The Definitive Summary of the General Data Protection Regulation Posted by Hugh Jones on 12 January 2016

The draft of the General Data Protection Regulation (GDPR) has now been signed off by the trilogue of the EU government – the Commission, the Parliament and the Council of Ministers. The Regulation contains many of the key elements which we have already flagged in the past. Overall, the legislation is straightforward, accessible and reflects concerns regarding the increasing threat of intrusion into the private lives of EU citizens.

The GDPR sets out to give EU citizens more control over their personal data and to provide greater protection to their right to privacy. Different to previous implementation of privacy legislation, however, this Regulation will take effect on the same date for all 28 EU Member States.

On the basis of the recent publication, we can expect that this date will be early in 2018, two years from the date the final text is formally published in the Official Journal of the European Union.

The Regulation aims to achieve harmony across the Member States by:

The Regulation introduces a number of new, defined terms which indicate the focus and concerns of the legislators in terms of the protection of privacy. These include:

The well-known eight Rules of the 1995 EU Directive have not gone away, but they have received a re-vamp, and are articulated in a new way in the Regulation. They are now listed in terms of the principles, derived from the OECD Guidelines of 1980, which the rule will seek to enforce:

We can see the eight Rules in there amongst those principles, and I am sure that we will become familiar with this re-sequencing in time. Perhaps the most important shift here is the focus on the obligation for the Data Controller, who must now be pro-active in documenting and logging DP incidents. Under the new Regulation, the focus will be on the Controller to be able to demonstrate the steps taken to ensure compliance – including provision of training, resolution of data security incidents, risk analysis of new processes and procedures, etc.

Controllers and Processors are actively encouraged to seek certification with recognised international standards, (ISO 27001, for example) and the Supervisory Authorities in individual Member States are encouraged to define Codes of Conduct against which Controllers and Processors in particular sectors and industries can be assessed.

The following are what we at PrivacyEngine/Sytorus believe are the key changes for Data Controllers and Processors contained within the GDPR (in no order of priority):

The published rationale mentions that, now that the Regulation has been set out, the Supervisory Authorities in each EU Member State will soon be assessing DP issues and breaches by looking for evidence of a ‘forward-thinking attitude’. This means that organisations would do well to start putting structures in place as soon as possible which adhere with the new rules.

The estimated time-line remains in place – that the approved text of the legislation will be published by the Parliament by March, 2016, and will come into effect across the 28 EU Member States two years later, in early 2018.

PrivacyEngine/Sytorus continues to work with our clients to help them to prepare for the new Regulations. For many, this will include organisational, system and procedural changes, as well as staff training.

For some, who were already struggling with compliance under the ‘old’ legislation, this will be a slightly sharper hill to climb, but we have two years!

Over the coming weeks we will publish further analysis on the GDPR, with particular focus on the impact for Data Controllers, Data Processors and Data Subjects.