It has finally happened. Like that train you are waiting for that keeps getting delayed but eventually arrives. The all-powerful trio comprising the European Parliament, the Council of the EU and the European Commission arrived at their destination after a journey of four years, and on December 15th, 2015, agreed the final text of the EU General Data Protection Regulation (GDPR). Once formally adopted in the coming weeks, the GDPR will create a completely new legal framework for the collection, use and sharing of personal information that will apply well beyond Europe.
At this stage we can only predict the impact of this framework and whether it will be effective at protecting our digital lifestyles, but the legislators’ ambition is unprecedented. With its unmatched level of complexity and strict requirements, the Regulation aims to take data-protection compliance to a new level.
So what are the practical differences between the new Regulation and the regime under the existing Data Protection Directive? In other words, how are the lives of global privacy professionals and the organisations they represent going to change as a result? Here are the highlights:
A single law of wide extraterritorial applicability—One of the original motivations for legal reform was the inconsistency of myriad national laws across the EU. On paper, having a single law will provide much needed consistency, but of course it will still be interpreted in accordance with national approaches and idiosyncrasies. The real geographical impact will be its extraterritoriality: the moment a website places a tracking cookie on an EU-based device, or an app collects usage data from such a device, you’re caught.
Tighter rules on consent—Relying on consent to justify the use of personal information remains central to the European approach to data privacy. The difference now is that it cannot be bundled with terms and conditions. Plus, if consent is presented as “take it or leave it,” it won’t be regarded as freely given.
Age of consent de-harmonisation—The requirement for parental consent for the use of personal information of under-16 year olds will be at the discretion of Member States. This will result in lack of harmonisation and the need for a country-by-country approach to compliance when teenagers’ data is involved.
Biometric data is sensitive data—Genetic data and biometric data that are used to identify someone are now “sensitive personal data” and subject to stricter rules.
More detailed transparency obligations—This is something that has been in the pipeline from day one. Many of us who cut our teeth drafting detailed privacy notices will need to dust off old skills to meet the new legal requirements in a meaningful way—an extra challenge for those involved in the Internet of Things and interface-light devices.
RTBF and data portability—Individuals’ rights have all been given a makeover. There are very wide grounds to exercise the new “right to be forgotten,” and a completely new right to data portability. That means a greater need to be ready to honour people’s increased level of control.
Accountability 2.0—This new agreement lays out a whole new set of rules around the accountability of controllers, the severity of which will depend on the privacy risks for individuals. These include obligations to implement compliance policies, data protection by design, data protection by default, record keeping obligations, data protection impact assessments and to engage in prior consultation with data protection authorities in high-risk cases.
Data processor obligations—There will now be legal obligations on data processors for the first time. The most radical is that a processor may not sub-contract the service without the consent of the controller.
Data controller obligations—The text mandates extremely detailed requirements for data controllers to impose contractually onto vendors acting as data processors. From a day-to-day compliance perspective, this will be one of the toughest challenges, particularly when engaging cloud services or any of the off-the-shelf solutions on which every business relies to communicate and store data.
Breach notification—Organizations will have to provide data breach notification to data protection authorities within 72 hours of spotting an incident. Three days is just so tight! However, the obligation does not apply if there is no risk for individuals. But if the risk is high, you need to notify the individuals as well.
Data protection officers—This is big news for the privacy profession. The new GDPR will require mandatory data protection officers for controllers and processors in the public sector and for large-scale data processing activities. This will apply to all types of organisations irrespective of their size. Will this be the answer to unemployment in Europe?
Voluntary certification—There will be new voluntary data protection certification schemes for controllers and processors.
International data transfers—Restrictions on international data transfers of course remain, but there is a whole new menu of options to legitimise those transfers—in addition to model clauses—including BCRs (available to controllers and processors), ad-hoc agreements, codes of conduct and certification.
One-stop shop light—An ecosystem for pan-European supervision by data protection authorities. This will be coupled with the establishment of the new European Data Protection Board, which will become a sort of “Article 29 Working Party on steroids.” The obvious outcome is that EU regulators will demand much more attention.
Big time fines—There will potentially be very serious consequences for non-compliance. These include the right to compensation for breaches for material or immaterial damage, and huge fines of up to four percent of the total annual turnover of a company.
All of that leads to what I believe will be the crucial difference between the role of privacy before and after the Regulation: If you had not been asked before, prepare yourself to present to the Board and explain why this matters for the bottom line, as more than ever this is set to become a business-critical issue.
This entry originally was published on the International Association of Privacy Professionals’ (IAPP) Privacy Perspectives blog.