The EU General Data Protection Regulation (“GDPR”) has now been published in the EU Official Journal. It will fully apply from 25 May 2018.
By way of very quick reminder the key features of GDPR are:
- Streamlined data processing principles;
- Privacy by design and default;
- Recalibrated consent requirement;
- Mandatory data protection impact assessment for high risk to rights and freedoms situations;
- Mandatory data beach notification to regulators, within 72 hours, and mandatory breach communication to individuals;
- One-Stop-Shop regulator;
- Extra-territorial jurisdiction, where goods or services are offered from outside the EU to EU citizens or where their behaviour is monitored from outside the EU;
- New rights: the Right To Be Forgotten, The Right To Data Portability, and, The Right To Not Be Profiled;
- Subject Access Request: no charge, and, shorter response time (one month);
- New responsibilities and obligations for data controllers and processors;
- Data Protection Officers mandatory in certain circumstances, such as for large-scale, regular and systematic monitoring;
- Compensation for material or non-material damage for privacy infringements;
- Binding Corporate Rules officially legislatively recognised; and,
- Increased sanctions – maximum Euro 20 million or 4% of total worldwide annual turnover.
We will be updating our GDPR FAQs. In the meantime please see our short film about GDPR here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/.
We strongly recommend that compliance preparation begins as soon as possible and suggest the following ten action points to begin with:
- Put in place a privacy impact assessment process – map your data and determine areas of risk;
- Thoroughly review vendor contracts – you will need your vendors’ help especially in reporting security breaches very quickly. Make sure that you have the contractual rights to insist on this and make sure that you can hold your vendors to account;
- Prepare to update everything and prepare new detailed documentation and records ready for production for regulatory inspection – factor this into overhead costs;
- Review all key practical aspects such as data retention and destruction through all means of collecting data used by the business;
- Ensure that new aspects such as explicit consent, the Right To Be Forgotten, and, the Right To Not Be Profiled are all included in policies and procedures;
- Put in place a data breach notification procedure, including detection and response capabilities – also consider purchasing special insurance;
- If applicable, appoint a Data Protection Officer;
- Create compliance statements for annual business reports;
- Train staff on all of the above; and
- Set up and undertake regular compliance audits in order to identify and rectify issues.
The fuller reference to the GDPR is Regulation 2016/79 of the European Parliament and the Council, of 27 April 2016, OJ L 119 of 4 May 2016, which can be found here: http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC.
If you need help with GDPR please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH
Office: +44 (0)207 075 1785