After four years of negotiation, the new EU General Data Protection Regulation (GDPR) has today been formally adopted by the European Parliament. The Regulation will soon be available in all the official EU languages.
The Regulation will take effect twenty days from its post-vote publication in the Official Journal (May 2018) giving Data Controllers two years to prepare for the biggest change to the EU data protection regime in 20 years.
The Regulation will apply to any entity offering goods or services (regardless of payment being taken) and any entity monitoring the behaviours of citizens residing within the EU. Companies are now directly responsible for DP compliance wherever they are based (and not just their EU based offices) as long as they are processing EU citizens’ personal data.
For some breaches of the Regulation (e.g. failing to comply with Data Subjects’ rights or the conditions for processing) Data Controllers can receive a fine of up to 4% of global annual turnover for the preceding year (for undertakings) or 20 million Euros. For other breaches (e.g. failing to keep records or complying with security obligations) the fine can be up to 10 million Euros or 2% of global annual turnover (for undertakings).
The Regulation replaces the previous EU Data Protection Directive (95/46/EC), upon which the UK’s Data Protection Act 1998 (DPA) is based, without the need for further national legislation. It does though allow for substantial national derogations in a number of important areas, so in addition to amending or repealing their existing legislation and guidance, the Government and the Information Commissioner’s Office(ICO) will be working to finalise their positions on key issues such as exemptions, workplace privacy, healthcare services and biomedical research.
The Regulation is accompanied by the EU Policing and Criminal Justice Data Protection Directive which contains new rules for Data Protection when applied to crime and justice, but which can be implemented by each Member State through its own laws with greater flexibility.
All Data Protection practitioners and lawyers need to read the Regulation and consider its impact on their organisation and clients. The good people at Covington & Burling LLP have published an automated comparison here to allow readers to see how the Regulation has changed from its previous version.
Training and awareness at all levels needs to start now. Here is a nice video to get you started.
Act Now has a dedicated GDPR section on its website containing articles as well as details of our GDPR webinars and workshops. If you are looking for an up to date DP qualification with a focus on GDPR, have a look at our Data Protection Practitioner Certificate.