On the 14th of April 2016, the General Data Protection Regulation (GDPR) passed its final hurdle as it was approved by a vote in the European Parliament. The aim of this Regulation is to give citizens control of their personal data, and implement a common standard of data protection across all EU countries.
The GDPR will apply to all businesses worldwide that hold data relating to European citizens. The new GDPR will mean that:
- Individuals will have access to their own data
- Companies will be duty bound to inform their clients when their data is breached
- In the case of non-compliance, administrative fines may be imposed. There are two thresholds of fines: up to €10,000,000 or 2% of global annual turnover, and up to €20,000,000 or 4% of global annual turnover. For each threshold, whichever of the two amounts is higher will be imposed.
- Breach notification processes must be implemented whereby companies must inform Data Protection Authorities whenever there is a breach
- The ‘right to be forgotten’ is now an official right protected by EU law
- Certain entities will need to appoint a Data Protection Officer who will be in charge of advising and monitoring the data compliance position of the company
- Companies that did not previously fall within the ambit of the data protection regulation will now need to comply with the GDPR
The Regulation will come into effect as of 2018. Businesses will need to ensure that they are compliant by implementing effective data protection policies and reviewing existing policies.
Jan Philipp Albrecht, an MEP who led the reform of the data protection regulation, said: “This regulation is a huge step forward for the European Union, for fundamental rights in the European Union, and it shows that we can deliver a legal framework for the digital age, and that we can deliver for democratic decisions still in the European Union which has huge value for citizens and consumers.”
The next step will be to harmonize the telecoms data privacy rules (the ePrivacy Directive) so as to bring them in line with the new GDPR.