knowledge | 28 January 2016 |

General Data Protection Regulation

On 15 December 2015 the European Commission, Parliament and Council reached an agreement on the General Data Protection Regulation (the “GDPR”), which is expected to be adopted shortly. When it comes into force (approximately two years from now) the GDPR will update and overhaul European data protection law. While many fundamental concepts and principles will remain broadly the same, the GDPR provides for significant changes which will have wide ranging impacts on a broad range of sectors, which include the following key points:

Scope - application outside the EU

The General Data Protection Regulation will apply to all data controllers and data processors within the EU and to data controllers and data processors based outside the EU that offer goods or services within the EU.

Lead supervisory authority

The “lead supervisory authority” of a data controller or data processor will be determined by where their main establishment in the EU is located. There will no longer be a “one-stop shop”, as was envisaged in earlier drafts of the GDPR. Instead, undertakings may be subject to the jurisdiction of more than one supervisory authority and the lead supervisory authority may often be required to consult with other supervisory authorities.

European Data Protection Board

The GDPR will create a new body, the European Data Protection Board (the “EDPB”). The EDPB will replace the Article 29 Working Party and will have more extensive responsibilities and powers, including the power to issue legally binding decisions to supervisory authorities.

Extended rights for individuals

The GDPR focuses on giving individuals more control over their personal data. In addition to existing rights, such as the rights of access and rectification, it provides for a new data portability right and more explicit conditions regarding profiling. The ‘right to be forgotten’ will also be explicitly set out in the GDPR.

Compliance obligations

Data controllers will be obliged to implement data protection policies, to keep records of their processing and, subject to some exceptions, to designate a data protection officer to monitor compliance with the GDPR. Data protection impact assessments will be mandatory where there is a high risk to individuals and, in particular, where new technologies are being used for processing personal data.

Security breach notification obligations

A data controller will be obliged to inform the relevant supervisory authority of a personal data security breach as soon as possible and, “where feasible”, not later than 72 hours after becoming aware of the breach. The data controller might also be required to inform the affected data subjects where there is a high risk to the individuals’ rights.

Codes of conduct and certification

The GDPR envisages the adoption of codes of conduct and the development of methods of certification of compliance in order to assist with the proper application of the GDPR.

Penalties

Failure to comply with the GDPR may give rise to liability to administrative fines of up to €20 million or 4% of total worldwide annual turnover of the relevant undertaking. Supervisory authorities must ensure that fines imposed are “effective, proportionate and dissuasive”.

Liability

Data controllers and data processors may be liable to individuals for damage caused by a breach of the GDPR. A single undertaking may be jointly liable for breaches by other entities involved in the relevant processing, however a court will be entitled to apportion compensation by taking into account the culpability of the relevant data controller(s) and data processor(s).

Pseudonymisation

The GDPR will introduce a new concept of pseudonymisation which involves the processing of personal data in such a way that it cannot be used to identify an individual without additional information. Pseudonymisation will be encouraged in the processing of data. Although pseudonymisation is not, of itself, a new concept, this will be the first time it has been enshrined expressly in data protection legislation applicable to Ireland.

This briefing is for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.

Key contacts