The GDPR was published in the Official Journal of the EU (OJEU) on 4 May 2018 and entered into force on 25 May 2018. Since its inception there have been hundreds of fines throughout the EU.
Article 97 of the Regulation requires the European Commission to submit a report on the evaluation and review of the GDPR by May 2020 and every four years thereafter. The Commission published its first report on 24 June 2020.
On 25 May 2018, the way personal data is collected, used and shared changed by virtue of the General Data Protection Regulation (GDPR). The Regulation reforms outdated personal data legislation, addressing some of the technological challenges of processing personal data in the current digital age, including profiling, data portability and the ‘right to be forgotten’. The Regulation has direct legal effect across all EU Member States, ensuring a harmonised data protection regime throughout the EU. The GDPR is part of a wider legislative data protection framework that also includes the Police and Criminal Justice Authorities Directive in the area of law enforcement (LED). The LED creates a coherent framework for data processing activities performed for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. The package is a major step towards a Digital Single Market.
1. Extra-territorial effect
The GDPR will have extra-territorial effect, being applicable to a controller or processor not established in the EU, if the data processed belongs to a data subject in the EU.
2. One stop shop
The GDPR provides a more harmonised EU data protection regime, including increased co-operation and consistency between EU regulators and a ‘one-stop-shop’ for controllers. This one-stop-shop mechanism allows a company which is active in several Member States to deal only with the data protection authority in the Member State of its main establishment. This mechanism also provides for a single decision applicable to the entire EU territory in case of disputes.
3. Consent
Consent must be freely given, specific, informed and unambiguous. Furthermore, if data has been collected for a specific purpose, consent must be obtained for additional processing which is incompatible with the original purpose. Consent may be withdrawn at any time and it must be as easy for a data subject to withdraw their consent as to give it. The data subject should be informed of the existence of profiling and the consequences of such profiling. Consent must be explicit for sensitive data. The data controller will be required to demonstrate that consent was given.
Companies cannot collect data from children under 16 without verifiable parental consent.
4. Right to be forgotten
All subjects have the right to have their retained data removed from a database upon demand. Alongside this obligation is that of taking reasonable steps to inform third parties that the data subject has requested the erasure of any links to, or indeed copies of, that data.
5. Accountability and Privacy by Design
The GDPR places onerous accountability obligations on data controllers to demonstrate compliance. Data controllers must implement a number of security measures, including the requirement in certain cases to notify personal data breaches. To future-proof the regulation, the principles of data protection by design and by default are introduced. The concept of privacy by design requires data controllers to consider privacy risks at the outset of any new project.
6. Data Protection Officer
Data controllers and processors must designate a Data Protection Officer in certain circumstances as part of their accountability programme. The mandatory appointment of a data protection officer will be restricted to limited circumstances involving sensitive personal data or the monitoring of data subjects.
7. Mandatory data breach notification
In the event of a data breach, there is a mandatory obligation to notify the supervisory authority without delay and, where feasible, within 72 hours of the breach. In certain circumstances involving high risk to the data subject due to the breach, the data subject must also be notified without undue delay.
8. Stronger sanctions
The GDPR will provide for two tiers of sanctions, with maximum fines of up to EUR 20 million or 4% of annual worldwide turnover, whichever is greater.
9. Binding Corporate Rules
Binding Corporate Rules (BCR) will be given statutory recognition - they must be legally binding and apply to and be enforced by every member within the controller’s group of undertakings engaged in a joint economic activity, including their employees. Criteria for adequacy decisions are set out, and new possibilities for adequate protection are likely to be provided in the form of codes of conduct and/or certifications.
10. Notification system
Data controllers will no longer be required to notify, or seek approval from, their local data protection authority. In its place, data controllers are required to put in place effective procedures and mechanisms focussing on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Data controllers will need to carry out a data protection impact assessment to consider the likelihood and severity of the risk, which would apply in particular to large scale processing operations.
In the UK, the Government has created a new Data Protection Act (UK DPA 2018) replacing the previous version effective since 1998. The UK DPA 2018 generally replicates the 1998 Act as far as is possible and incorporates all the provisions of the GDPR with a few minor differences, and also refines some of the definitions of the GDPR. In particular, Part 2 of the DPA covers aspects of the GDPR which allow for national derogations in specific instances. Part 2 also sets out the scope and definitions for general processing under the GDPR.
The UK DPA 2018 has a part dealing with processing that does not fall within EU law, such as where it is related to immigration. It applies GDPR standards but it has been amended to adjust those that would not work in the national context.
It also has a part that transposes the Law Enforcement Directive (LED) (Directive 2016/680) into domestic UK law. The Directive complements GDPR and Part 3 of the UK DPA 2018 sets out the requirements for the processing of personal data for criminal ‘law enforcement purposes’.
In Ireland, the Data Protection Act 2018 was signed into law on 24 May 2018. The new Data Protection Act repeals the Data Protection Acts 1988 and 2003 with the exception of those provisions relating to the processing of personal data for the purposes of national security, defence and the international relations of the State.