The European Commission's proposal for a General Data Protection Regulation (GDPR) represents the most significant global development in data protection law since the obsolete 1995 EU Data Protection Directive. The GDPR aims to unify data protection laws to meet the challenges users face in the current digital climate and in particular, strengthen the protection of online personal data.
A "regulation", unlike a "directive", is directly applicable in all EU member states without the need for national implementing legislation. The Commission's aim is to harmonise data protection law across those member states.
When enacted into law, it will require all businesses handling EU residents' data to delete personal information on request or when the organisation no longer requires it, and will encourage the use of auditable deletion procedures by companies processing personal data.
Non-compliant businesses could receive significant fines: sanctions for data breaches range from €250,000 or 0.5% of annual worldwide turnover for less serious breaches, up to €100,000,000 or 5% of annual worldwide turnover for more serious infractions.
That's rather big news, so it is surprising that 81% of IT managers across Europe are unfamiliar with the proposed Regulation, according to research from Kroll Ontrack and Blancco.
According to the research, 61% of IT managers said that their organisations have not taken measures to achieve compliance with the pending regulation, and 55% have not reviewed and adapted their data destruction policies. A further 25% have no process in place at all to deal with data destruction.
Overview of the Draft Regulations
The 119-page draft is rather text heavy, as you would imagine coming from Brussels, the bureaucratic capital of the world. However, there are some significant changes to the existing regulations that need exploring. Among the most significant, the Proposed Regulation changes the consent requirement from "implied" to "explicit". It introduces new concepts such as the breach of security, the protection of children's information, the special status of data regarding health, journalism and so on, and the requirement for businesses to employ a data protection officer. It would require companies to conduct privacy impact assessments, to implement "Privacy by Design" rules, and to ensure "Privacy by Default" in their applications. Individuals would have greater rights, such as the "Right to be forgotten" and the "Right to Data Portability", which covers the ability to move your data seamlessly between providers. There is also a section regarding the transfer of data to different geographies, with big implications for cloud storage vendors and users.
There are also Special Categories of Processing that are not covered by these regulations, including health and journalism.
There will also be a requirement to maintain comprehensive process documentation, created and maintained in much the same way as the ISO systems already in place in most businesses. This information is similar to what is currently provided in notifications to the data protection authorities, but includes new requirements such as the obligation to keep track of transfers to third countries and to keep track of the time limits for the erasure of the different categories of data.
There is a section devoted to the security of personal data. In addition to the security requirements of the current directive, the Proposed Regulation introduces an obligation to provide notification of personal data breaches. In the case of a breach of security, the data controller is required to inform the local supervisory authority within 24 hours, if feasible. In addition, if the breach is "likely to adversely affect the protection of the personal data or the privacy of the data subject," the data controller is required to notify the affected users as soon as possible after it has notified the supervisory authority of the breach.
Data Breach Impact Assessment
There is a proposed requirement that obliges controllers and processors to carry out a data protection impact assessment if the proposed processing is "likely to present specific risks to the rights and freedoms of the data subjects by virtue of its nature, scope, or purposes. Examples of these activities include: monitoring publicly accessible areas, use of the personal data of children, use of genetic data or biometric data, processing information on an individual's sex life, the use of information regarding health or race, or an evaluation having the effect of profiling or predicting behaviours."
The Proposed Regulation introduces significant penalties for violation of the law. Organisations would be exposed to penalties of up to 1 million Euros or up to 2% of an enterprise's global annual turnover.
It remains to be seen how this initiative pans out, but the Proposed Regulation signals an intent to pursue infringers more aggressively and to equip the enforcement agencies with substantial tools to ensure compliance with the law.