General Data Protection Regulation finally adopted

Spotlight
15 June 2016

On 14 April 2016 the General Data Protection Regulation ("GDPR") was approved by the European Parliament. This brings to a conclusion a legislative process that has lasted more than four years. The new Regulation will dramatically change the processing of personal data in your company.

What will change with the Regulation?

The Regulation will replace the existing Privacy Directive (Directive 95/46/EC) and will substantially change the legislative framework for data protection.

Some of the new features provided for in the Regulation are:

  • extraterritorial effect for non-EU companies offering goods or services in the EU;
  • a strong emphasis on the accountability of companies that process personal data;
  • independent obligations for processors of personal data;
  • enhanced rights for data subjects: the right to be forgotten, the right to data portability, etc.;
  • the obligation to notify data breaches;
  • the obligation to appoint a data protection officer in certain cases;
  • introduction of the principles of privacy by design and by default;
  • …

Last but not least, the Regulation allows for violation of the new rules to be penalised with huge fines of up to 4% of the global annual turnover of the infringing undertaking.
When does the Regulation enter into force?

The Regulation will soon be published in the Official Journal of the European Union, and it will enter into force 20 days after publication. Companies will then have two years, i.e. until 2018, to make sure they comply with the Regulation.

What do you need to do as an undertaking?

Undertakings need to conduct a gap analysis as soon as possible to assess their data protection programmes. This not only involves mapping all the company's data, but also mapping all channels through which the company communicates with a data subject (privacy policies, website, contracts, newsletters, e-commerce tools, etc.) and all the company's internal procedures (such as data breach policies). Once that analysis is completed, measures can be identified which will allow the company to comply with the Regulation by 2018.