Data Protection – a change on the horizon?
At the end of last week, after three years of discussions, the EU Parliament voted in favour of new EU data protection regulation. The General Data Protection Regulation (GDPR) will replace the Data Protection Directive 1995 from 2018. Once the translation process is complete (likely in two to three months’ time), it will be published in the EU Official Journal, and come into force 2 years after that.
A 2 year run-in period from now seems like a long time away, but the change that this regulation will bring about could be extensive.
What you need to know
- the GDPR is a much more prescriptive and expansive set of obligations, which will bring with it greater restrictions on staff data-processing overall and less flexibility;
- it will catch data controllers and processors outside of the EU;
- in certain circumstances, companies may need to appoint their own data protection officers, particularly those whose core activities involve regular or systematic monitoring, or large-scale processing of sensitive personal data (e.g. related to health, racial or ethnic origin) and personal data relating to criminal convictions and offences;
- a data subject’s consent must be freely given, specific, informed and unambiguous. Companies will have to show that consent was given, and more detail will have to be provided;
- the GDPR sets much tighter standards on the nature of the data employers can retain and for how long. Record retention periods will need to be identified.
There will be a tiered approach to penalties and, depending on the breach, maximum fines could be between 2% and 4% of an undertaking’s total worldwide annual turnover in the previous year.
What we can do for you
Companies will need to be aware of these changes and alive to issues such as the fact that Subject Access Requests may become more frequent but also more difficult to administer (as the ability to charge a fee is removed), the timescales for responses become more rigid and some of the exemptions commonly relied upon currently will disappear.
Handling of sensitive personal data is also likely to be more difficult, especially data relating to criminal records. Record keeping will also increase significantly to ensure compliance with the GDPR.
We can help familiarise you with the GDPR and the obligations that may apply to you and how to plan for the introduction of this new regime.