Heralded as one of the most significant changes to data protection law, the General Data Protection Regulation (GDPR) will take effect across the EU on 25 May 2018 [1]. Following four years of negotiation and discussion, the EU institutions have adopted the GDPR as a means of harmonising data privacy laws across the Member States; protecting and empowering individuals in the EU in relation to their personal data; and altering how organisations handle data privacy. In the UK, the GDPR will replace the Data Protection Act 1998 (the 1998 Act).
Why was the GDPR introduced?
Since the adoption of the EU Data Protection Directive in 1995 [2], vast technological advances have prompted a rethink of how data is collected and used. Growth in internet usage and ground-breaking technologies such as ‘big data’ and artificial intelligence have led both public and private organisations to produce and process ever larger datasets. The GDPR addresses these challenges by strengthening data privacy law, tipping the balance of protection in favour of the individual.
What are the key changes?
The GDPR introduces the following changes:
• Broadened territorial scope (Article 3)
The GDPR will apply to all companies or organisations processing the personal data of data subjects in the EU, regardless of where that company or organisation is located. Controllers and processors established outside the EU will be subject to the GDPR where their processing activities relate to offering goods or services to, or monitoring the behaviour of, data subjects in the EU. International companies and organisations therefore need to be cognisant of the territorial reach of the GDPR: a non-EU business that runs an online shop serving EU customers, or that tracks EU visitors’ browsing behaviour, falls within scope.
• Consent requirements (Article 7)
Companies or organisations requesting data subjects’ consent to use their data must now do so ‘in an intelligible and easily accessible form, using clear and plain language’ and with the ability to withdraw that consent as easily as it is to provide it.
• Individuals’ rights (Articles 12 to 23)
The GDPR broadens and strengthens the catalogue of data subjects’ rights, including the right to be informed, the right of access to personal data, the right to erasure and the right to data portability. It also introduces rights relating to automated decision-making, including profiling.
• Breach notifications (Article 33)
Companies or organisations acting as controllers will be required to notify the relevant supervisory authority (in the UK, the Information Commissioner’s Office) of a personal data breach without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. The 72-hour clock runs from the moment the controller becomes aware of the breach, and a processor that discovers a breach must notify the controller without undue delay, so incident response and contractual escalation procedures need to be in place before a breach occurs. Notification to the authority is not currently a legal requirement under the 1998 Act. [3]
• Enforcement powers and penalties (Article 83)
Companies or organisations in breach of the GDPR may be fined up to 4% of their total worldwide annual turnover for the preceding financial year or €20 million (whichever is the greater). A lower tier of up to 2% or €10 million applies to certain obligations, such as those relating to security of processing and breach notification. The GDPR therefore offers far more stringent penalties than the 1998 Act, under which the maximum monetary penalty is £500,000.
The way forward
The GDPR will change the regulatory landscape of data protection. As companies and organisations continue to accumulate significant volumes of data and to use it for a multitude of purposes, it is important that data subjects are fully aware of how that information is collected and used, and that, where consent is the basis for processing, they have given it freely. What remains to be seen is whether the new measures will suffice to address the constantly evolving challenges posed by technological developments.