Yesterday evening a political agreement about new EU data protection rules was reached following final negotiations between the Parliament, the Council and the Commission (the so-called 'trilogue' meetings). The new rules will be set out in a regulation that will be directly applicable across all 28 EU member states (General Data Protection Regulation or GDPR) and will modernise and unify data protection laws across the region. Following the One-stop-shop principle, businesses will only have to deal with one single supervisory authority.
Significantly, businesses that are found to be in breach of the GDPR may be liable to pay penalties of up to 4% of their total worldwide turnover, indicating that the EU intends data protection to become a board-level issue.
The GDPR will remove certain obligations that currently exist. For example, businesses will no longer be required to notify their data processing activities to the various national data protection authorities and this obligation will be replaced by a requirement to keep an inventory of data processing activities.
The GDPR will also introduce new data protection requirements. For example, businesses will be required to:
- appoint a data protection officer in certain circumstances (eg. for companies processing sensitive data on a large scale or for those that collect consumer information);
- notify data breaches to the relevant data protection authorit(y)(ies) within 72 hours. In certain circumstances the breach will also have to be notified to the affected data subjects;
- conduct privacy impact assessments before carrying out high-risk data processing; and
- build in privacy by design when processing personal data.
Unlike the current EU data protection rules, many of the new rules will also apply to data processors (eg. an external payroll services provider processing data for an employer).
The provisional agreement on the text of the GDPR will be put to a confirmation vote in the Civil Liberties Committee on the morning of Thursday 17 December in Strasbourg, although this is expected to be more of a formality. Provided that the text is approved, it will then be put to a vote by Parliament as a whole at the beginning of 2016, after which the regulation will become directly applicable and will take effect in Member States in 2018.
Social Media cookies collect information about you sharing information from our website via social media tools, or analytics to understand your browsing between social media tools or our Social Media campaigns and our own websites. We do this to optimise the mix of channels to provide you with our content. Details concerning the tools in use are in our privacy policy.