Special feature from JLT Consortium Partner - Andrew Shindler and Thomas J. Smedinghoff from Locke Lord LLP
In less than 200 days, on 25 May 2018, the EU General Data Protection Regulation (GDPR) goes live. It is the biggest change to European data protection law in over 20 years, and will have a major impact on businesses across the USA and all around the world.
With less than 200 days to go, it’s time for the talking to stop and the impact assessments to begin. We highlight some of the most far-reaching changes and burdensome requirements.
But first, note that with its extraterritorial impact, you don’t have to be doing business in Europe to be subject to the GDPR.
Under previous EU data protection law, you were not subject to its provisions unless you were established in the EU or located your computing equipment there.
Now you are also covered if you simply offer goods or services to individuals in the EU, or monitor their behaviour. In a recent international report, more than 70% of non-EU respondents said the GDPR will apply to their organisation.
The maximum fine for breaching the GDPR is up to 40 times larger than under the previous law, and even more for big business.
EU data authorities have been given the power to levy fines up to EUR 20 million or 4% of annual worldwide gross revenue, whichever is greater.
Although this sounds incredibly frightening, fines are intended to be proportionate and discretionary, applied on a case-by-case basis.
RIGHTS OF DATA SUBJECTS
Individuals have a right to obtain copies of all their personal data you are processing, generally within 30 days. They also have the right to have it ported to another provider or to object to its processing on certain grounds. They may also be able to require its erasure – the “right to be forgotten”.
REPORTING DATA BREACHES
There is a legal obligation to report a “personal data breach” to the authorities where there may be a risk to individuals – this includes cases where someone hacks into your system or you find that personal data you hold has been lost.
Reporting must take place without undue delay, and where feasible, within 72 hours.
In more serious cases, all the individuals potentially affected must also be notified. This will not apply if the data accessed is properly protected, e.g. by encryption.
You must provide individuals with extensive information about how you will process their data – in a transparent, intelligible and easily accessible way – using clear language.
HIGHER STANDARD FOR CONSENT
Where you rely on “consent” for processing personal data, the GDPR has raised the bar. Separate consents are now required for different processing activities. Pre-ticked boxes and blanket consents are not valid and individuals must be able to easily withdraw consent at any time.
For children under 13, and potentially up to 15, parental consent is required.
PROCESSORS NOW LIABLE
Under the previous law, if you processed personal data on someone else’s instructions, you were a “data processor” and not a “data controller” and not directly subject to the law. This is no longer the case; data processors and data controllers are jointly liable for breaches they are involved in.
DATA PROTECTION OFFICERS (DPO)
Public authorities, organisations whose core activities require regular and systematic monitoring of data subjects on a large scale, or organisations which process special categories of data on a large scale, must appoint a DPO. The DPO must be suitably skilled and experienced and report to the highest levels of management.
Other organisations which process significant personal data are recommended to do so.
A recent international study found that in Europe alone, 28,000 DPOs will need to be appointed by 25 May 2018.
PRIVACY IMPACT ASSESSMENTS (PIA)
If you are engaged in “high” risk processing – processing that presents a risk of infringing a person’s rights and freedoms, such as large scale processing of sensitive data or monitoring and profiling individual activities – you must carry out a PIA.
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org