" to justify data processing;
- New rights for individuals, including a "right of erasure" to require companies to delete their personal data;
- Direct obligations placed on data processors for the first time, including specific new requirements for existing and new data processing contracts;
- New overarching principles of "privacy by design" and "privacy by default", requiring organisations to build in data privacy protections from the start in all new products and services;
- Companies which process sensitive data on a large scale, or which monitor individuals on a wide scale, will need to appoint an expert, independent and senior Data Protection Officer;
- Companies based outside the EU will be subject to the GDPR when offering goods or services in the EU, or monitoring individuals in the EU; and
- Pan-European businesses will have a lead data protection regulator in the EU country where they are mainly established (the so-called "One Stop Shop").