Yesterday evening a political agreement about new EU data protection rules was reached following final negotiations between the Parliament, the Council and the Commission (the so-called ‘trilogue’ meetings). The new rules will be set out in a regulation that will be directly applicable
across all 28 EU member states (General Data Protection Regulation or GDPR) and will modernise and unify data protection laws across the region. Following the One-stop-shop principle, businesses will only have to deal with one single supervisory authority.
Significantly, businesses that are found to be in breach of the GDPR may be liable to pay penalties of up to 4% of their total worldwide turnover, indicating that the EU intends data protection to become a board-level issue.
The GDPR will remove certain obligations that currently exist. For example, businesses will no longer be required to notify their data processing activities to the various national data protection authorities and this obligation will be replaced by a requirement to keep an inventory of data processing activities.
The GDPR will also introduce new data protection requirements. For example, businesses will be required to:
- appoint a data protection officer in certain circumstances (eg. for companies processing sensitive data on a large scale or for those that collect consumer information);
- notify data breaches to the relevant data protection authorit(y)(ies) within 72 hours. In certain circumstances the breach will also have to be notified to the affected data subjects;
- conduct privacy impact assessments before carrying out high-risk data processing; and
- build in privacy by design when processing personal data.
Unlike the current EU data protection rules, many of the new rules will also apply to data processors (eg. an external payroll services provider processing data for an employer).