EU Data Protection Regulation and Directive
A new Regulation on EU data protection is expected to be formally adopted later in 2016, following political agreement on the draft text finally being reached in December 2015 after years of discussion.
The aim of the new Regulation is to harmonise data protection law across the member states. As a Regulation it will apply directly in every member state, replacing the patchwork of national laws that currently implement the 1995 Data Protection Directive. The legislation will not apply immediately, as the agreed text provides for a two-year transition period after adoption, but businesses need to start thinking now about how the Regulation will affect them and the steps they will need to take to ensure compliance.
Key areas to note include:
- There will be onerous obligations on data controllers to demonstrate compliance with the Regulation (the "accountability" principle), for example by maintaining records of their processing activities and documenting the measures taken to protect personal data.
- Consent to processing of personal data must be freely given, specific, informed and unambiguous. For sensitive personal data, the consent must also be explicit.
- Data controllers must notify personal data breaches (not merely breaches of the Regulation) to the supervisory authority, in the UK the Information Commissioner's Office, without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals.
- Data processors will have to implement appropriate technical and organisational security measures, the agreed text giving pseudonymisation and encryption as examples, and will have an obligation to notify data controllers of breaches without undue delay.
- Where a breach is likely to result in a high risk to the affected individuals, it must also be communicated to those individuals. This is not required where the data was rendered unintelligible to unauthorised persons, for example through encryption, which is a practical reason to encrypt personal data at rest and in transit.
- Penalties of up to 4% of annual worldwide turnover or €20 million, whichever is greater, may be imposed for the most serious infringements.
- Individuals will have the “right to be forgotten” and will be able to require the erasure of their personal data without undue delay in certain circumstances.
- In some circumstances, for example for public authorities or where core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive personal data, it will be necessary to designate a Data Protection Officer.
There may of course be last-minute changes to the draft text, and the detail is not yet finalised. Further details will be published in due course.