Data protection

The General Data Protection Regulation - Part 2

The General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, will introduce major changes to the law on the processing of personal data in the EU.

The General Data Protection Regulation (EU) 2016/679 of 27 April 2016 will apply as of May 2018. The GDPR provides a single set of innovative rules directly applicable in the entire EU without the need for national implementing measures, which means that any personal data processing ongoing at this date must comply with the regulation.

Part 1 of this article, which appeared in (2017) Winter CILExJ pp31–33, covered the following:

Burden of proof and administrative penalties

It goes without saying that the controller bears the burden of proof that the above requirements for a valid consent are complied with, and this may itself result in increased costs and administrative burdens for the controller. The maximum fines for violations of these requirements range from €10 million to €20 million, or 4% of global turnover if greater.

What has to be done to be compliant?

The changes from Directive 95/46/EC to the GDPR discussed in this article will mostly affect organisations that rely on the data subject’s consent as a lawful basis. (In many situations, of course, it will be more appropriate to rely on one of the alternative grounds for processing, such as legitimate interests.) They will have to thoroughly review the consent mechanisms they have in place to ensure that the information duties are fully complied with by valid fair processing notices, that the consent mechanisms are appropriate to the nature of the consent being sought, that consent is clearly “opt-in” and freely given even where the data subject is in a state of dependency, e.g. with employees, and that the consent can be withdrawn easily. Note that until detailed guidance is issued by the grouping of data regulators, WP29, it is unclear how far consent will be available at all within an employer/employee or similar relationship. Finally, consent given in the past might well not be compliant with the new requirements, and the controller may therefore need to seek new consents, potentially resulting in a considerable workload.