5 things you need to know about the EU General Data Protection Regulation

By Gayle McFarlane of Cordery

What is this all about?

The EU is in the process of reforming its existing data protection rules. These reforms have been moving slowly through the EU legislative pipeline, but on 15 December the European Commission announced that a political agreement had been reached (although we are yet to see the final text!). Even though the expected implementation date of these rules is still two years away, we strongly recommend that businesses prepare now, as the reforms go well beyond an upgrade. Many deals signed or relationships entered into that involve personal data are likely to be covered by the new rules, and most businesses will need to start now to be ready in time.

The top 5 things you need to know about these new regulations:

  1. Regulation should be Europe-wide (although we might need to keep an eye out for some exceptions to this)
  2. Fines will be substantial – the current available draft suggests up to €20m, or 4% of total worldwide annual turnover for the preceding financial year (whichever is the greater), for some key offences
  3. There will be a new system of data breach notification to data protection authorities…
  4. … and you may have to tell the victims as well
  5. You may have to appoint a data protection officer if you fall within a defined category.

What is EU data protection?

The right to privacy is mainly regulated in the EU under a 1995 Directive (Directive 95/46/EC) that controls the processing of personal data. These rules place major compliance requirements on businesses both inside and outside the EU.

Why is this change happening?

In January 2012 the European Commission introduced the proposed new Regulation with the overall objective of significantly overhauling the 1995 rules, the mantra being to catch up with the huge advances of the digital age. Other aims include a less administratively burdensome and costly regime for businesses, an extension and expansion of individuals' rights, and making privacy by design the norm.

What new rules will there be?

There are in fact two proposed sets of new rules as follows.

  • Firstly, there is a Regulation, which sets out a general EU framework for data protection, i.e. to replace the 1995 Directive. A Regulation has been chosen because this format should be immediately applicable law once adopted – it will not require EU Member States to pass further legislation. This said, there still seems to be some opportunity for Member States to deviate from some of the rules. Further, Member States like the UK will still face legislative questions about what to do with aspects of their national data protection rules that go beyond the EU rules.
  • Secondly, there is a Directive, which specifically deals with protecting personal data processed in a law enforcement context. Most businesses do not need to be too concerned about the Directive, but it forms part of a package with the Regulation, and because the Directive has been subject to procedural delay this is likely to affect the timing and adoption of the Regulation.

Visit Cordery to find out more about these proposed changes and what effect they will have on your organisation.
