What do the EU's new data protection rules (GDPR) mean for businesses?
On 25 May 2018, the EU's General Data Protection Regulation (GDPR) became applicable in the EU. Due to legislative technicalities, incorporation of the GDPR into the EEA Agreement has been postponed for Norway, Iceland and Liechtenstein (the EEA EFTA states). However, the GDPR is expected to become applicable in these countries as well by the end of July 2018.
The GDPR is the biggest data protection reform in Europe since the adoption of the Data Protection Directive in 1995. The GDPR replaces the 1995 directive and ensures stricter and more harmonised data protection rules across the European Economic Area (EEA, i.e. the EU and the EEA EFTA states). While the GDPR builds on the established data protection principles, it introduces new rights for individuals and stricter obligations for businesses that process personal data on customers and employees. The greatest change, and the one that has made data protection a top priority for management boards, is the data protection authorities' power to impose administrative fines of up to EUR 20 million or 4 % of the business's total worldwide annual turnover for the preceding financial year, whichever is higher.
Unsurprisingly, the GDPR applies to businesses established in the EEA. It is important to note, however, that the GDPR applies equally to businesses outside the EEA insofar as they offer goods or services to individuals in the EEA or monitor the behaviour of individuals within the EEA. This means, for instance, that if a business in Singapore operates a website aimed at individuals in the EEA, or targets them by other means, it will need to comply with the GDPR. Mere accessibility of a website from the EEA is not in itself sufficient; it is the targeting of, or monitoring of, individuals in the EEA that brings the business within scope.
The GDPR may also affect businesses outside the EEA more indirectly. The GDPR carries forward the strict rules on transferring personal data from the EEA to entities outside the EEA. Such transfers are prohibited by default, unless there is a legal basis that legitimises the transfer. Businesses that transfer personal data from the EEA to third countries, such as Singapore, must put appropriate safeguards in place, for example by signing the EU standard contractual clauses or by adopting binding corporate rules. The GDPR also imposes stricter requirements on the content of data processing agreements, which govern, for example, IT service providers' handling of personal data on behalf of their clients.
For businesses within the scope of the GDPR, it is important to set out a long-term strategy for ensuring compliance with the new rules. For some businesses, data protection and security may be a competitive factor that legitimises their practices and earns customers' trust. However, quite a few businesses will have difficulty distinguishing themselves from their competitors on this point, and their focus should therefore be on ensuring efficient compliance and reducing the risk of sanctions and reputational damage.
To ensure compliance with the GDPR, most businesses will need to carry out a systematic mapping of their data processing activities and a gap analysis against the new rules. A key principle under the GDPR is accountability: businesses are responsible for their data practices and must be able to demonstrate compliance. In practice this means that most businesses need to appoint a data protection officer (mandatory for some, such as public authorities and businesses whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data) or assign other internal roles, adopt or review their internal policies, maintain records of their processing activities, document the legal basis for every processing activity and ensure that data is deleted when it is no longer needed.
A primary goal of the new rules is to empower individuals with regard to the use of data relating to them. A key principle is that data subjects have a right to clear and concise information about how businesses process their data. This means that most businesses must review their privacy statements to ensure that the information covers all mandatory aspects and is intelligible to the intended audience. The GDPR strengthens data subjects' rights and gives the individual, for example, a right to access their own data, to receive their data in a machine-readable format, to object to marketing, and to have data corrected or deleted. Some activities, such as electronic marketing, may require the data subject's consent. The GDPR clarifies that consent must be freely given and not bundled with other terms and conditions, and that the data subject has the right to withdraw consent as easily as it was given.
In the struggle to become "GDPR ready", businesses should not fool themselves into thinking that demonstrating compliance is a one-time effort. On the contrary, ensuring compliance in practice requires continuous follow-up and assessment of new data practices, handling of security incidents, awareness raising and training. A particular challenge with the GDPR is that many of its provisions are quite vague and can arguably be applied differently to activities such as profiling and marketing depending on the particular circumstances and risks. Hence, while 25 May 2018 was a historic milestone for data protection in the EEA, the data protection authorities' enforcement against breaches of the GDPR, and the sanctions they impose in the coming months and years, will provide significant clarification.
For inquiries, please contact Thomas Olsen.