EU Data Protection Regulation – what and when to expect

Sep 01 | 2015

Tony Richman

The European Commission plans to unify data protection within the European Union (EU) through the General Data Protection Regulation (GDPR). The GDPR will supersede existing 1990s regulations, prompting fundamental changes to how organisations must process personal data. A final version should be agreed by the end of 2015.

The new regulation will apply to all organisations and people based in the EU and, unlike the existing directive, will also apply to organisations outside the EU that provide goods or services to, or process the personal data of, EU residents. Currently, businesses operating across the EU can be forced to answer to data protection authorities in each EU country, leading to multiple investigations on the same issue and potentially different enforcement actions. The reform proposes that cases are handled by a single regulator based in the EU country where the business has its main establishment.

Data protection must be built into the design of business processes for products and services during development. By default, privacy settings for processes should be restricted. Independent Data Protection Officers (DPOs) may be required depending on the organisation or the magnitude of personal data processing. The criteria, and whether the GDPR will mandate DPOs at all, have yet to be agreed.

For data to be collected and processed, explicit consent must be obtained. The right to withdraw consent must also be communicated. Companies will have an obligation to report breaches to Supervisory Authorities and affected individuals without undue delay. There will be significantly greater sanctions for non-compliance, including maximum fines of €1m or 2% of annual worldwide turnover, whichever is greater.

Data subjects will have the right to request the erasure of their personal data. They may also request their personal data in a format that can be easily transmitted electronically to another processing system.

When are the changes expected?

Trilogue meetings (Commission, Council and Parliament) will be held to negotiate key differences. Subject to a 3-way agreement, the GDPR is expected to be published in December 2015, coming into force after a 2-year transition period and replacing present legislation. As a regulation (not a directive) it will have an immediate effect in all EU Member States without further national legislation.

What does this mean for you?

A number of substantial changes to business processes will be required. Governance requirements will increase, particularly regarding security arrangements; the business culture will need to change, e.g. by embedding a culture of 'privacy by design'; costs will rise to implement new processes and controls, and potentially to employ an independent DPO; companies will face financial risk from potentially substantial non-compliance fines; and companies will need to perform internal audits that identify risk exposures and provide assurance to Audit Committees that these have been mitigated through effective controls.

Tony Richman