General Data Protection Regulation (GDPR)

May 24, 2016

In 2012 the European Commission announced plans to reform data protection with the aim of standardising data protection rights across the European Union, regardless of where a citizen’s data is processed. The General Data Protection Regulation will be directly applicable in all Member States without the implementation of national legislation and it is anticipated it will come into force in 2018.

The new Regulation will replace the current Directive and is aimed at harmonising the flow of data through Member States. The objective is to simplify data protection rules for companies, strengthen citizens’ fundamental rights, provide administrative cost savings and unify the currently fragmented regulations. There is a strengthening of regulations relating to criminal law enforcement authorities which is directed at ensuring that the personal data of victims, witnesses and suspects of crime are protected and it is anticipated that there will be an enhancement of cross border co-operation to fight against crime and terrorism.

The legislative process to bring the new Regulation into force commenced in December 2015 when the European Parliament, the Council and the Commission agreed the new rules and data protection framework. This was a major step forward in the implementation of the Digital Single Market Strategy. There are several key changes to the current data protection landscape in the EU which the introduction of the GDPR will bring about, including:-

  • Expansion of territorial Reach: GDPR will apply to data controllers and processers outside the EU whose processing activities relate to the offering of goods or services to, or monitoring the behaviour of EU data subjects.
  • Increased accountability: Data controllers will be required to show increased levels of compliance through maintenance of certain documentation, completion of data protection impact assessments and data minimisation.
  • Consent of data subjects: Consent to processing of personal data must be freely given, specific, informed and unambiguous shown either by a statement or a clear affirmation action indicative of agreement.
  • Role of data processers: Data processers will have direct obligations including the appointment of a Data Protection Officer in some circumstances and the duty to promptly notify the data controller of data breaches.
  • Sanctions: GDPR introduces a tiered system of sanctions where fines of up to 4% of an organisation’s annual worldwide turnover can be imposed for some specific breaches.
  • Right to be forgotten: GDPR gives the right to individuals to require the erasure of their personal data in certain circumstances.

Companies and organisations are now being encouraged to commence preparations for the introduction of the new Regulation by putting procedures in place to deal with the GDPR’s new transparency and individuals’ rights provisions. The new rules emphasise the requirement for data controllers to keep documentation to demonstrate their accountability and this is likely to require a review of an organisation’s governance and current data protection management procedures including any contracts in place with organisations with which data is shared.

Further information on the GDPR can be accessed through the Information Commissioner’s Office or if you require specific guidance please contact Cleaver Fulton Rankin’s Public Law Unit for assistance.

This article has been produced for general information purposes and further advice should be sought from a professional advisor. Please contact our Public Law Unit at Cleaver Fulton Rankin for further advice or information.

Louise Coll, Associate Solicitor, Public Law Unit, Cleaver Fulton Rankin, Solicitors, DD 02890 271311