Ashfords LLP. In-house Legal.


The new EU General Data Protection Regulation is finally here

26 January 2016

The General Data Protection Regulation ("GDPR") has been finalised and organisations now have two years to prepare before the legislation comes into force in 2018. The following is a summary of some of the most significant issues of which in-house solicitors should be aware:

Joint Liability for Data Processors

Under the GDPR, data processors will for the first time have direct statutory obligations of their own, and controllers and processors can each be held liable for the whole of the damage caused by a breach in which both are involved. This is a significant change from the current regime, under which processors are generally answerable only to the controller under their contract, and it will have particular consequences if your business is a cloud provider or relies on cloud services.

Increased Fines & Breach Notifications

The final draft of the GDPR contains a two tier fine structure. The upper tier carries maximum fines of up to €20 million or 4% of global annual turnover, whichever is the higher, for breaches of specific provisions such as the basic processing principles, individuals' rights or the international transfer provisions. A second, lower tier of €10 million or 2% of global annual turnover, again whichever is the higher, applies to certain administrative and security obligations, such as a failure to maintain processing records or to implement appropriate security measures in accordance with the GDPR.

It is essential that your business is also aware of the mandatory requirement to notify personal data breaches to the regulator without undue delay and, where feasible, within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to individuals), and that where the breach is likely to result in a high risk to individuals they will also need to be notified.

Consent

Whilst the GDPR has not gone so far as requiring explicit consent for all data processing, it will significantly change the current consent regime. Consent must still be unambiguous, and must be given freely, for a specific purpose and on an informed basis, by a statement or clear affirmative action; silence, inactivity and pre-ticked boxes will not do. The other change is around the purpose for which you have obtained consent. If your business collects data for a specific purpose, fresh consent (or another lawful basis) will be required if it then wants to process the data for a different purpose that is not compatible with the original one. Explicit consent will be required to process sensitive personal data.

Data Protection Officer ("DPO")

It was anticipated that all organisations would be required to have a DPO; however, this requirement has now been curtailed. If your organisation's core activities involve regular and systematic monitoring of individuals on a large scale, or the processing of sensitive personal data on a large scale, it will be necessary to appoint a DPO. Public authorities will be required to appoint one in any event.

Legitimate Interests

Many data controllers currently rely on legitimate interests as the legal basis for processing personal data. It is important to be aware that the GDPR will restrict an organisation's ability to rely on this legal basis: the controller's interests must be balanced against, and must not be overridden by, the interests and fundamental rights of the individual (with particular weight given to children), the legitimate interest relied upon must be spelled out in the privacy information given to individuals, and public authorities will not be able to rely on it at all in the performance of their public tasks.