
The new General Data Protection Regulation (GDPR) (Regulation 2016/69, Apr. 27, 2016), approved by the European Parliament and the Council of the European Union, was formally published in the Official Journal of the European Union on May 4, 2016, and will replace the Data Protection Directive (Directive 95/46/EC) effective May 28, 2018. This new set of requirements has been a long time coming, but brings a host of new requirements important to companies that use or process data in the EU or simply use or process data about EU citizens anywhere in the world outside the U.S. Unlike a directive, the GDPR does not require enabling legislation by Member States to apply, but Member State action is nonetheless anticipated in areas like updating penalties and defining a “child” for purposes of the Regulation.

Among the key requirements created by the GDPR are the following:

  • Companies outside the EU that are targeting EU consumers will be subject to the GDPR.
  • Data controllers will be required to maintain paperwork, and to conduct Privacy Impact Assessments (PIAs) for more sensitive types of data processing.
  • Data subjects’ consent must be clear, unambiguous, and—for sensitive data—explicit; consent may also be withdrawn.
  • A single data protection authority (DPA) will be able to act as the “lead DPA,” enabling the lead DPA and other concerned DPAs to handle local or urgent cases in a manner that will (hopefully) be more streamlined.
  • DPAs will be authorized to impose fines of up to 4% of global annual turnover for certain infringements, or 2% for less serious infringements.
  • Notifications of data breaches must be accomplished within 72 hours of learning of the breach, where feasible, although notification need not be made to the DPA if it is unlikely to result in risk to the rights or freedoms of individuals.
  • Many companies will be required to designate a data protection officer (DPO).
  • Special rules will apply to children’s data. Unlike the U.S., where a “child” is defined as “under 13” per the Children’s Online Privacy Protection Act (COPPA), Member States have the ability to establish an age between 13 and 16 as the age of a “child” for purposes of the GDPR. Divergence could create real headaches for businesses given practical limitations of getting “verifiable parental consent” when dealing with teens.

The GDPR comes at a sensitive time for many companies, with tensions over the “right to be forgotten” and the EU-U.S. Privacy Shield continuing to garner criticism from some DPAs. Companies with business or customers in the EU should begin preparing for the GDPR, if they have not begun already. Creating the relevant structures and laying out appropriate documentation will rapidly consume the two years before the GDPR applies mandatorily. The starting point for many companies will be to assess current practices and identify gaps now and use that to map out a compliance plan that fully prepares them for the new GDPR world in 2018.