The New European General Data Protection Regulation

Author: Mr Charles-Albert Helleputte, Vanessa Klesy, Oliver Yaros, Guido Zeppenfeld, Nicolas Rößler, LLM, Björn Vollmuth, Mark A. Prinsley, Rebecca Eisner, Kendall C. Burman, Lei Shen, Stephen Lilley, Rajesh De, Joshua Silverstein, Gabriela Kennedy and Karen H. F. Lee
Profession: Mayer Brown

The final draft of the new European General Data Protection Regulation (GDPR) was agreed on 15 December 2015 and, once it has been approved by the European Parliament in early 2016, is expected to take effect by early 2018. This reform aims to update data protection law to address the challenges of the digital age while simultaneously protecting the rights of individuals and enabling businesses to utilise personal data in a more consistent manner across the European Union. The GDPR will be directly applicable in the same form in all EU Member States with the intention of reducing the burden on international organisations that, up until now, have had to vary their compliance to satisfy the particular data protection requirements of each Member State. The key points to take away from the GDPR are as follows:

International application of the GDPR

European data protection law will now apply depending on the type of data processing being undertaken and not necessarily on where that processing is carried out. In addition to data controllers (persons that determine the purposes for which personal data is processed) that are established in the European Union, data controllers located outside the EU that process personal data in relation to offering goods or services to individuals within the EU, or as a result of monitoring the behaviour of individuals within the EU, will be subject to the GDPR. Non-EU organisations will need to consider whether their activities are caught by the GDPR and whether they must appoint a representative in the EU to take responsibility for their actions.

Tougher sanctions

The GDPR substantially increases the maximum fine that may be imposed on organisations that breach EU data protection law. The maximum fine for a breach of the GDPR will be 4% of an enterprise's total worldwide annual turnover or €20 million, whichever is higher.

Data breach notification obligations

The GDPR introduces an express obligation for controllers to notify breaches of security relating to personal data to the relevant data protection authority, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. Data controllers must notify the authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the authority is not notified within 72 hours, a reasoned justification for the delay must accompany the notification. Controllers must also communicate the fact that there has been a personal data breach to the data subject...
