According to the European Commission, the reform package will "make Europe fit for the digital age" and "put an end to the patchwork of data protection rules that currently exists in the EU".
The legislation in question consists of the General Data Protection Regulation (GDPR) and (not considered further here) a Data Protection Directive for the police and criminal justice sector.
Key relevant reforms of the GDPR include the following:
- Data processors to be directly liable to data subjects for breaches of the processing requirements in the Regulation;
- The introduction of "pseudonymisation" (explained here) as a recommended measure to consider for safeguarding personal data;
- Consent to data processing to be expressly defined as the freely given, specific, informed and unambiguous indication of a data subject's wishes (watch this space as to how this may affect the UK's current reliance on implied consent for legalising the use of website "cookies");
- Removal of the requirement to register as a data controller with the data protection authorities (the ICO in the UK), but in its place organisations must be able to demonstrate compliance with the data protection legislation, for example by following approved codes of conduct;
- The Regulation confirms data subjects' "right to be forgotten" and the obligation on data controllers to provide them with information "in a concise, transparent, intelligible and easily accessible form, using clear and plain language" (the principle of "transparency") when processing their personal data;
- Data protection authorities will be able to fine organisations up to a maximum of 4% of the total worldwide annual turnover in the previous year for serious breaches;
- Data controllers will have to notify the relevant authorities within 72 hours of a breach which is likely to represent a risk to individuals, and to the individuals themselves where the risk is high (unless it has been mitigated);
- A new "one-stop shop" for regulating the GDPR where an organisation is based across multiple jurisdictions;
- Organisations will need to consider carrying out detailed data protection (privacy) impact assessments where processing of data represents a high risk for the individuals concerned, particularly where the processing involves the use of new technologies. In certain circumstances they will also need to appoint a designated data protection officer;
- The encouragement of new certification schemes that demonstrate compliance with the data protection principles and that may also be used to authorise the transfer of data outside the EEA.
As always with data protection legislation, organisations are going to have to wait for guidance from the supervisory authorities for clarity as to how the new rules will affect their operations. We will keep you up to date with relevant guidance from the ICO as and when it becomes available.