General Data Protection Regulation, what’s all the fuss about?
Feb 21, 2017
As you may have heard, the EU General Data Protection Regulation comes into force on 25 May 2018. Why do you need to worry about this? Surely it will just be something that lawyers earn extra fees out of, right? Unfortunately it is a little more important to you than that and will require positive action from all companies to ensure compliance. When the Regulation comes into force in May 2018, you will be required to have certain policies and procedures in place to protect Personal Data. The Regulation does not just deal with legal elements to be negotiated when entering into contracts.
Amongst other provisions, either newly inserted or updated in the Regulation, data processors (service providers that process personal information on behalf of other businesses) will now have direct obligations for the first time. Previously, the data controller (business that receives personal information from its clients and instructs service providers) was responsible, and therefore liable, for any breaches of data protection laws. With these direct obligations comes direct liability for data processors, meaning that systems and processes need to be put in place to avoid potentially hefty fines, which may be levied by the National Data Protection Authorities (“NDPA”).
Updated liability provisions are particularly important for data processors, who would under the current data protection laws not be directly liable as the data controller would be responsible for its actions. Under the Regulation, data processors will now take direct liability for any breach by it of its obligations under the Regulation.
It is also worth noting that regardless of the outcome of the UK’s Brexit negotiations, primarily whether the UK will continue to be bound by EU Laws, the Information Commissioners Office has made clear that the provisions of this Regulation will be mirrored in UK law.
See below some of the key updates:
Liability Provisions. NDPAs will now have increased enforcement provisions allowing them to levy fines on data controllers and data processors, who take on joint and several liability under the Regulation, on the basis of a 2 tiered system, dependent on the severity of the breach:
(i) greater of (a) 2% of annual worldwide turnover or (b) €10 million for less severe breaches such as violations of internal record keeping, data security notifications or data breach notifications; and
(ii) greater of (a) 4% of annual worldwide turnover or (b) €20 million for more severe breaches such as a breach of the data protection principles, violations of conditions to data subject (individual or company to whom the personal information relates) consent, data subject rights or international data transfers.
Actions taken by each of the data controller and data processor in the breach of the Regulation will be taken into account, as will any actions taken to mitigate the loss suffered by a data subject, by an NDPA when determining the level of the fine.
Privacy by Design/by Default and Impact Assessments. The Regulation puts the obligation on data controllers to undertake internal assessments in relation to risks posed to data subjects through data processing systems for proposed new product or service offerings. In addition to these internal assessments, Companies may have to undertake a more formal ‘Impact Assessment’ where the proposed data processing systems are particularly risky.
The Regulation also introduces the concept of ‘pseudonymisation’. In overview, any data, which doesn’t expressly refer to a data subject, but which, when combined with additional data, would relate to that data subject, will now constitute ‘Personal Data’ for the purposes of the Regulation. This means that data controllers and data processors will need to treat such data with the same protections as all other ‘Personal Data’.
Binding Corporate Rules. In a recent EU court case of “Schrems”, the EU courts found the Safe Harbour contractual clauses to be invalid. Further, the use of contractual obligations in relation to the transfer of ‘Personal Data’ outside of the EEA is also being challenged. The Regulation formally recognises the Binding Corporate Rules (“BCR”) as an agreement to lawfully transfer Personal Data outside of the EEA within a corporate group of companies only. Please note that BCR will not cover transfer of ‘Personal Data’ between unconnected companies.
The above constitutes a brief overview of some of the key provisions of the Regulation. Please note that the Regulation encompasses various other amendments and updates to the current data protection legal landscape and you should therefore read around the area in more detail, or seek professional legal advice, in relation to specific requirements for your business.
Should you wish to discuss the Regulation further and find out about any assistance Waterfront Solicitors data protection lawyers can provide, including auditing your existing policies and procedures or advising you on how to adapt your business to adhere to the Regulation, please contact either:
Alison Berryman (Alison.Berryman@waterfrontsolicitors.com)
Alison is Waterfront’s resident Data Protection and Privacy expert, advising clients on all aspects of data protection and privacy law as well as carrying out data protection audits and providing staff training on this complex area.
Alison also specialises in drafting and negotiating a very broad variety of commercial contracts, particularly for clients in the digital media, technology, software and e-commerce and entertainment sectors.