The General Data Protection Regulation, which will be in force later this year, requires organisations that process European personal data to have a comprehensive compliance programme. Additionally, the UK will implement the GDPR into its new Data Protection Act, which will also be extraterritorial in scope. International organisations doing business in Europe will need to be mindful of the GDPR and the other European local data privacy laws that will apply in addition to the GDPR.
The new General Data Protection Regulation (GDPR) will be in force on 25 May 2018 and will be effective in the European Union (EU) immediately on this date. Following the United Kingdom’s (UK’s) exit from the EU, likely to be in 2019, the UK government will need to enact domestic data privacy legislation to replace the GDPR. The draft data protection law has now been published and it incorporates and supplements the GDPR. Additionally, the GDPR itself will remain relevant to UK businesses that target the EU market in the same way as other non-EU businesses. Other European countries will also implement their own local data privacy laws to supplement the GDPR as there are some provisions, such as those relating to processing criminal conviction data and relating to children’s consent, which allow local laws to be implemented to vary the GDPR requirements.
The GDPR has extraterritorial effect and applies to
The extraterritorial scope of the GDPR represents a significant expansion of EU data protection obligations: an organisation with no establishment in the EU is caught where it offers goods or services to individuals in the EU, or monitors the behaviour of those individuals, regardless of where the processing itself takes place.
When the UK exits from the EU by 29 March 2019, the GDPR will only continue to apply to a UK organisation to the extent that it falls within the extraterritorial scope summarised above. For purely UK processing activities relating to UK individuals, the GDPR will no longer apply. Instead, the new Data Protection Act (currently in draft form) will apply. It incorporates the GDPR and supplements it in the areas where the GDPR permits national variation, as all EU countries may do. Like the GDPR, it has extraterritorial effect, so that it applies to non-UK businesses that offer goods or services to UK residents or that monitor UK residents.
Most UK businesses are almost certainly going to need to transfer personal data to the EU and also to other countries outside the EU, such as the United States. Currently, whilst the UK remains part of the EU, personal data may not be transferred outside the EU unless the individual has consented, the destination is a country the European Commission has found "adequate" (such as Canada or Switzerland), or the business has in place another legally permissible transfer mechanism, such as model clauses or binding corporate rules. Once the UK is outside the EU, transfers from the EU to the UK will be subject to these same restrictions unless the European Commission grants the UK an "adequacy" decision, which the UK government will need to negotiate as part of the Brexit arrangements.
Where the GDPR applies to the processing of personal data, an organisation should first assess whether it (or any of its affiliates) is acting as a data controller or as a data processor in each processing activity, since the two roles carry different obligations.
The data controller is ultimately responsible for compliance with the data protection principles which are that personal data must be
Personal data is lawfully processed only if the data subject has consented to the processing or another lawful basis applies, such as the processing being necessary for the performance of a contract or for compliance with a legal obligation. Where consent is relied on, the GDPR imposes strict conditions on what counts as valid consent, and the data controller must be able to demonstrate that it was obtained.
The data controller must provide a privacy notice to data subjects regarding the processing of their personal data. The information the notice must contain is summarised below. It must be provided at the time the personal data is collected or, if the data was obtained from a third party, within a reasonable period after it was obtained. Ensuring that privacy notices contain everything the GDPR requires is likely to be a complex process for many organisations. The privacy notice must be concise, transparent, intelligible and easily accessible, written in clear and plain language, and provided free of charge.
There are also direct obligations on data processors under the GDPR regarding
The appointment of a Data Protection Officer (DPO) is required where an organisation's core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of sensitive personal data or criminal conviction data. Organisations can still appoint a DPO even if one is not required, but it should be clear whether the appointment is an organisational choice or a GDPR requirement. The DPO must be accessible both to the Europe-based individuals about whom the organisation processes personal data and to the supervisory authority. He or she must be suitably skilled and experienced and must also be able to provide training to staff. Where the DPO sits in an organisation is likely to be a difficult assessment. The role must be sufficiently resourced and independent to be effective, must have access to management meetings and be involved in relevant business discussions, and must not conflict with any other role the DPO holds in the organisation.
Additionally, an organisation that is not established in the EU but falls within the GDPR's extraterritorial scope will generally need to appoint a representative based in the EU. Such a representative may wish to obtain a letter of indemnity from the organisation to cover himself or herself against liabilities arising from the role.
The GDPR includes a mandatory obligation to notify the data protection authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals). Where the breach is likely to result in a high risk to those rights and freedoms, the organisation must also notify the affected individuals without undue delay.
Organisations can consider taking steps to prepare for the GDPR such as the following:
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Gregory T. Parks
Mark L. Krotoski
W. Reece Hirsch