After years of consulting, drafting and negotiating at various levels, on 15 December 2015 the final compromise text of the EU General Data Protection Regulation (GDPR) was agreed. What a milestone! Once the European Parliament and Council both adopt the agreed text, the GDPR will officially come into force, which is expected to be January 2016. Businesses will have a two-year transitional period to adapt to the new regime.
One Continent, One Law
The GDPR will apply directly in each of the 28 EU Member States. With its wide territorial scope, the GDPR will not only apply to the data processing activities of EU-based businesses, but also to various data processing activities of businesses not established in the EU to the extent they target EU data subjects.
Consent continues to be required to be freely-given, specific, informed and unambiguous (as well as explicit where sensitive data is processed). However, overall the GDPR takes a strikingly prescriptive approach in relation to consent and also (surprisingly) provides that the age of consent is 16, unless Member State law provides for a younger age of consent (which must not be below 13).
A risk-based approach has been successfully inserted into various GDPR provisions by the Council. This, no doubt, will be welcome news for businesses. Consequently, some compliance obligations will only apply to those data processing activities that are likely to result in a risk (or even high risk) for the rights and freedoms of individuals (e.g., obligations to notify data breaches or carry out privacy impact assessments).
One-stop-shop survives as a concept. What this means is, where a controller or processor has multiple establishments within the EU, the supervisory authority of the Member State where the controller/ processor has its 'main establishment' will be competent to supervise and enforce its data protection compliance across the EU. This is subject to the lead supervisory authority being required to consult and cooperate with supervisory authorities of other affected Member States. The rule is watered down considerably by exceptions providing that local supervisory authorities (other than the lead authority) will be competent to deal with subject matters that relate only to an establishment in their Member State or substantially affect only data subjects in their Member State.
Data Protection Officers will be required for businesses that – on a large scale and as part of their core activities - regularly and systematically monitor data subjects or process sensitive data.
Supervisory authorities will be equipped with broad enforcement powers, and fines for non-compliance will be substantial with a maximum fine of €20 million or 4% of the annual worldwide turnover (whichever is higher).
A GDPR Game Plan
Now is the time to act, to help you start, you can prepare your game plan with the helpful guidance in our "Ready Or Not, Here It Comes - A GDPR Game Plan".
Contributors - Frances Chen, Anna von Dietze, Sarah Gee
“Baker & McKenzie's iG360 tool is designed to assist clients to comply with legislative provisions such as the GDPR. The iG360 tool was placed second out of a shortlist of nine in the "Compliance and Technology" category at the Financial Times North American Innovative Lawyers 2015 awards, with iG360 being deemed a "standout". The Financial Times indicated: "At Baker & McKenzie, for example, a cloud-based legal compliance service called iG360 guides the firm's multinational clients through information governance laws in more than 120 countries, with 24-hour access to tailored legal advice."
To learn more about how iG360 can help you comply with the GDPR requirements, please contact .