After a long wait and a number of high profile cases, the EU General Data Protection Regulations (“Regulations”) have now been approved by the EU Parliament, the final hurdle to their implementation. The Regulations overhaul the EU data protection rules and bring the law up to date with the ‘digitised world’.
In its press release, the EU Parliament said that the Regulations “aim to give citizens back control of their personal data and create a high, uniform level of data protection across the EU fit for the digital era”.
What do the Regulations mean for you?
For citizens, the Regulations mean that they will be able to decide for themselves which personal information they want to share. For organisations, the Regulations create clarity by establishing a single law across the EU. However they do impose a number of onerous measures and significant fines for breaches of the Regulations.
The Regulations include the following key provisions:-
Data Protection Officer
Certain organisations will be required to appoint a data protection officer (DPO). These organisations include:-
- Public authorities or bodies, except for courts acting in their judicial capacity.
- Organisations whose core activities consist of processing operations which require regular and systematic monitoring of data subjects on a large scale.
- Organisations whose core activities consist of processing special categories of personal data (which include data revealing racial or ethnic origin, political opinions, and religious or philosophical beliefs) or personal data relating to criminal convictions and offences.
Data Protection Impact Assessment
A Data Protection Impact Assessment, more commonly referred to as a Privacy Impact Assessment (“PIA”), is an assessment of the impact of the proposed processing operations on the protection of personal data. A PIA is required where the type of processing is likely to result in a high risk to the rights and freedoms of natural persons. In this scenario the PIA must be carried out before the processing takes place.
Breach of the Regulations
The Regulations provide for both compensation for individuals and fines for breaches of the Regulations.
The current data protection legislation does not provide for a right to compensation. However, the Regulations now provide that any person who has suffered material or non-material damage as a result of an infringement of the Regulations shall have the right to receive compensation from the controller or processor for the damage. This provision significantly strengthens a data subject’s rights and ultimately puts a monetary value on personal data.
The Regulations also provide for administrative fines, which shall be “effective, proportionate and dissuasive”. There are two classes of fines:-
- Fines of up to €10 million or up to 2% of turnover, whichever is higher.
- Fines of up to €20 million or up to 4% of turnover, whichever is higher.
The lesser of the two fines is imposed for breaches of the Regulations which include failure to maintain a record of processing activities, failure to cooperate with the supervisory authority, and failure to notify of a breach.
The second category of fines is levied for breaches of the basic principles of processing, including obtaining consent, and transferring personal data outside the jurisdiction.
The potential impact of a fine at the above levels could be detrimental to an organisation’s survival and is prompting organisations to get ‘Regulation ready’.
Stay Calm and Get Ready
The Regulations will be directly applicable in all member states two years from now, spring/summer 2018, which provides sufficient time to prepare.
We will be posting regular articles to deal with specific areas of the Regulations to help you and your organisation.
Please click here for the press release from the EU Parliament.