What is the GDPR and why should your law firm care?
Seeking to better protect EU citizens from privacy and data breaches, the EU General Data Protection Regulation (GDPR) was adopted in April 2016. It’s been described as the most important change in data privacy regulation in 20 years.
Organisations that don’t comply may be fined up to €20m or 4 per cent of their global annual turnover, whichever is higher, for the most serious infringements. The GDPR will be enforced from 25 May 2018, so there’s still time to prepare your law firm.
Harmonising data privacy laws
More than four years in the making, the GDPR replaces Data Protection Directive 95/46/EC and (according to the EU GDPR website) it will “harmonise data privacy laws across Europe, protect and empower all EU citizens and reshape the way organisations approach data privacy”.
The Directive it replaces dates from 1995; the GDPR was regarded as necessary because the world has become significantly more data-driven in the 20 years since.
Furthermore, the European Commission recognised that differences in implementation between individual Member States were creating “complexity, legal uncertainty and administrative costs”, while “affecting the trust and confidence of individuals and the competitiveness of the EU economy”. The GDPR, it believes, will “strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the Digital Single Market”.
The GDPR will apply to all companies – regardless of their location – that store and process the personal data of data subjects living in the EU. So UK companies that process personal data in the course of selling goods or services to people in other EU countries will need to comply with the GDPR, regardless of the UK leaving the EU, which isn’t likely to happen until some months after May 2018.
According to the EU GDPR website, things are “much less clear” for companies that only offer goods and services to or monitor data subjects living in the UK. “The UK Government has indicated it will implement an equivalent or alternative legal mechanisms”, it says, that will “largely follow the GDPR, given the support provided to the GDPR by the ICO [Information Commissioner’s Office] and UK Government as an effective privacy standard”.
Personal data is defined as “any information related to a natural person or ‘data subject’ that can be used to directly or indirectly identify the person”. So, that can mean a name, photograph, email address, bank account details, medical information, computer IP address – and even social media posts.
Although the previous Directive’s key data privacy principles remain, the GDPR will usher in significant changes. Arguably, the most significant concerns jurisdiction, with the GDPR applying to all companies – inside and outside the EU – that store and process the personal data of people living in the EU, regardless of whether the data itself is processed in the EU or not.
Penalty rules will apply to both controllers and processors, so cloud service providers handling personal data on a firm’s behalf will also be subject to GDPR enforcement. Consent from data subjects must be given in “an intelligible and easily accessible form, with the purpose for data processing attached to that consent”.
Right to be forgotten
Notification of data breaches to the supervisory authority will be mandatory in all Member States, within 72 hours of the organisation becoming aware of the breach, where the breach is likely to create a “risk for the rights and freedoms of individuals”. Data subjects will also have the right to obtain confirmation from the data controller about whether their personal data is being processed, where and why.
Data subjects will also have the “right to be forgotten”, requiring controllers to erase their personal data, refrain from disseminating it and potentially stop third parties processing it. And data protection must be included from the start when information systems are being designed. More comprehensive details of the changes appear on the EU GDPR website.
Visit the website of the ICO (“the UK’s independent authority set up to uphold information rights in the public interest”) for more information about the GDPR.